Solved

exe hijacking

Posted on 2006-07-21
13
337 Views
Last Modified: 2010-04-05
hi there,  
how can i hijack an exe and run my own code on it?
i yet found a working code.  Plz help!
0
Comment
Question by:xapsx
  • 7
  • 6
13 Comments
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158671

Sorry, but your not going to get anyone here to help you in questionable activities. You need to restate your question and intentions (hijack is not the word you want to be using) before anyone is going to help.

Regards,
Russell
0
 

Author Comment

by:xapsx
ID: 17158712
hi rllibby
that's not good, what should i say?
i just want to learn how to make it, if you have any tutorials, let me know.
maybe the right word is: inject? if not i cant help you
i know a way would be to inject a thread using CreateRemoteThread and a DLL but i don't know much about it.
any idea?
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158737

The concern is with the word "hijack", as it denotes negative intentions. "Inject"ing is better terminolory, so long as you plan on using this for legitimate purposes; eg. do whatever you want on your own system, but do no harm to others. If your only intention is on learning, then I can help you in this area, as I am semi versed in hooking, IAT pacthing, code rewriting, dll injection, and process memory handling.

Russell

0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 

Author Comment

by:xapsx
ID: 17158756
yes, just learning.
0
 
LVL 26

Accepted Solution

by:
Russell Libby earned 250 total points
ID: 17158803
Alright...

You can download sources from my site; the 2 downloads that you will need are the Win32Hook unit and the Disasm32 unit:

http://users.adelphia.net/~rllibby/downloads/disasm32.zip
http://users.adelphia.net/~rllibby/downloads/win32hook.zip

The disasm unit is used by the win32hook unit only for the code rewriting. The win32 hook unit itself exposes classes for:

- IAT patching
- Code rewriting
- Library injection

The code I provide in these units is nothing special, and is not anything you can't already find on the net (usually for C/C++ though).  Anyways, the injection that you are interested in will require a Win 2k, Xp, 2003 system due to the API calls it uses to allocate memory in the other process. To simplify learning, there is a download at:

http://users.adelphia.net/~rllibby/downloads/hookloader.zip

That includes 2 projects, one an exe (no form) which is used to start notepad and inject the hook dll into it, and the other a library (hook.dll). The hookloader program starts Notepad and demostrates what is required to inject a library into another process. The hook dll demos IAT patching, where it patches the calls to CreateFileA and CreateFileW; in short, once injected into notepad, any time notepad opens / saves a file, it will display the file name in a message box (which is coming from the hook dll).

Hopefully you will find this useful,
Russell


0
 

Author Comment

by:xapsx
ID: 17158876
thanks you!
its awesome!  
can i contact you by email?, i still might need your help!
0
 

Author Comment

by:xapsx
ID: 17158880
thank you*
and btw: what IAT means?
0
 

Author Comment

by:xapsx
ID: 17158897
where did you get this function?

  TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

how do i do that with DragQueryFileW?? plz help
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158899

Import Address Table: When making API calls, you never actually directly call the api address directly (its unknown till load time), so a table of addresses is used. This table is updated during the loading process, and contains the pointers to the imported functions, thus called the IAT.

Russell
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158914
>>  TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes:
 >> PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

Its the declaration layout for CreateFileW. For DragQueryFileW, just look up the declartion in shellapi.pas and do the same thing:

type
  TDragQueryFileW   =  function(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;

then create a function pointer to hold the original, and a new declaration, eg:

var
  lpDragQueryFileW:  TDragQueryFileW;

function HookDragQueryFileW(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;
begin
 ...
end;

to use as the hooked function. I would suggest Google'ing this topic (IAT, Hooks, Injection, etc) and read up on what you find so you get a better understanding. If you still need help after that, then let me know.

Russell




0
 

Author Comment

by:xapsx
ID: 17158935
hey Russell
thank you very much. great help
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158940

Your very welcome...
Like i said, read up, do some looking around, go through the provided code (most of it is pretty well commented), etc and then if you still have questions, I will be more than glad to answer them

Russell
0
 

Author Comment

by:xapsx
ID: 17164227
hey russell,
are you still there?

i was just wondering
how can i inject my own function?
and how to handle objects from any application? like write in the notepad memo.

can you help me? (if you want i'll make a new thread so i can give you more points)
please let me know
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A lot of questions regard threads in Delphi.   One of the more specific questions is how to show progress of the thread.   Updating a progressbar from inside a thread is a mistake. A solution to this would be to send a synchronized message to the…
The uses clause is one of those things that just tends to grow and grow. Most of the time this is in the main form, as it's from this form that all others are called. If you have a big application (including many forms), the uses clause in the in…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question