?
Solved

exe hijacking

Posted on 2006-07-21
13
Medium Priority
?
345 Views
Last Modified: 2010-04-05
hi there,  
how can i hijack an exe and run my own code on it?
i yet found a working code.  Plz help!
0
Comment
Question by:xapsx
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
13 Comments
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158671

Sorry, but your not going to get anyone here to help you in questionable activities. You need to restate your question and intentions (hijack is not the word you want to be using) before anyone is going to help.

Regards,
Russell
0
 

Author Comment

by:xapsx
ID: 17158712
hi rllibby
that's not good, what should i say?
i just want to learn how to make it, if you have any tutorials, let me know.
maybe the right word is: inject? if not i cant help you
i know a way would be to inject a thread using CreateRemoteThread and a DLL but i don't know much about it.
any idea?
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158737

The concern is with the word "hijack", as it denotes negative intentions. "Inject"ing is better terminolory, so long as you plan on using this for legitimate purposes; eg. do whatever you want on your own system, but do no harm to others. If your only intention is on learning, then I can help you in this area, as I am semi versed in hooking, IAT pacthing, code rewriting, dll injection, and process memory handling.

Russell

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:xapsx
ID: 17158756
yes, just learning.
0
 
LVL 26

Accepted Solution

by:
Russell Libby earned 1000 total points
ID: 17158803
Alright...

You can download sources from my site; the 2 downloads that you will need are the Win32Hook unit and the Disasm32 unit:

http://users.adelphia.net/~rllibby/downloads/disasm32.zip
http://users.adelphia.net/~rllibby/downloads/win32hook.zip

The disasm unit is used by the win32hook unit only for the code rewriting. The win32 hook unit itself exposes classes for:

- IAT patching
- Code rewriting
- Library injection

The code I provide in these units is nothing special, and is not anything you can't already find on the net (usually for C/C++ though).  Anyways, the injection that you are interested in will require a Win 2k, Xp, 2003 system due to the API calls it uses to allocate memory in the other process. To simplify learning, there is a download at:

http://users.adelphia.net/~rllibby/downloads/hookloader.zip

That includes 2 projects, one an exe (no form) which is used to start notepad and inject the hook dll into it, and the other a library (hook.dll). The hookloader program starts Notepad and demostrates what is required to inject a library into another process. The hook dll demos IAT patching, where it patches the calls to CreateFileA and CreateFileW; in short, once injected into notepad, any time notepad opens / saves a file, it will display the file name in a message box (which is coming from the hook dll).

Hopefully you will find this useful,
Russell


0
 

Author Comment

by:xapsx
ID: 17158876
thanks you!
its awesome!  
can i contact you by email?, i still might need your help!
0
 

Author Comment

by:xapsx
ID: 17158880
thank you*
and btw: what IAT means?
0
 

Author Comment

by:xapsx
ID: 17158897
where did you get this function?

  TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

how do i do that with DragQueryFileW?? plz help
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158899

Import Address Table: When making API calls, you never actually directly call the api address directly (its unknown till load time), so a table of addresses is used. This table is updated during the loading process, and contains the pointers to the imported functions, thus called the IAT.

Russell
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158914
>>  TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes:
 >> PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

Its the declaration layout for CreateFileW. For DragQueryFileW, just look up the declartion in shellapi.pas and do the same thing:

type
  TDragQueryFileW   =  function(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;

then create a function pointer to hold the original, and a new declaration, eg:

var
  lpDragQueryFileW:  TDragQueryFileW;

function HookDragQueryFileW(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;
begin
 ...
end;

to use as the hooked function. I would suggest Google'ing this topic (IAT, Hooks, Injection, etc) and read up on what you find so you get a better understanding. If you still need help after that, then let me know.

Russell




0
 

Author Comment

by:xapsx
ID: 17158935
hey Russell
thank you very much. great help
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158940

Your very welcome...
Like i said, read up, do some looking around, go through the provided code (most of it is pretty well commented), etc and then if you still have questions, I will be more than glad to answer them

Russell
0
 

Author Comment

by:xapsx
ID: 17164227
hey russell,
are you still there?

i was just wondering
how can i inject my own function?
and how to handle objects from any application? like write in the notepad memo.

can you help me? (if you want i'll make a new thread so i can give you more points)
please let me know
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction The parallel port is a very commonly known port, it was widely used to connect a printer to the PC, if you look at the back of your computer, for those who don't have newer computers, there will be a port with 25 pins and a small print…
In this tutorial I will show you how to use the Windows Speech API in Delphi. I will only cover basic functions such as text to speech and controlling the speed of the speech. SAPI Installation First you need to install the SAPI type library, th…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month11 days, 15 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question