Solved

exe hijacking

Posted on 2006-07-21
13
330 Views
Last Modified: 2010-04-05
hi there,  
how can i hijack an exe and run my own code on it?
i yet found a working code.  Plz help!
0
Comment
Question by:xapsx
  • 7
  • 6
13 Comments
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158671

Sorry, but your not going to get anyone here to help you in questionable activities. You need to restate your question and intentions (hijack is not the word you want to be using) before anyone is going to help.

Regards,
Russell
0
 

Author Comment

by:xapsx
ID: 17158712
hi rllibby
that's not good, what should i say?
i just want to learn how to make it, if you have any tutorials, let me know.
maybe the right word is: inject? if not i cant help you
i know a way would be to inject a thread using CreateRemoteThread and a DLL but i don't know much about it.
any idea?
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158737

The concern is with the word "hijack", as it denotes negative intentions. "Inject"ing is better terminolory, so long as you plan on using this for legitimate purposes; eg. do whatever you want on your own system, but do no harm to others. If your only intention is on learning, then I can help you in this area, as I am semi versed in hooking, IAT pacthing, code rewriting, dll injection, and process memory handling.

Russell

0
 

Author Comment

by:xapsx
ID: 17158756
yes, just learning.
0
 
LVL 26

Accepted Solution

by:
Russell Libby earned 250 total points
ID: 17158803
Alright...

You can download sources from my site; the 2 downloads that you will need are the Win32Hook unit and the Disasm32 unit:

http://users.adelphia.net/~rllibby/downloads/disasm32.zip
http://users.adelphia.net/~rllibby/downloads/win32hook.zip

The disasm unit is used by the win32hook unit only for the code rewriting. The win32 hook unit itself exposes classes for:

- IAT patching
- Code rewriting
- Library injection

The code I provide in these units is nothing special, and is not anything you can't already find on the net (usually for C/C++ though).  Anyways, the injection that you are interested in will require a Win 2k, Xp, 2003 system due to the API calls it uses to allocate memory in the other process. To simplify learning, there is a download at:

http://users.adelphia.net/~rllibby/downloads/hookloader.zip

That includes 2 projects, one an exe (no form) which is used to start notepad and inject the hook dll into it, and the other a library (hook.dll). The hookloader program starts Notepad and demostrates what is required to inject a library into another process. The hook dll demos IAT patching, where it patches the calls to CreateFileA and CreateFileW; in short, once injected into notepad, any time notepad opens / saves a file, it will display the file name in a message box (which is coming from the hook dll).

Hopefully you will find this useful,
Russell


0
 

Author Comment

by:xapsx
ID: 17158876
thanks you!
its awesome!  
can i contact you by email?, i still might need your help!
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:xapsx
ID: 17158880
thank you*
and btw: what IAT means?
0
 

Author Comment

by:xapsx
ID: 17158897
where did you get this function?

  TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

how do i do that with DragQueryFileW?? plz help
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158899

Import Address Table: When making API calls, you never actually directly call the api address directly (its unknown till load time), so a table of addresses is used. This table is updated during the loading process, and contains the pointers to the imported functions, thus called the IAT.

Russell
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158914
>>  TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes:
 >> PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

Its the declaration layout for CreateFileW. For DragQueryFileW, just look up the declartion in shellapi.pas and do the same thing:

type
  TDragQueryFileW   =  function(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;

then create a function pointer to hold the original, and a new declaration, eg:

var
  lpDragQueryFileW:  TDragQueryFileW;

function HookDragQueryFileW(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;
begin
 ...
end;

to use as the hooked function. I would suggest Google'ing this topic (IAT, Hooks, Injection, etc) and read up on what you find so you get a better understanding. If you still need help after that, then let me know.

Russell




0
 

Author Comment

by:xapsx
ID: 17158935
hey Russell
thank you very much. great help
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158940

Your very welcome...
Like i said, read up, do some looking around, go through the provided code (most of it is pretty well commented), etc and then if you still have questions, I will be more than glad to answer them

Russell
0
 

Author Comment

by:xapsx
ID: 17164227
hey russell,
are you still there?

i was just wondering
how can i inject my own function?
and how to handle objects from any application? like write in the notepad memo.

can you help me? (if you want i'll make a new thread so i can give you more points)
please let me know
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

This article explains how to create forms/units independent of other forms/units object names in a delphi project. Have you ever created a form for user input in a Delphi project and then had the need to have that same form in a other Delphi proj…
Have you ever had your Delphi form/application just hanging while waiting for data to load? This is the article to read if you want to learn some things about adding threads for data loading in the background. First, I'll setup a general applica…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now