Solved
exe hijacking

Posted on 2006-07-21
Last Modified: 2010-04-05
Hi there,
how can I hijack an exe and run my own code on it?
I have yet to find working code. Please help!
0
Question by:xapsx
13 Comments
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158671

Sorry, but you're not going to get anyone here to help you with questionable activities. You need to restate your question and intentions (hijack is not the word you want to be using) before anyone is going to help.

Regards,
Russell
0
 

Author Comment

by:xapsx
ID: 17158712
Hi rllibby,
that's not good, what should I say?
I just want to learn how to make it; if you have any tutorials, let me know.
Maybe the right word is: inject? If not, I can't help you.
I know a way would be to inject a thread using CreateRemoteThread and a DLL, but I don't know much about it.
Any idea?
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158737

The concern is with the word "hijack", as it denotes negative intentions. "Inject"ing is better terminology, so long as you plan on using this for legitimate purposes; e.g. do whatever you want on your own system, but do no harm to others. If your only intention is on learning, then I can help you in this area, as I am semi-versed in hooking, IAT patching, code rewriting, DLL injection, and process memory handling.

Russell

0

 

Author Comment

by:xapsx
ID: 17158756
Yes, just learning.
0
 
LVL 26

Accepted Solution

by:
Russell Libby earned 1000 total points
ID: 17158803
Alright...

You can download sources from my site; the 2 downloads that you will need are the Win32Hook unit and the Disasm32 unit:

http://users.adelphia.net/~rllibby/downloads/disasm32.zip
http://users.adelphia.net/~rllibby/downloads/win32hook.zip

The disasm unit is used by the win32hook unit only for the code rewriting. The win32 hook unit itself exposes classes for:

- IAT patching
- Code rewriting
- Library injection

The code I provide in these units is nothing special, and is not anything you can't already find on the net (usually for C/C++ though). Anyways, the injection that you are interested in will require a Win 2k, XP, 2003 system due to the API calls it uses to allocate memory in the other process. To simplify learning, there is a download at:

http://users.adelphia.net/~rllibby/downloads/hookloader.zip

That includes 2 projects: one an exe (no form) which is used to start Notepad and inject the hook DLL into it, and the other a library (hook.dll). The hookloader program starts Notepad and demonstrates what is required to inject a library into another process. The hook DLL demos IAT patching, where it patches the calls to CreateFileA and CreateFileW; in short, once injected into Notepad, any time Notepad opens / saves a file, it will display the file name in a message box (which is coming from the hook DLL).

Hopefully you will find this useful,
Russell


0
 

Author Comment

by:xapsx
ID: 17158876
thanks you!
It's awesome!
Can I contact you by email? I still might need your help!
0
 

Author Comment

by:xapsx
ID: 17158880
thank you*
And btw, what does IAT mean?
0
 

Author Comment

by:xapsx
ID: 17158897
Where did you get this function?

  TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

How do I do that with DragQueryFileW?? Please help
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158899

Import Address Table: when making API calls, you never actually call the API address directly (it's unknown until load time), so a table of addresses is used. This table is updated during the loading process and contains the pointers to the imported functions, hence the name IAT.

Russell
0
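To make the table Russell describes concrete, here is an added Python example (not from this thread or from Russell's units) that parses a PE file's import directory, the on-disk list the loader walks to fill the IAT, and returns which functions each DLL contributes. It builds a constructed minimal PE32 stub in memory so it runs offline; the offsets inside build_sample_pe are assumptions for that stub only, while list_imports itself handles PE32, PE32+ and ordinal imports.

```python
import struct

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def rva_to_offset(data, rva):
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    for i in range(nsec):                      # walk the section table
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, pe + 24 + opt_size + i * 40 + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x not in any section" % rva)

def list_imports(data):
    """Return {dll: [imported names]} from the import directory the loader fills the IAT from."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    fmt, size = ("<Q", 8) if magic == 0x20B else ("<I", 4)   # PE32+ vs PE32 thunk width
    imp_rva = struct.unpack_from("<I", data, pe + 24 + (112 if size == 8 else 96) + 8)[0]
    desc, imports = rva_to_offset(data, imp_rva), {}
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                      # all-zero descriptor ends the list
            return imports
        funcs, thunk = [], rva_to_offset(data, ilt or iat)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            funcs.append("#%d" % (entry & 0xFFFF) if entry >> (size * 8 - 1)   # by ordinal
                         else cstr(data, rva_to_offset(data, entry) + 2))      # hint, then name
            thunk += size
        imports[cstr(data, rva_to_offset(data, name_rva))] = funcs
        desc += 20

def build_sample_pe():
    """Constructed PE32 stub (not a real program) importing CreateFileA/W from kernel32.dll."""
    rva, raw, hdr = 0x1000, 0x200, bytearray(0x200)   # one section at RVA 0x1000 / file 0x200
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)   # IMAGE_FILE_HEADER
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                  # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 96 + 8, rva, 40)                      # import DataDirectory
    struct.pack_into("<8sIIII", hdr, 0x138, b".idata", 0x100, rva, 0x100, raw)
    sec = bytearray(0x100)   # descriptor @0, ILT @0x30, IAT @0x40, names @0x50, dll name @0x80
    struct.pack_into("<IIIII", sec, 0, rva + 0x30, 0, 0, rva + 0x80, rva + 0x40)
    for off in (0x30, 0x40):                   # ILT and IAT hold the same name RVAs on disk
        struct.pack_into("<III", sec, off, rva + 0x50, rva + 0x5E, 0)
    sec[0x50:0x6C] = b"\0\0CreateFileA\0\0\0CreateFileW\0"   # hint/name entries
    sec[0x80:0x8D] = b"kernel32.dll\0"
    return bytes(hdr + sec)
```

On a real binary, pass the file's bytes; the names returned are exactly the IAT slots an IAT patch such as the hook DLL above would overwrite, which is what you compare against when checking a loaded process for hooks.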
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158914
>> TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes:
>> PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

It's the declaration layout for CreateFileW. For DragQueryFileW, just look up the declaration in shellapi.pas and do the same thing:

type
  TDragQueryFileW   =  function(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;

then create a function pointer to hold the original, and a new declaration, eg:

var
  lpDragQueryFileW:  TDragQueryFileW;

function HookDragQueryFileW(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;
begin
 ...
end;

to use as the hooked function. I would suggest Googling this topic (IAT, hooks, injection, etc.) and reading up on what you find so you get a better understanding. If you still need help after that, then let me know.

Russell




0
 

Author Comment

by:xapsx
ID: 17158935
Hey Russell,
thank you very much. Great help.
0
 
LVL 26

Expert Comment

by:Russell Libby
ID: 17158940

You're very welcome...
Like I said, read up, do some looking around, go through the provided code (most of it is pretty well commented), etc., and then if you still have questions, I will be more than glad to answer them.

Russell
0
 

Author Comment

by:xapsx
ID: 17164227
Hey Russell,
are you still there?

I was just wondering:
how can I inject my own function?
And how do I handle objects from any application, like writing in the Notepad memo?

Can you help me? (If you want, I'll make a new thread so I can give you more points.)
Please let me know.
0
