exe hijacking

hi there,
how can I hijack an exe and run my own code on it?
I haven't yet found working code. Plz help!
xapsx asked:

Russell Libby (Software Engineer, Advisory) commented:
Alright...

You can download sources from my site; the 2 downloads that you will need are the Win32Hook unit and the Disasm32 unit:

http://users.adelphia.net/~rllibby/downloads/disasm32.zip
http://users.adelphia.net/~rllibby/downloads/win32hook.zip

The disasm unit is used by the win32hook unit only for the code rewriting. The win32 hook unit itself exposes classes for:

- IAT patching
- Code rewriting
- Library injection

The code I provide in these units is nothing special, and is not anything you can't already find on the net (usually for C/C++ though).  Anyways, the injection that you are interested in will require a Win 2k, Xp, 2003 system due to the API calls it uses to allocate memory in the other process. To simplify learning, there is a download at:

http://users.adelphia.net/~rllibby/downloads/hookloader.zip

That includes 2 projects, one an exe (no form) which is used to start notepad and inject the hook dll into it, and the other a library (hook.dll). The hookloader program starts Notepad and demonstrates what is required to inject a library into another process. The hook dll demos IAT patching, where it patches the calls to CreateFileA and CreateFileW; in short, once injected into notepad, any time notepad opens / saves a file, it will display the file name in a message box (which is coming from the hook dll).

Hopefully you will find this useful,
Russell


0
 
Russell Libby (Software Engineer, Advisory) commented:

Sorry, but you're not going to get anyone here to help you in questionable activities. You need to restate your question and intentions (hijack is not the word you want to be using) before anyone is going to help.

Regards,
Russell
0
 
xapsx (Author) commented:
hi rllibby
that's not good, what should I say?
I just want to learn how to make it; if you have any tutorials, let me know.
maybe the right word is: inject? if not, I can't help you
I know a way would be to inject a thread using CreateRemoteThread and a DLL, but I don't know much about it.
any idea?
0
 
Russell Libby (Software Engineer, Advisory) commented:

The concern is with the word "hijack", as it denotes negative intentions. "Inject"ing is better terminology, so long as you plan on using this for legitimate purposes; e.g. do whatever you want on your own system, but do no harm to others. If your only intention is on learning, then I can help you in this area, as I am semi-versed in hooking, IAT patching, code rewriting, dll injection, and process memory handling.

Russell

0
 
xapsx (Author) commented:
yes, just learning.
0
 
xapsx (Author) commented:
thanks you!
it's awesome!
can I contact you by email? I still might need your help!
0
 
xapsx (Author) commented:
thank you*
and btw: what does IAT mean?
0
 
xapsx (Author) commented:
where did you get this function?

  TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

how do I do that with DragQueryFileW?? plz help
0
 
Russell Libby (Software Engineer, Advisory) commented:

Import Address Table: When making API calls, you never actually call the api address directly (it's unknown till load time), so a table of addresses is used. This table is updated during the loading process, and contains the pointers to the imported functions, thus called the IAT.

Russell
0
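To make the table Russell describes concrete, here is an added example that is not code from the thread or from his Win32Hook unit. It is written in Python rather than Delphi because it works on a constructed, in-memory PE32-style import directory and so runs anywhere offline: build_image lays out the descriptors, the import lookup table (ILT), the IAT and the name strings; parse_imports walks them the way the loader does; resolve_imports simulates the loader filling each IAT slot with the export's address; and find_patched_slots is the defender-side check that flags any slot whose address no longer falls inside the module that is supposed to export it, which is exactly what IAT patching leaves behind. All module bases, sizes and export RVAs in MODULES are constructed values, and the image base is assumed to be 0 so that buffer offsets double as RVAs.

```python
import struct

DESC_SIZE = 20                 # sizeof(IMAGE_IMPORT_DESCRIPTOR)
ORDINAL_FLAG32 = 0x80000000    # IMAGE_ORDINAL_FLAG32: high bit set -> import by ordinal

# Constructed sample data (not real load addresses or export RVAs).
MODULES = {  # dll -> (load base, image size, {export name: RVA})
    "kernel32.dll": (0x7C800000, 0x100000, {"CreateFileA": 0x1A24, "CreateFileW": 0x1A3C}),
    "shell32.dll": (0x7E400000, 0x200000, {"DragQueryFileW": 0x2B10}),
}
IMPORTS = {"kernel32.dll": ["CreateFileA", "CreateFileW"], "shell32.dll": ["DragQueryFileW"]}


def build_image(imports):
    """Build a flat image: descriptors | ILT+IAT per DLL | strings.
    Offsets into the returned buffer are used as RVAs (image base assumed 0)."""
    items = list(imports.items())
    thunk_base = (len(items) + 1) * DESC_SIZE
    str_base = thunk_base + sum(2 * (len(f) + 1) * 4 for _, f in items)
    descs, thunks, strings = bytearray(), bytearray(), bytearray()
    for dll, funcs in items:
        ilt_rva = thunk_base + len(thunks)
        iat_rva = ilt_rva + (len(funcs) + 1) * 4
        name_rva = str_base + len(strings)
        strings += dll.encode() + b"\0"
        ilt = bytearray()
        for fn in funcs:
            hint_rva = str_base + len(strings)        # IMAGE_IMPORT_BY_NAME: hint + name
            strings += struct.pack("<H", 0) + fn.encode() + b"\0"
            ilt += struct.pack("<I", hint_rva)
        ilt += b"\0" * 4                              # zero thunk terminates the list
        thunks += ilt + ilt                           # on disk the IAT is a copy of the ILT
        # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva)
    descs += b"\0" * DESC_SIZE                        # all-zero descriptor ends the table
    return bytes(descs + thunks + strings)


def read_cstr(image, off):
    return image[off:image.index(b"\0", off)].decode()


def parse_imports(image, import_dir_rva=0):
    """Walk the descriptor list; return {dll: [(name_or_ordinal, iat_slot_rva), ...]}."""
    result, off = {}, import_dir_rva
    while True:
        ilt, _, _, name, iat = struct.unpack_from("<IIIII", image, off)
        if ilt == 0 and name == 0 and iat == 0:
            break
        entries, i = [], 0
        while True:
            thunk = struct.unpack_from("<I", image, ilt + 4 * i)[0]
            if thunk == 0:
                break
            sym = thunk & 0xFFFF if thunk & ORDINAL_FLAG32 else read_cstr(image, thunk + 2)
            entries.append((sym, iat + 4 * i))        # the slot the loader will overwrite
            i += 1
        result[read_cstr(image, name)] = entries
        off += DESC_SIZE
    return result


def resolve_imports(image, modules):
    """Simulate the loader: overwrite each IAT slot with base + export RVA."""
    img = bytearray(image)
    for dll, entries in parse_imports(image).items():
        base, _, exports = modules[dll]
        for sym, slot in entries:
            struct.pack_into("<I", img, slot, base + exports[sym])
    return bytes(img)


def find_patched_slots(image, modules):
    """Defender check: every resolved slot must point inside the exporting module.
    Returns [(dll, symbol, address)] for slots that do not."""
    bad = []
    for dll, entries in parse_imports(image).items():
        base, size, _ = modules[dll]
        for sym, slot in entries:
            addr = struct.unpack_from("<I", image, slot)[0]
            if not base <= addr < base + size:
                bad.append((dll, sym, addr))
    return bad


def demo():
    """Clean image vs. one whose CreateFileW slot was redirected elsewhere."""
    image = resolve_imports(build_image(IMPORTS), MODULES)
    slot = dict(parse_imports(image)["kernel32.dll"])["CreateFileW"]
    patched = bytearray(image)
    struct.pack_into("<I", patched, slot, 0x10001000)  # constructed foreign address
    return find_patched_slots(image, MODULES), find_patched_slots(patched, MODULES)


if __name__ == "__main__":
    print(demo())
```

The range check is the same one memory-integrity tools apply to a live process: read each IAT slot, find which loaded module the address belongs to, and compare it with the DLL named in the descriptor. A 64-bit image uses 8-byte thunks and IMAGE_ORDINAL_FLAG64, but the walk is otherwise identical.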
 
Russell Libby (Software Engineer, Advisory) commented:
>> TCreateFileW      =  function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD; lpSecurityAttributes:
>> PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;

It's the declaration layout for CreateFileW. For DragQueryFileW, just look up the declaration in shellapi.pas and do the same thing:

type
  TDragQueryFileW   =  function(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;

then create a function pointer to hold the original, and a new declaration, eg:

var
  lpDragQueryFileW:  TDragQueryFileW;

function HookDragQueryFileW(Drop: HDROP; FileIndex: UINT; FileName: PWideChar; cb: UINT): UINT; stdcall;
begin
 ...
end;

to use as the hooked function. I would suggest Googling this topic (IAT, Hooks, Injection, etc.) and reading up on what you find so you get a better understanding. If you still need help after that, then let me know.

Russell
0
 
xapsx (Author) commented:
hey Russell
thank you very much. great help
0
 
Russell Libby (Software Engineer, Advisory) commented:

You're very welcome...
Like I said, read up, do some looking around, go through the provided code (most of it is pretty well commented), etc., and then if you still have questions, I will be more than glad to answer them.

Russell
0
 
xapsx (Author) commented:
hey russell,
are you still there?

I was just wondering
how can I inject my own function?
and how do I handle objects from any application? like writing in the Notepad memo.

can you help me? (if you want I'll make a new thread so I can give you more points)
please let me know
0