Solved

Injecting/Executing Code in a Process's Main Thread.... how to??

Posted on 2009-07-10
1,411 Views
Last Modified: 2012-05-07
hey guys!

Long time no talk! Honestly didn't know I was still paying for this account lol Might as well use it!

Ok guys, so I'm working with a few languages, but I have a personal goal to make a C++/C# UDF (include) for AutoIt that can do all of the C++ functions and such. I've done pretty well so far .. injecting and executing my own code into my own thread etc. BUT I'm stuck on something so here's my question...

I'm trying to inject and execute ASM (converted to opcodes) into an external process's main thread then execute the code.. Like I said before I'm able to do this in my own thread but the task I'm trying to do must be executed in the main thread of the process since the process has some sort of check stopping me from executing some functions in my own thread..

So first off I'm running WinXP, not lower..

Second, I need some sort of example please in functions (DLL functions that can be called if possible.. Kernel32.dll, user32 etc)

Here's exactly what I need to do..

1. I need to be able to get the handle of the process's main thread
2. Suspend the main thread (SuspendThread --> Kernel32.dll)
3. Allocate memory (VirtualAllocEx)
4. Inject the ASM
5. Execute the code
6. ??
7. Resume the main thread (ResumeThread) **WITHOUT CRASHING THE APP!** xp

This is a personal project I'm working on for learning purposes and for the debugging/enhancement of my own apps.

Thank you to whoever can help me.

-Jay
Question by:jay1996
14 Comments
 
LVL 17

Expert Comment

by:CSecurity
ID: 24830387
Why don't you change the OEP, store the real OEP somewhere, add a new section, change the OEP to your section, then jump back to the real OEP?

Why don't you use DLL injection? Inject your DLL, do whatever you want, then let the thread resume...
 

Author Comment

by:jay1996
ID: 24830525
I don't want to inject a DLL...

What I need to do is get access to the external process's main thread, suspend it, then inject my code, then execute.. then resume.

Could someone help me out please?
 
LVL 17

Expert Comment

by:CSecurity
ID: 24830589
How about the OEP method?
 

Author Comment

by:jay1996
ID: 24830654
OEP as in Original Entry Point... How will this help me access the external process's main thread?

I need to find the external process's main thread handle #1

Example... My_app1.exe --> finds main thread handle of live process (this_app2.exe)
So I need code in my_app1.exe to access this_app2.exe's main thread, suspend it, inject my code into this_app2.exe's main thread, execute it, then resume this_app2.exe's main thread. This way I can call ALL of this_app2.exe's functions with my injected code.

Hope you can help..
 
LVL 17

Expert Comment

by:CSecurity
ID: 24830703
You can create a new section in your exe (before running it) with any size you need, then write your special code in your own section, then change your OEP to point to your new section, run your code and then jmp back to your old OEP. This is the method of infecting exe files that viruses and worms use.

There are a lot of articles about how to inject a DLL into an exe (not at run-time; injecting a DLL and for example making an EXE password protected with the injected DLL, see: http://migeel.sk/programming/pe-inject/)

How about this solution?

Because modifying a running remote exe's main thread, executing your code and resuming the thread will be really time consuming and a hard point to achieve... But let me know if you SHOULD use your own method, I'll try to find a way for it.
 

Author Comment

by:jay1996
ID: 24830864
I need to be able to inject/execute code into the process's main thread 'on the fly'. So when I want a function called that can't be called in my own thread, I just want to click a button on my app to call the function. Not inject at runtime and let it execute, that's not what I'm trying to do. Here's some of my code that uses my own thread, and it's 'on the fly' injecting so I just click the inject button and it's done.

The code below is the function that is called when the button 'Inject' is clicked. I need this EXACT ASM to be injected and executed in the process's main thread when I click the button. I have the functions for suspending and resuming, I just need to know how to get the main thread handle of the external process and be able to inject/execute the code into it. I've seen this done so many times it's ridiculous, but the people I've seen do it are doing personal projects with no sharing :(. Please help MY situation, please hear me out.

Func InjectCode()
	Global $hProcess = _WinAPI_OpenProcess(BitOR($PROCESS_CREATE_THREAD, $PROCESS_VM_OPERATION, $PROCESS_VM_WRITE), False, ProcessExists("Wow.exe"))

	;DataBuffer struct to store the Lua string
	Global $LuaEnt = GUICtrlRead($LString)
	$DataBuffer = DllStructCreate("char LuaString[" & StringLen($LuaEnt) + 1 & "]")
	DllStructSetData($DataBuffer, "LuaString", $LuaEnt)

	;Allocate the memory for the DataBuffer..
	$RemoteData = _MemVirtualAllocEx($hProcess, 0, sizeof($DataBuffer), $MEM_COMMIT, $PAGE_READWRITE)

	;Struct to hold the actual ASM code.
	$CodeBuffer = DllStructCreate("byte[58]")

	;Allocate exact memory for the ASM to be called
	$RemoteCode = _MemVirtualAllocEx($hProcess, 0, sizeof($CodeBuffer), $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)

	;Lua_DoString_Inject - MOV EAX,49AAB0 ASM::B8B0AA4900
	DllStructSetData($CodeBuffer, 1, _
			"0x" & _ ;                        <---CurMgr Update Start--->
			"C7C2809F1301" & _ ;                      mov EDX, 01139F80
			"8B92342C0000" & _ ;                      mov EDX, [EDX+0x2C34]
			"648B052C000000" & _ ;                    mov eax, DWORD PTR FS:[0x2C]
			"8B00" & _ ;                              mov EAX, [EAX]
			"83C010" & _ ;                            add EAX, 0x10
			"6A00" & _ ;                      <---CurMgr Update End, Lua_DoString Start--->
			"68" & SwapEndian($RemoteData + (_ptr($DataBuffer, "LuaString") - _ptr($DataBuffer))) & _
			"68" & SwapEndian($RemoteData + (_ptr($DataBuffer, "LuaString") - _ptr($DataBuffer))) & _
			"B8B0AA4900" & _ ;                        MOV EAX,49AAB0
			"FFD0" & _ ;                              CALL EAX
			"83C40C" & _ ;                            ADD ESP,C
			"C3")

	;Inject ASM and string struct
	Local $written
	_WinAPI_WriteProcessMemory($hProcess, $RemoteCode, _ptr($CodeBuffer), sizeof($CodeBuffer), $written)
	_WinAPI_WriteProcessMemory($hProcess, $RemoteData, _ptr($DataBuffer), sizeof($DataBuffer), $written)

	; Create thread in the target process. The start address is of course our injected code
	$call = DllCall("Kernel32.dll", "int", "CreateRemoteThread", "ptr", $hProcess, "ptr", 0, "int", 0, "ptr", $RemoteCode, "ptr", 0, "int", 0, "dword*", 0)
	$hThread = $call[0]

	_WinAPI_WaitForSingleObject($hThread)

	; We're polite guests so we clean up after ourselves.
	; VirtualFreeEx requires a size of 0 with MEM_RELEASE; it frees the whole region allocated above.
	_MemVirtualFreeEx($hProcess, $RemoteCode, 0, $MEM_RELEASE)

	; Get the return value and return. Mission Successful
	$call = DllCall("Kernel32.dll", "ptr", "GetExitCodeThread", "ptr", $hThread, "dword*", 0)
	_WinAPI_CloseHandle($hThread)
;~ 	_ResumeThread($WoWThread)
	Return $call[2]
EndFunc
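The remote thread the posted function creates starts at $RemoteCode, a private VirtualAllocEx page that belongs to no loaded module, and that is the artifact a defender looks for when hunting this kind of injection. As an added example (not code from this thread or from any library it mentions), the check below scores threads from constructed module-range and thread-start-address data; the module names, addresses and the 0/1/2 scoring scale are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Module image ranges (as Module32First/Next report them) and thread start
 * addresses (as NtQueryInformationThread reports them) are the inputs. */
typedef struct { const char *name; uint32_t base, size; } module_t;
typedef struct { uint32_t tid, start; int rwx_private; } thread_t;
/* Constructed sample data: every address below is made up for this example. */
#define N_MODULES 3
#define N_THREADS 3
static const module_t g_modules[N_MODULES] = {
    {"Wow.exe",      0x00400000, 0x00900000},
    {"kernel32.dll", 0x7C800000, 0x000F6000},
    {"ntdll.dll",    0x7C900000, 0x000B0000},
};
static const thread_t g_threads[N_THREADS] = {
    {1000, 0x0049AAB0, 0}, /* main thread, starts inside the Wow.exe image */
    {1004, 0x7C810665, 0}, /* worker thread started on a kernel32 routine */
    {1220, 0x02A50000, 1}, /* CreateRemoteThread into VirtualAllocEx RWX memory */
};
/* Index of the module whose image contains addr, or -1 if no module does. */
int module_for_address(uint32_t addr, const module_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return (int)i;
    return -1;
}
/* 0 = start backed by a module; 1 = unbacked start; 2 = unbacked and private RWX,
 * which is exactly what the posted VirtualAllocEx + CreateRemoteThread code leaves. */
int injection_score(const thread_t *t, const module_t *mods, size_t n) {
    if (module_for_address(t->start, mods, n) >= 0) return 0;
    return t->rwx_private ? 2 : 1;
}
/* Print every thread with a non-zero score and return how many were flagged. */
int count_suspicious(const thread_t *th, size_t nt, const module_t *mods, size_t nm) {
    int flagged = 0;
    for (size_t i = 0; i < nt; i++) {
        int score = injection_score(&th[i], mods, nm);
        if (score == 0) continue;
        flagged++;
        printf("TID %u: start 0x%08X is outside every loaded module (score %d)\n",
               (unsigned)th[i].tid, (unsigned)th[i].start, score);
    }
    return flagged;
}

int main(void) {
    printf("%d suspicious thread(s)\n", count_suspicious(g_threads, N_THREADS, g_modules, N_MODULES));
    return 0;
}
```

On a live system the same scoring runs over the real snapshot data; a thread whose start address is backed by a module can still be hijacked, so this catches the posted pattern, not every injection.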

 
LVL 40

Accepted Solution

by:
evilrix earned 500 total points
ID: 24833991
Maybe the Microsoft detours library will assist you?
http://research.microsoft.com/en-us/projects/detours/

Detours is a library for instrumenting arbitrary Win32 functions on x86, x64, and IA64 machines. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.
 

Author Comment

by:jay1996
ID: 24835907
No one can give me a code template that gets access to a live process's main thread, suspends it, injects code into it, executes it, then resumes..? Please, worth a fat 500 points
 
LVL 40

Expert Comment

by:evilrix
ID: 24837558
Did you look at Detours? It lets you hook into Win32 API functions, hijack them, run your own code and then (if you still want to) run the original API function called. Does this not provide you with a mechanism for doing what you are after?
 

Author Comment

by:jay1996
ID: 24844284
How about doing it with these kernel32 functions to access the main thread, then inject/execute?

_ThreadEntry32()
_CreateToolhelp32Snapshot
_Thread32First
_OpenThread
_NTQueryInformationThread

I'll look into the Detours DLL.. Do you know if it's made in .NET? Because I can't call functions from a .NET DLL in AutoIt :(
 
LVL 40

Expert Comment

by:evilrix
ID: 24846762
>> Do you know if its made in .Net?
It's designed to hook win32 API functions so I'm pretty sure it's a native C++ API.
 

Author Closing Comment

by:jay1996
ID: 31613292
Blah, never ended up even using Detours, I figured out how to hook EndScene and reroute it to execute my code. Thanks anyway
