Consult the issue of Win API routine address and code injection

C / C++ / MFC
#1 Jude Deng

Hi everybody, could you give me an answer concerning injecting code into another process? My questions are:

[1] Must Windows API functions have the same address in all processes?
[2] Why does it crash when a remote thread procedure directly calls a Windows API function?

Now I show my code:

    #include <windows.h>

    DWORD __stdcall RemoteThreadProc(LPVOID lParam)
    {
        LoadLibraryA(NULL);   // crash!!! Why crash???
        return 0;
    }

    DWORD Inject(HANDLE hTargetProcess)
    {
        // Compare the local call with the call in the remote thread procedure.
        LoadLibraryA(NULL);   // OK!!!
        //=======================================================
        DWORD dwWriteBytes;   // receives the remote thread id
        // The size of the thread procedure code. Estimated.
        DWORD dwThreadSize = 5000;

        // Allocate memory in the other process's address space
        void* pRemoteThread = VirtualAllocEx(hTargetProcess, 0, dwThreadSize,
                                             MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (!pRemoteThread)
        {
            // Failed!!!
            return 0;
        }

        // Write the thread procedure code to the target process.
        if (!WriteProcessMemory(hTargetProcess, pRemoteThread, RemoteThreadProc, dwThreadSize, 0))
        {
            // Failed!!!
            return 0;
        }

        // Create the remote thread
        HANDLE hRemoteThread = CreateRemoteThread(hTargetProcess, NULL, 0,
                                                  (DWORD (__stdcall *)(void *))pRemoteThread,
                                                  NULL, 0, &dwWriteBytes);
        if (!hRemoteThread)
        {
            // Failed!!!
            return -1;
        }
        return 1;   // Successfully
    }
    //============================================
    // Based on Windows XP SP2, VC6.0
    //============================================

As far as I know, Windows API functions have the same address in all processes, but I can't be sure of it. For example, the address of "LoadLibraryA" is 0x7c801d77 in some processes which I tested. [I get the address by `printf(TEXT("%x"), LoadLibraryA);`.] If Windows API functions have the same address in all processes, there is no reason to crash when the remote thread procedure calls an API function. Please give me an answer or some illumination. Thank you.

#2 maciu2020

Injecting functions written in a high-level programming language this way is unsafe; when they are relocated, some addresses change. It's safer to call

    HANDLE hRemoteThread = CreateRemoteThread(hTargetProcess, NULL, 0,
                                              (LPTHREAD_START_ROUTINE)LoadLibraryA,
                                              pRemotelyAllocatedStringContainigPathToTheDll,
                                              0, &dwWriteBytes);

and in the DllMain of this DLL call your RemoteThreadProc. Anyway, as far as I understand the comments in your code, WriteProcessMemory is the part that fails. What process do you try to inject your code into? Are you sure that you have sufficient rights?

-- added at 6:56 Wednesday 28th November, 2007

One more thing. Do you compile it in debug mode? If so, at the address of your function you'll see:

    jmp some_other_address

Then WriteProcessMemory will copy just these 5 (6?) bytes and some "other" data, not useful for you, instead of your function's body.

#3 Jude Deng

Dear maciu2020, I know your method of injection. I just want to learn why my code crashes. In addition, I have raised the privilege of the process handle before calling the function 'Inject'. In your code, LoadLibraryA is a parameter of CreateRemoteThread. Given that the address of LoadLibraryA is 0x7c801d77, the following code is OK:

    HANDLE hRemoteThread = CreateRemoteThread(hTargetProcess, NULL, 0,
                                              (LPTHREAD_START_ROUTINE)0x7c801d77,
                                              pRemotelyAllocatedStringContainigPathToTheDll,
                                              0, &dwWriteBytes);

Why is it OK??? There is only one reason: the address of LoadLibraryA is the same in all processes! In other words, LoadLibraryA == 0x7c801d77 in process A and LoadLibraryA == 0x7c801d77 in process B at the same time. Do you agree with my opinion??? This is the key of my question: in my code, the local call to LoadLibraryA is jmp/call 0x7c801d77 and the call to LoadLibraryA in the remote thread procedure is also jmp/call 0x7c801d77. Why must the latter crash?

#4 maciu2020

Actually the address may vary; Windows sets it while loading kernel32.dll. But on each machine, all processes share kernel32.dll functions' addresses.

    DWORD __stdcall RemoteThreadProc(LPVOID lParam)
    {
        __asm
        {
            push 0
            call DWORD PTR LoadLibrary
        }
    }

should be OK... as long as you compile your program with optimizations on. It would definitely be OK if you wrote the whole thing in assembly, to ensure that the compiler won't insert something there you don't want it to.

    push 0
    call DWORD PTR LoadLibrary
    retn 0

generates the same code no matter where it's placed. If it still doesn't work, can you disassemble RemoteThreadProc and post it here?
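The crash in post #1, shown on bytes rather than in words. This is an added example, not code from any of the posts above: a small scan over an x86 code blob for the two encodings a 32-bit MSVC build uses for a call to an imported function, `E8 rel32` to the `_LoadLibraryA@4` import thunk (the jmp-thunk layout the reply above mentions) and `FF 15 disp32` through the IAT slot. Both bake in an address that belongs to the injector's image: after WriteProcessMemory copies the bytes into a fresh VirtualAllocEx block, the relative call lands on whatever sits at the same displacement from the new block, and the IAT form reads a function pointer from an address the target process never filled in. The same-address-in-every-process observation about kernel32 on Windows XP is real (no ASLR), but the copied function never reaches 0x7c801d77 directly; it reaches the thunk's or the IAT slot's address, which only meant something in the injector. The stub bases, thunk and IAT addresses and the VirtualAllocEx result are assumed values, and the three byte sequences are hand-assembled for this example. Stub C takes LoadLibraryA's address and the argument from the thread parameter, which is why it audits clean; it is the same idea as passing LoadLibraryA itself as the start routine and a remotely written path as the parameter.

```c
/* Added example, not code from the thread: scan a copied x86 blob for call encodings
 * whose meaning depends on the address the bytes run at. Every address and byte
 * sequence below is a hand-constructed assumption, not a dump of a real image. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { REF_CALL_REL32, REF_CALL_IAT } ref_kind; /* E8 rel32 to a thunk / FF 15 [IAT slot] */

typedef struct {
    size_t   offset;       /* offset of the call instruction inside the blob */
    ref_kind kind;
    uint32_t target;       /* address used while the blob sits at old_base (the injector) */
    uint32_t at_new_base;  /* address used once the same bytes run at new_base (the target) */
} code_ref;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Linear byte scan for the two encodings 32-bit MSVC uses to call an imported function.
 * Not a disassembler: on real compiler output an E8/FF byte inside another instruction can
 * misfire, so confirm hits with a disassembler. Exact for the short stubs below. */
static size_t audit_calls(const uint8_t *blob, size_t len, uint32_t old_base,
                          uint32_t new_base, code_ref *out, size_t max_refs)
{
    size_t n = 0, i = 0;
    while (i < len && n < max_refs) {
        if (blob[i] == 0xE8 && i + 5 <= len) {
            uint32_t rel = rd32(blob + i + 1), next = (uint32_t)(i + 5); /* rel32 is from the next insn */
            out[n].offset = i;
            out[n].kind = REF_CALL_REL32;
            out[n].target = old_base + next + rel;       /* the thunk: exists only in the injector */
            out[n].at_new_base = new_base + next + rel;  /* same displacement, unrelated memory */
            n++; i += 5;
        } else if (blob[i] == 0xFF && i + 6 <= len && blob[i + 1] == 0x15) {
            out[n].offset = i;
            out[n].kind = REF_CALL_IAT;
            out[n].target = rd32(blob + i + 2);          /* the injector's IAT slot for LoadLibraryA */
            out[n].at_new_base = out[n].target;          /* the target reads its own memory there */
            n++; i += 6;
        } else {
            i++;
        }
    }
    return n;
}

/* 0 means nothing is baked in and the bytes can be copied anywhere as-is. */
static size_t count_address_refs(const uint8_t *blob, size_t len)
{
    code_ref scratch[16];
    return audit_calls(blob, len, 0, 0, scratch, 16);
}

/* First hit in the blob, or an all-zero record when there is none. */
static code_ref first_ref(const uint8_t *blob, size_t len, uint32_t old_base, uint32_t new_base)
{
    code_ref r = {0, REF_CALL_REL32, 0, 0};
    audit_calls(blob, len, old_base, new_base, &r, 1);
    return r;
}

#define INJECTOR_FUNC_BASE 0x00401000u  /* assumed address of RemoteThreadProc in the injector */
#define REMOTE_ALLOC_BASE  0x00350000u  /* assumed block handed back by VirtualAllocEx in the target */

/* Stub A, thunk layout: push 0 / call _LoadLibraryA@4 / xor eax,eax / ret 4.
 * Thunk assumed at 0x00401AB0: rel32 = 0x00401AB0 - (0x00401000 + 7) = 0x00000AA9. */
static const uint8_t kThunkCallBlob[] = { 0x6A, 0x00, 0xE8, 0xA9, 0x0A, 0x00, 0x00, 0x33, 0xC0, 0xC2, 0x04, 0x00 };
/* Stub B, IAT layout: push 0 / call dword ptr [__imp__LoadLibraryA@4] / xor eax,eax / ret 4.
 * IAT slot assumed at 0x00402010. */
static const uint8_t kIatCallBlob[] = { 0x6A, 0x00, 0xFF, 0x15, 0x10, 0x20, 0x40, 0x00, 0x33, 0xC0, 0xC2, 0x04, 0x00 };
/* Stub C, position-independent: lParam -> { FARPROC pfnLoadLibraryA; const char *path; }
 * mov ecx,[esp+4] / push dword ptr [ecx+4] / call dword ptr [ecx] / ret 4. Every address it
 * needs arrives through the thread parameter, so nothing is baked into the bytes. */
static const uint8_t kParamCallBlob[] = { 0x8B, 0x4C, 0x24, 0x04, 0xFF, 0x71, 0x04, 0xFF, 0x11, 0xC2, 0x04, 0x00 };

static void report(const char *name, const uint8_t *blob, size_t len)
{
    code_ref refs[16];
    size_t i, n = audit_calls(blob, len, INJECTOR_FUNC_BASE, REMOTE_ALLOC_BASE, refs, 16);
    printf("%s: %zu position-dependent call(s)\n", name, n);
    for (i = 0; i < n; i++)
        printf("  +0x%02zx %-18s injector uses 0x%08x, copy at 0x%08x uses 0x%08x\n", refs[i].offset,
               refs[i].kind == REF_CALL_REL32 ? "call rel32 (thunk)" : "call [IAT slot]",
               refs[i].target, REMOTE_ALLOC_BASE, refs[i].at_new_base);
}

int main(void)
{
    report("stub A, thunk call", kThunkCallBlob, sizeof kThunkCallBlob);
    report("stub B, IAT call", kIatCallBlob, sizeof kIatCallBlob);
    report("stub C, parameter-driven", kParamCallBlob, sizeof kParamCallBlob);
    return 0;
}
```

The program only inspects bytes, it never executes them, so it builds and runs as an ordinary host program on any platform. To point it at a real function, memcpy the function's bytes out of the injector before the WriteProcessMemory call and hand them to audit_calls with the function's address and the VirtualAllocEx result; stub A then reports where the copied call really lands (0x00350AB0 here, which is neither the thunk nor LoadLibraryA), and any non-zero count is the answer to "why crash". Writing the remote routine as stub C, or using the LoadLibraryA-as-start-routine technique from post #2, keeps the count at zero.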

#5 David Crow

            deng0jun wrote:

            LoadLibraryA(NULL); //crash!!! Why crash???

            Why would you expect it not to crash?


            "Normal is getting dressed in clothes that you buy for work and driving through traffic in a car that you are still paying for, in order to get to the job you need to pay for the clothes and the car and the house you leave vacant all day so you can afford to live in it." - Ellen Goodman

            "To have a respect for ourselves guides our morals; to have deference for others governs our manners." - Laurence Sterne

#6 maciu2020

I guess because LoadLibraryA checks whether its argument is 0. And to indicate this, he wrote that the same LoadLibraryA(NULL), when placed in his own process, just fails and doesn't crash.

#7 Jude Deng

                DavidCrow wrote:

                Why would you expect it not to crash?

Because calling 'LoadLibraryA(NULL);' is OK in the local process.

#8 David Crow

                  But what does it do?

