
Writing into process using injection


9 replies to this topic

#1 mavor (Seeker, Active Members, 19 posts)

Posted 25 December 2009 - 03:01 AM

I am attempting to write ASM into the currently running process using my AutoIT script. However, I am running into some weird problems that I honestly cannot understand correctly.

Firstly, here is my code for injecting into the process:

Func Run_ASM2($hWnd)
    Dim $i, $tmp_Addr, $RThwnd, $h, $pid
    ConsoleWrite($AsmCode)
    ReDim $AsmCode[StringLen($OPcode) / 2 - 1]
    For $i = 0 To UBound($AsmCode)
        $AsmCode[$i] = Int("0x" & StringMid($OPcode, $i * 2 + 1, 2))
    Next
    GetWindowThreadProcessId($hWnd, $pid)
    $h = OpenProcess($PROCESS_ALL_ACCESS, False, $pid)
    $tmp_Addr = VirtualAllocEx($h, 0, UBound($AsmCode) + 1, $MEM_COMMIT2, $PAGE_EXECUTE_READWRITE2)
    WriteProcessMemory($h, $tmp_Addr, VarPtr($AsmCode[0]), UBound($AsmCode) + 1, 0)
    $RThwnd = CreateRemoteThread($h, 0, 0, $tmp_Addr, 0, 0, 0)
    VirtualFreeEx($h, $tmp_Addr, UBound($AsmCode) + 1, $MEM_RELEASE2)
    CloseHandle($RThwnd)
    CloseHandle($h)
    $OPcode = ""
EndFunc   ;==>Run_ASM2


Before injecting the code I first find a high and low word that will be pushed into the process:

$tInt64 = DllStructCreate('int64')
DllStructSetData($tInt64, 1, $iValue)
$tHiLo = DllStructCreate('dword;dword', DllStructGetPtr($tInt64))
ConsoleWrite('Hi DWord = 0x' & Hex(DllStructGetData($tHiLo, 2)) & @CR)
ConsoleWrite('Lo DWord = 0x' & Hex(DllStructGetData($tHiLo, 1)) & @CR)
$dHiWord = Hex(DllStructGetData($tHiLo, 2))
$dLoWord = Hex(DllStructGetData($tHiLo, 1))


Following that I call functions that create my opcodes:

MOV_EAX($dHiWord)
PUSH_EAX()
MOV_EAX($dLoWord)
PUSH_EAX()
MOV_EAX(0x004C9AA0) ;move the address into EAX register
CALL_EAX() ;call the function located at EAX register using the guid we just pushed on the stack
Add_ESP(0x08)
Ret()
Run_ASM2($hWnd)

And an example of one of the push functions and the MOV function that put my hi and lo onto the stack:

Func Push_EAX()
    $OPcode = $OPcode + "50"
EndFunc   ;==>Push_EAX

Func Mov_EAX($i)
    $OPcode = $OPcode + "B8" + Int2Hex($i, 8)
EndFunc   ;==>Mov_EAX

Func Int2Hex($Value, $n) ;?????
    Dim $tmp1, $tmp2, $i
    $tmp1 = StringRight("0000000" + Hex($Value), $n)
    For $i = 0 To StringLen($tmp1) / 2 - 1
        $tmp2 = $tmp2 + StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
    Next
    $Int2Hex = $tmp2
EndFunc   ;==>Int2Hex


However, there are two major problems that are showing up:
1. If I insert a MsgBox(0, "test it", $OPcode) under the first MOV_EAX function call, I am returned 0. I tried substituting $dHiWord with DllStructGetData($tHiLo, 2) (an int) but it still returns 0. Strange.

2. I get a compilation error: ==> Array variable subscript badly formatted.:
ReDim $AsmCode[StringLen($OPcode) / 2 - 1]
ReDim $AsmCode[^ ERROR

Any ideas about what is going on here?

Edited by mavor, 25 December 2009 - 03:12 AM.
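To check what the hex string assembled by the calls above actually encodes, here is an added Python example (not code from this thread): a port of the post's Int2Hex using string concatenation (what AutoIt's & does, as opposed to +), the hi/lo DWORD split, and a small decoder for the five encodings the stub uses, so the byte order of each immediate can be verified before anything is written anywhere. 0x004C9AA0 is the address quoted in the post; the 64-bit value is a constructed sample.

```python
import struct
# 0x004C9AA0 is the address quoted in the post; the 64-bit value is a constructed sample.
FUNC_ADDR = 0x004C9AA0
SAMPLE_VALUE = 0x1122334455667788

def split_int64(value):
    """Split a 64-bit value into (hi, lo) DWORDs, as the DllStruct trick in the post does."""
    value &= 0xFFFFFFFFFFFFFFFF
    return (value >> 32) & 0xFFFFFFFF, value & 0xFFFFFFFF

def int2hex_le(value, n):
    """Port of the post's Int2Hex with string concatenation ('&' in AutoIt, not '+')."""
    tmp1 = ("0000000" + format(value, "X"))[-n:]   # StringRight(..., $n)
    tmp2 = ""
    for i in range(len(tmp1) // 2):                # For $i = 0 To StringLen($tmp1) / 2 - 1
        start = len(tmp1) - 1 - 2 * i              # 1-based StringMid start position
        tmp2 += tmp1[start - 1:start + 1]          # two hex digits, walking from the right
    return tmp2                                    # little-endian byte order, e.g. 44332211

def decode(hexstr):
    """Decode the five encodings the stub uses back into mnemonics to verify byte order."""
    data = bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(data):
        op = data[i]
        if op == 0xB8:                                   # B8 imm32: mov eax, imm32
            imm = struct.unpack_from("<I", data, i + 1)[0]
            out.append(f"mov eax, 0x{imm:08X}")
            i += 5
        elif op == 0x50:                                 # push eax
            out.append("push eax")
            i += 1
        elif data[i:i + 2] == b"\xFF\xD0":               # call eax
            out.append("call eax")
            i += 2
        elif data[i:i + 2] == b"\x83\xC4":               # add esp, imm8
            out.append(f"add esp, {data[i + 2]}")
            i += 3
        elif op == 0xC3:                                 # ret
            out.append("ret")
            i += 1
        else:
            raise ValueError(f"unknown opcode 0x{op:02X} at offset {i}")
    return out

def sample_stub():
    """The hex string the post's sequence of calls should produce for SAMPLE_VALUE."""
    hi, lo = split_int64(SAMPLE_VALUE)
    return ("B8" + int2hex_le(hi, 8) + "50" + "B8" + int2hex_le(lo, 8) + "50"
            + "B8" + int2hex_le(FUNC_ADDR, 8) + "FFD0" + "83C408" + "C3")
```

Running decode over a string built with the post's original + operator would fail at bytes.fromhex, since + coerces "B8" to 0 and the result is a number rather than a hex string.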








#2 whim (Universalist, Active Members, 350 posts)

Posted 25 December 2009 - 09:08 AM

Re 2. I don't think AutoIt will evaluate a function within an array index, help file says

"The index number can also be substituted by another variable or an expression, so you can build complex ways to assign or access elements in an array."


so, try a dummy variable:

$dummy = StringLen($OPcode) / 2 - 1
ReDim $AsmCode[$dummy]

cheers,

whim

#3 mavor (Seeker, Active Members, 19 posts)

Posted 25 December 2009 - 11:23 AM

Ok, the dummy variable didn't help. It's still dying wherever we call StringLen. So I checked it out and for some reason the OPcode is not being written properly. Like I said, every time I tested the value after doing a MOV or similar function the OPcode would stay at 0, except for when it had a number like "+50" added to it.

Any idea why the OPcode is not being updated correctly?

#4 Authenticity (Universalist, MVPs, 2,619 posts)

Posted 25 December 2009 - 12:21 PM

The badly formatted array error message is because the math expression results in -1, so ReDim $aArr[-1] produces this error. I've looked into the Mov_EAX and Push_EAX functions and it's not visible whether the $OPCode variable should contain a number variable or a binary string. Perhaps the +'s there should be &'s?

#5 mavor (Seeker, Active Members, 19 posts)

Posted 25 December 2009 - 01:08 PM

Here I have attached the full ASMinjection file (functions for injection). Perhaps you can see what it is expecting now?



#6 Authenticity (Universalist, MVPs, 2,619 posts)

Posted 25 December 2009 - 01:39 PM

Seems like this library is a mess. MulDiv is expecting 3 parameters and not a pointer. I guess that this library is quite old and was targeting one of the AutoIt versions prior to version 3, but I don't know. The context the pluses are used in within the library seems to me like a concatenation context.

#7 mavor (Seeker, Active Members, 19 posts)

Posted 25 December 2009 - 01:53 PM

Hmm, do you know of any other AIT3 injection libraries? This was what I pulled up after searching around for a while.

#8 Authenticity (Universalist, MVPs, 2,619 posts)

Posted 25 December 2009 - 02:09 PM

AutoIt Inline Assembly UDF by Ward.

#9 mavor (Seeker, Active Members, 19 posts)

Posted 25 December 2009 - 02:18 PM

Hot. I'm going to get into that and report my results later on. Thanks for the heads up : )

Edit** Looks really good but... that is for running a .dll in its own memory space, correct? However, I must run this opcode from within the process (injection), maybe by using a remote thread? Do you see what I mean?

Please share any ideas you have on getting a .dll from that inline ASM library injected via remote thread into my $Pid. I think my knowledge of this stuff is falling a bit short ;)

Edited by mavor, 25 December 2009 - 02:45 PM.


#10 Authenticity (Universalist, MVPs, 2,619 posts)

Posted 25 December 2009 - 07:07 PM

lol, oh here it is, thanks monoceres ;). The example is quite 1:1, but you can use Ward's inline assembly UDF by first allocating the necessary code and data blocks and then writing the machine code using AsmAdd(). Look at how monoceres did the calculation and do accordingly.



