
OMG..AUTOIT with Dynamic Function calling of Pointers..


29 replies to this topic

#1 WSCPorts (Adventurer, Active Members, 148 posts)

Posted 14 March 2006 - 11:23 PM

Like finding out about callback DLLs and plugins, huge (though they haven't quite fully taken off as I would like them to), but this isn't that huge according to Valik!..

But yeah, anyway, here's the ASM source, the DLL, the C# usage file and the AU3.
Plain Text

; -------------------------------------------------------------
;
; InvokeFuncAsm - Invokes a function through a function pointer passed as
; the first argument. All other parameters are forwarded on, plus the return
; value of the function invoked is returned.
;
; Copyright © Richard Birkby, ThunderMain ltd, November 2001
;
; -------------------------------------------------------------

.386
.model flat
option prologue:none
option epilogue:none
option dotname

.code

align DWORD
DllMain proc stdcall public, instance:DWORD, reason:DWORD, reserved:DWORD
    mov  eax, 1         ; success
    ret  12
DllMain endp

align DWORD
InvokeFunc proc stdcall public, funcptr:DWORD
    pop  ecx            ; save return address
    pop  edx            ; Get function pointer
    push ecx            ; Restore return address
    jmp  edx            ; Transfer control to the function pointer
InvokeFunc endp

end

PROPS TO THAT GUY :)

This is a console application showing usage.. in C#
Plain Text

using System;
using System.Runtime.InteropServices;

namespace DynamicInvocationTest
{
    public class Invokation
    {
        // Handles are declared as int here: that matches the 32-bit-only
        // Invoke.dll thunk above, but IntPtr is the portable choice.
        [DllImport("kernel32")]
        public extern static int LoadLibrary(string lpLibFileName);

        [DllImport("kernel32")]
        public extern static bool FreeLibrary(int hLibModule);

        [DllImport("kernel32", CharSet=CharSet.Ansi)]
        public extern static int GetProcAddress(int hModule, string lpProcName);

/*
        [DllImport("msjava", CharSet=CharSet.Unicode)]
        public extern static int call(int funcptr, int hwnd, string message, string title, int flags);
*/
        // Everything after funcptr is forwarded on the stack unchanged, so this
        // signature must match the target (MessageBoxW) exactly.
        [DllImport("Invoke", CharSet=CharSet.Unicode)]
        public extern static int InvokeFunc(int funcptr, int hwnd, string message, string title, int flags);

        static void Main(string[] args)
        {
            int hmod = LoadLibrary("User32");
            int funcaddr = GetProcAddress(hmod, "MessageBoxW");
            int result = InvokeFunc(funcaddr, 0, "Hello World", ".Net dynamic export invocation", 1 /*MB_OKCANCEL*/);
            Console.WriteLine("Result of invocation is " + result);

            FreeLibrary(hmod);
            Console.WriteLine("Press any key to continue...");
            Console.ReadLine();
        }
    }
}

By the same author ^^ Props again

Plain Text

MLFLAGS = /c /coff /Cp /Fl /Sc /Sg

All: Invoke.dll UnitTest.exe

Clean:
	-@if exist Invoke.obj erase Invoke.obj
	-@if exist Invoke.dll erase Invoke.dll
	-@if exist Invoke.lib erase Invoke.lib
	-@if exist Invoke.exp erase Invoke.exp
	-@if exist Invoke.lst erase Invoke.lst
	-@if exist UnitTest.exe erase UnitTest.exe

Invoke.obj: Invoke.asm
	ml $(MLFLAGS) $**

Invoke.dll: Invoke.obj
	link -DLL -entry:DllMain /machine:i386 /subsystem:windows /out:Invoke.dll /export:InvokeFunc $**

UnitTest.exe: UnitTest.cs
	csc $**


Plain Text

Func LibLoad($lpLibFileName)
    $hKrnl = DllOpen("kernel32.dll")
    $LibHandle = DllCall($hKrnl, "int", "LoadLibraryA", "str", $lpLibFileName)
    DllClose($hKrnl)
    Return $LibHandle[0]
EndFunc

Func GetProcAddress($hModule, $lpProcName)
    $hKrnl = DllOpen("Kernel32.dll")
    $ProcessAddy = DllCall($hKrnl, "int", "GetProcAddress", "int", $hModule, "str", $lpProcName)
    DllClose($hKrnl)
    Return $ProcessAddy[0]
EndFunc

; Invoke.dll forwards every argument after $FuncPtr straight to the pointer,
; so the types below must match MessageBoxW's signature exactly or AutoIt crashes.
Func Invoke($FuncPtr, $hWnd, $Message, $Title, $dwFlags)
    $DllInvoke = DllOpen("Invoke.dll")
    $Result = DllCall($DllInvoke, "int", "InvokeFunc", "int", $FuncPtr, "int", $hWnd, "wstr", $Message, "wstr", $Title, "int", $dwFlags)
    DllClose($DllInvoke)
    Return $Result[0]
EndFunc

$User32 = LibLoad("User32.dll")
$FuncPtr = GetProcAddress($User32, "MessageBoxW")
$Result = Invoke($FuncPtr, 0, "Hello World", "dynamic invocation", 1)
MsgBox(0, "WorkedMaybe", $Result)

Edited by WSCPorts, 19 March 2006 - 01:53 AM.

http://www.myclanhosting.com/defias Visit, join and contribute to a soon-to-be leader in customized tools development in [C# .Net 1.1 ~ 2.0/C/C++/MFC/AutoIt3/Masm32]

#2 WSCPorts (Adventurer, Active Members, 148 posts)

Posted 14 March 2006 - 11:27 PM

****DISCLAIMER****

Be very careful with this: if you provide the wrong params to the DllCall for Invoke, it will hard crash AutoIt... learn from all the DllCalls out there before trying THIS PLS.. :)
File Attached HERE ;]


Edited by WSCPorts, 16 April 2006 - 10:02 AM.


#3 Valik (Former developer., Active Members, 18,879 posts)

Posted 15 March 2006 - 12:04 AM

Now's the part where I tell you that I can achieve the same thing with AutoIt-only and have known how to do that for over 6 months. This really isn't as useful as you're making it out to be.

#4 WSCPorts (Adventurer, Active Members, 148 posts)

Posted 15 March 2006 - 12:14 AM

WHY such a friggin' downer, god. Worked for 20 mins on something, got a decent result, and you say "you can do it better and have" (which I don't doubt, btw). Like I friggin' know that or could have known that...
What function would allow for such a dynamic API feat, I ask? And can you provide an example?

Edited by WSCPorts, 15 March 2006 - 12:14 AM.


#5 Valik (Former developer., Active Members, 18,879 posts)

Posted 15 March 2006 - 12:57 AM

I'm not providing examples. There are very few practical examples to having this functionality and there are a lot more nefarious uses for it. In the real world, I've found very few things that just give you the address of a function and say, "here, push parameters onto the stack and invoke this function". In fact, I can't think of anything off the top of my head that does that (Except GetProcAddress(), but that is what DllCall() does).

#6 WSCPorts (Adventurer, Active Members, 148 posts)

Posted 16 March 2006 - 10:02 PM

Working on a new section for an inline ASM UDF for AutoIt and marshaling the return data to structures, which may also have to be written to memory. If anyone is interested in helping in the development of In-Line ASM for AutoIt, please post :)

#7 w0uter (resreveR nA, Active Members, 2,262 posts)

Posted 16 March 2006 - 10:32 PM

I already did it with my _Mem functions, but I'm interested if we are going to have statements like _Asm() :)
My UDF's: mem stuff: _Mem; ftp stuff: _FTP (OLD); inet stuff: _INetGetSource (OLD), _INetGetImage, _INetBrowse (Collection), _EncodeUrl, _NetStat, _Google; random stuff: _iPixelSearch, _DiceRoll

#8 WSCPorts (Adventurer, Active Members, 148 posts)

Posted 16 March 2006 - 11:18 PM

Yeah, but I'm going MASM32 v9 DLL :)
Plain Text

align DWORD
InLineCode proc stdcall public, szFile:DWORD, CodeBuffer:BYTE
    invoke FindWindow, addr szFile, 0                       ; get hwnd of File
    mov [hwnd], eax
    invoke GetWindowThreadProcessId, [hwnd], 0
    mov [ThePID], eax
    invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, [ThePID]  ; open the process
    mov [lpProcess], eax
    invoke VirtualAlloc, [CodeBuffer], sizeof CodeBuffer, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    mov [lpCode], eax
    invoke WriteProcessMemory, [lpProcess], [lpCode], [CodeBuffer], sizeof CodeBuffer, addr nBytesWritten
    invoke VirtualAlloc, [Buffer], sizeof Buffer, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    mov [lpBuffer], eax
    invoke WriteProcessMemory, [lpProcess], [lpBuffer], [Buffer], sizeof Buffer, addr nBytesWritten
    invoke CreateThread, 0, 0, [lpCode], [lpCodeBuffer], 0, threadid
    mov [hthread], eax
    invoke WaitForSingleObject, [hthread], 5000
    mov [sObject], eax                                      ; some marshaling of data here
    invoke CopyMemory, [sObject], [lpBuffer], sizeof sObject
    invoke VirtualFree, [lpCode], sizeof lpCode, MEM_RELEASE
    invoke VirtualFree, [lpCodeBuffer], sizeof lpCodeBuffer, MEM_RELEASE
    invoke CloseHandle, [hthread]
InLineCode endp


#9 Gene (Universalist, Active Members, 494 posts)

Posted 17 March 2006 - 07:22 AM

    I'm not providing examples. There are very few practical examples to having this functionality and there are a lot more nefarious uses for it. In the real world, I've found very few things that just give you the address of a function and say, "here, push parameters onto the stack and invoke this function". In fact, I can't think of anything off the top of my head that does that (Except GetProcAddress(), but that is what DllCall() does).


Hi Valik, I remember the reasons you gave for not approving of the _Mem functions by @Wouter in terms of base addresses changing with versions. Would you give more detail as to why this sort of thing is a bad idea, for those of us not into C or assembler?

Gene

Edited by Gene, 17 March 2006 - 07:25 AM.

Thanks for the response. Gene. Yes, I know the punctuation is not right...

#10 Valik (Former developer., Active Members, 18,879 posts)

Posted 17 March 2006 - 03:39 PM

The methods used are the exact same methods used to inject foreign code into other processes. Admittedly, without the ability to create a DLL in AutoIt, some of the potential damage is mitigated, however, it can still be abused.

#11 Gene (Universalist, Active Members, 494 posts)

Posted 18 March 2006 - 02:51 AM

    The methods used are the exact same methods used to inject foreign code into other processes. Admittedly, without the ability to create a DLL in AutoIt, some of the potential damage is mitigated, however, it can still be abused.

Thanks.

#12 Richard Robertson (Universalist, Active Members, 9,716 posts)

Posted 18 March 2006 - 03:54 AM

Wow. This is fun. AutoIt's DllCall is much easier than trying to DllCall kernel32 and load things yourself. Although I like dynamically generated code better than dynamically linked code.

#13 WSCPorts (Adventurer, Active Members, 148 posts)

Posted 18 March 2006 - 03:12 PM

Well, you are right in some sense, Valik, but the method used is for "Native Code Execution", not remote DLL injection or process injection.. though the methods are quite similar, the effects are dramatically different :)

I'm only trying to provide what other languages already have. FBSL has it, C++/C and C# have it, why not try it with AutoIt :mellow: What, you think AutoIt can't handle it, or the hacking community will take it over and use it for nefarious purposes... well, why did they think of that when C++ came out.. you know why, b/c in order to manage the greater good some evil has to be used :)

Sources for this blurb are here:
http://www.codeproject.com/dotnet/native_net.asp
This is what I intend to accomplish as a proof of concept, just as FBSL did.. :o
http://www.governmentsecurity.org/forum/lo...php/t16603.html
http://www.fbsl.net

Edited by WSCPorts, 18 March 2006 - 03:13 PM.


#14 Valik (Former developer., Active Members, 18,879 posts)

Posted 18 March 2006 - 03:51 PM

Comparing AutoIt and C++ in this nature is foolish. C++ is a low-level language with access to raw memory. AutoIt isn't, although there are ways to get access to memory nowadays with DllCall() and DllStruct(). Trying to say they intentionally allowed raw memory access even with evil ramifications is just plain ignorance.

If you want to go this route, fine. My personal opinion as stated to the other developers was that I will not be the one responsible for releasing code that will eventually be used for nefarious purposes when at the time of writing the code, I know it can be used that way.

And for the record, I don't give a damn what you call it. It's still the same thing. The same code that allows "native code execution" is the same code that allows "process injection" and other such nice tricks. The only difference is nobody has figured out how to do process injection without a DLL yet (or at least there are no mainstream methods that I have seen).

#15 WSCPorts (Adventurer, Active Members, 148 posts)

Posted 21 March 2006 - 05:37 PM

Heh, sorry for ignoring you Valik, but PURE asm owns C++, and combining their capabilities with AutoIt3 is like the notion set forth by the statement "why didn't Microsoft implement something like AutoIt?" I think one of you developers made that comment.. I'm just going a step further and saying "why didn't we develop something like that" 0_o and if you wanna throw words around saying you're all better at everything, then frankly I don't care to listen, but if you keep your heart beat to a minimum and add your knowledge without poignancy I'm more than willing to listen.

No other comments?? Anyone find it useful?

Edited by WSCPorts, 03 April 2006 - 11:05 PM.


#16 Gerome (Wayfarer, Active Members, 71 posts)

Posted 22 March 2006 - 10:33 PM

Hello,

    Well, you are right in some sense, Valik, but the method used is for "Native Code Execution", not remote DLL injection or process injection.. though the methods are quite similar, the effects are dramatically different :)

    I'm only trying to provide what other languages already have. FBSL has it, C++/C and C# have it, why not try it with AutoIt :mellow: What, you think AutoIt can't handle it, or the hacking community will take it over and use it for nefarious purposes... well, why did they think of that when C++ came out.. you know why, b/c in order to manage the greater good some evil has to be used :)

    Sources for this blurb are here:
    http://www.codeproject.com/dotnet/native_net.asp
    This is what I intend to accomplish as a proof of concept, just as FBSL did.. :>
    http://www.governmentsecurity.org/forum/lo...php/t16603.html
    http://www.fbsl.net

Thanks for having pointed out my language, which can natively interpret and execute ASM opcodes simply :o
You just need raw pointer access and direct API calls and it'll work, but I dunno if AutoIt can manage pointers directly...
Yours, (¯`·._.·[Gerome GUILLEMIN] [Freestyle Basic Script Language Author]·._.·´¯) :: Full SETUP w. HELP :: FBSL official web site. A keyboard is infinitely better as a programming tool than a toaster...

#17 WSCPorts (Adventurer, Active Members, 148 posts)

Posted 01 April 2006 - 06:09 AM

New code, upcoming tests... soon..
Still a bit more to do first, though.
Plain Text

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

      .386                   ; create 32 bit code
      .model flat, stdcall   ; 32 bit memory model
      option casemap:none
      option prologue:none
      option epilogue:none

;    include files
;    ~~~~~~~~~~~~~

    include \masm32\include\windows.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\advapi32.inc

    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib
    includelib \masm32\lib\advapi32.lib

   ; ----------------------------------------
   ; prototypes for local procedures go here
   ; ----------------------------------------

    CopyMemory  PROTO STDCALL :DWORD, :DWORD, :DWORD  ; Workaround for rtlCopyMemory for moving around return values.
    InlineCode  PROTO STDCALL :DWORD                  ; Inline Code injection routine
    GetDbg      PROTO STDCALL                         ; Enables the SE_DEBUG privilege
    GetCPI      PROTO STDCALL :DWORD, :DWORD          ; Gets Current Process_Info

   .data?
        hInstance      dd ?
        hThreadDll     dd ?
        Buffer         db 256 dup(?)
        ThePID         dd ?
        lpProcess      dd ?
        lpBuffer       dd ?
        lpCode         dd ?
        lpCodeBuffer   db 256 dup(?)
        threadid       dd ?
        hthread        dd ?
        lpPID          dd ?
        hwnd           dd ?
        sObject        dd ?
        nBytesWritten  dd ?
        IEvent_Handle  DD ?

   .data
        SE_DEBUG       DB "SeDebugPrivilege",0
        IEvent_Name    DB "WinEvent",0

        CTEXT MACRO y:VARARG
        LOCAL sym, dummy
        dummy EQU $            ;; MASM error fix
        CONST segment
        IFIDNI <y>,<>
        sym db 0
        ELSE
        sym db y,0
        ENDIF
        CONST ends
        EXITM <OFFSET sym>
        ENDM

        EJUMP MACRO TARGET_CODE ; jump when EAX is 0.
        CMP EAX, 0
        JE  TARGET_CODE
        ENDM

        szText MACRO Name, Text:VARARG
        LOCAL lbl
        jmp lbl
        Name db Text,0
        lbl:
        ENDM

        return MACRO arg
        mov eax, arg
        ret
        ENDM

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

.code

LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
     mov eax, TRUE              ; put TRUE in EAX to continue loading the DLL
     ret
LibMain Endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

align DWORD
InvokeFunc PROC STDCALL public, funcptr:DWORD
    pop  ecx            ; save return address
    pop  edx            ; Get function pointer
    push ecx            ; Restore return address
    jmp  edx            ; Transfer control to the function pointer
InvokeFunc endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

align DWORD
InlineCode proc STDCALL public, CodeBuffer:DWORD
    pushad
    invoke GetCurrentProcess
    mov [lpProcess], eax
    push 40                     ; page_execute_readwrite
    push 3000                   ; page mem_commit
    mov ebx, sizeof CodeBuffer
    push ebx
    push DWORD PTR CodeBuffer
    push DWORD PTR lpProcess
    call VirtualAllocEx
    cmp eax, 0
    jz ret1
  ;invoke VirtualAllocEx [lpProcess], [CodeBuffer], sizeof CodeBuffer, MEM_COMMIT, PAGE_EXECUTE_READWRITE
    mov [lpCode], eax
    invoke WriteProcessMemory, [lpProcess], [lpCode], [CodeBuffer], sizeof CodeBuffer, nBytesWritten
    invoke VirtualAllocEx, [lpProcess], [Buffer], sizeof Buffer, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
    mov [lpBuffer], eax
    invoke WriteProcessMemory, [lpProcess], [lpBuffer], [Buffer], sizeof Buffer, nBytesWritten
    invoke CreateThread, 0, 0, [lpCode], addr lpCodeBuffer, 0, threadid
    mov [hthread], eax
    invoke WaitForSingleObject, [hthread], 60000
    mov [sObject], eax
    invoke CopyMemory, [sObject], [lpBuffer], sizeof sObject   ; some marshaling of data here
    invoke VirtualFreeEx, [lpProcess], [lpCode], sizeof lpCode, MEM_RELEASE
    invoke VirtualFreeEx, [lpProcess], [lpCodeBuffer], sizeof lpCodeBuffer, MEM_RELEASE
    invoke CloseHandle, [hthread]
ret1:
    popad
    ret
InlineCode endp

; «««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««

align DWORD
CopyMemory proc uses esi edi, Dest:DWORD, Source:DWORD, mlength:DWORD
;   This routine is provided in place of Visual C's CopyMemory
;   ----------------------------------------------------------
;   It could be developed a little more to move data faster as double words (movsd)
;   but possibly needs checking to ensure we copy the exact number of bytes
;   in the bitmap; this could be an odd number and a possible solution is to
;   copy as many Dwords as possible 1st then any remaining word or byte.
;   Leave this upgrade until later.

    cld                 ; Work upwards
    mov esi, Source     ; Source address
    mov edi, Dest       ; Destination address
    mov ecx, mlength    ; Get size in bytes
    shr ecx, 1          ; Convert to words
    rep movsw           ; repeat copy until all done
    ret
CopyMemory endp

align DWORD
GetDbg PROC                     ; enables the SE_DEBUG privilege for ourself
        LOCAL   token:HANDLE
        LOCAL   priv:TOKEN_PRIVILEGES
        LOCAL   luid:LUID

        INVOKE  LookupPrivilegeValue, 0, OFFSET SE_DEBUG, ADDR luid
        EJUMP   DBE0
        MOV     priv.PrivilegeCount, 01H
        MOV     priv.Privileges.Attributes, 02H
        MOV     EAX, luid.LowPart
        MOV     priv.Privileges.Luid.LowPart, EAX
        MOV     EAX, luid.HighPart
        MOV     priv.Privileges.Luid.HighPart, EAX
        INVOKE  GetCurrentProcess
        MOV     ECX, EAX
        INVOKE  OpenProcessToken, ECX, 020H, ADDR token
        MOV     ECX, token
        CMP     ECX, 0
        JE      DBE0
        INVOKE  AdjustTokenPrivileges, ECX, 0, ADDR priv, 0, 0, 0
        MOV     ECX, EAX
        INVOKE  CloseHandle, token
        MOV     EAX, ECX
DBE0:   RET
GetDbg endp

align DWORD
GetCPI PROC, TRUSTED:DWORD, pProcessInfo:DWORD
       ; This function fills a PROCESS_INFORMATION
       ; structure with the ID and handle of the
       ; required named process and its primary
       ; thread. The tool helper API is used to
       ; retrieve this information.

        LOCAL   p32:PROCESSENTRY32
        LOCAL   t32:THREADENTRY32
        LOCAL   hShot:DWORD

        MOV     p32.dwSize, SIZEOF PROCESSENTRY32
        MOV     t32.dwSize, SIZEOF THREADENTRY32

        INVOKE  GetDbg                      ; we need SE_DEBUG first

       ; Create a snapshot of all processes and
       ; threads. 06H is the appropriate bitmask
       ; for this purpose, look it up if you
       ; dont trust me.

        INVOKE  CreateToolhelp32Snapshot, 06H, 0
        MOV     hShot, EAX

       ; Start to search for the trusted process.
       ; We will compare the name of the process'
       ; primary module with the string buffer
       ; TRUSTED until we find a match.

        INVOKE  Process32First, hShot, ADDR p32
        CMP     EAX, 0
        JE      GSE1
GSL:    LEA     EDX, p32.szExeFile
        INVOKE  lstrcmpi, EDX, TRUSTED
        CMP     EAX, 0                      ; lstrcmpi is not case sensitive!
        JE      GSL1                        ; good, we found the process
        INVOKE  Process32Next, hShot, ADDR p32
        CMP     EAX, 0                      ; no more processes,
        JE      GSE1                        ; no success
        JMP     GSL                         ; otherwise, continue loop

       ; We have found an instance of the trusted
       ; process, continue to retrieve information
       ; about its primary thread and gain an open
       ; handle to both the process itself and the
       ; thread. To find the thread, we have to
       ; loop through all thread entries in our
       ; snapshot until we discover a thread that
       ; has been created by the process we found.

GSL1:   INVOKE  Thread32First, hShot, ADDR t32
        MOV     EBX, 0
TSL:    MOV     EDX, t32.th32OwnerProcessID
        CMP     EDX, p32.th32ProcessID
        JE      TSL0
        INVOKE  Thread32Next, hShot, ADDR t32
        CMP     EAX, 0                      ; no more threads (weird),
        JE      GSE1                        ; no success
        JMP     TSL                         ; otherwise, continue loop

       ; Now, since we have got the ID's of both
       ; the process itself and the primary thread,
       ; use OpenProcess() and OpenThread() to
       ; get a handle to both of them. You are right,
       ; OpenThread is NOT a documented call, but
       ; it looks like that was rather an accident.
       ; It is exported by kernel32.dll just like
       ; OpenProcess().

TSL0:   MOV     EDX, pProcessInfo           ; the structure address
        MOV     EAX, p32.th32ProcessID      ; copy the process ID
        MOV     [EDX+08H], EAX
        MOV     EAX, t32.th32ThreadID       ; copy the thread ID
        MOV     [EDX+0CH], EAX
        PUSH    EDX                         ; save the address

        INVOKE  OpenProcess, PROCESS_ALL_ACCESS, \
                0, p32.th32ProcessID
        CMP     EAX, 0
        JE      GSE1
        MOV     EBX, EAX

        INVOKE  OpenThread, THREAD_ALL_ACCESS, 0, \
                t32.th32ThreadID
        CMP     EAX, 0
        JE      GSE1

        POP     EDX                         ; restore the address
        MOV     [EDX], EBX                  ; copy the process handle
        MOV     [EDX+04H], EAX              ; copy the thread handle

        PUSH    1                           ; success
        JMP     GSE0

GSE1:   PUSH    0                           ; failure
GSE0:   CMP     hShot, 0
        JE      GSE
        INVOKE  CloseHandle, hShot          ; cleanup
GSE:    POP     EAX                         ; pop the return value to EAX
        RET                                 ; that's it.
GetCPI endp

end LibMain


The definition file, Invoke.def:

LIBRARY invoke
EXPORTS
    InvokeFunc
    InlineCode
    GetCPI
    GetDbg
    CopyMemory


The makefile.bat, built in MASM32 v9, Hutch's version |good luck finding that| :)

@echo off
if exist invoke.obj del invoke.obj
if exist invoke.dll del invoke.dll
\masm32\bin\ml /c /coff invoke.asm
\masm32\bin\Link /SUBSYSTEM:WINDOWS /DLL /DEF:invoke.def invoke.obj
dir invoke.*
pause


1 question: would any of you be interested in a modularized implementation of Tsongkie's Trainer Engine Part 3 in a separate DLL, or in this one along with all the other functions.. I also plan to make a sister DLL that initializes a GUI edit box with a button for direct execution of asm. I'm gonna try and mimic all the functionality of MASM commands I can, so bear with me as I go through these preliminary mapping stages.. and hack out some examples.
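A static triage check for the two DllCall patterns this thread shows, the LoadLibrary/GetProcAddress pointer handoff into Invoke.dll from post #1 and the allocate/write/create-thread primitives in post #17's InlineCode routine (the mechanism Valik calls out in #14), written as an added example that is not code from the thread or any poster. It assumes AutoIt3 source text as input; the regexes, finding strings and the three sample scripts are constructed for this illustration and report things to review, not verdicts.

```python
"""Static triage of AutoIt3 scripts for the DllCall patterns in this thread.

Heuristic only: it reports chains a reviewer should look at, not verdicts.
"""
import re
from typing import Dict, List, Tuple

# $h = DllOpen("name.dll")   -> remember which variable holds which DLL
DLLOPEN_RE = re.compile(
    r'(?P<var>\$\w+)\s*=\s*DllOpen\s*\(\s*"(?P<dll>[^"]+)"\s*\)', re.IGNORECASE)
# DllCall($h | "name.dll", "<ret type>", "<function>", ...   (arguments ignored)
DLLCALL_RE = re.compile(
    r'DllCall\s*\(\s*(?:(?P<var>\$\w+)|"(?P<dll>[^"]+)")\s*,\s*"[^"]*"\s*,\s*"(?P<func>\w+)"',
    re.IGNORECASE)

SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}
# Primitives named in this thread's InlineCode / GetCPI routines
ALLOC = {"virtualalloc", "virtualallocex"}
WRITE = {"writeprocessmemory"}
THREAD = {"createthread"}


def extract_dllcalls(source: str) -> List[Tuple[str, str]]:
    """Return (dll, function) per DllCall, with DllOpen handles resolved and
    the ANSI/Unicode suffix (LoadLibraryA, MessageBoxW) stripped."""
    handles: Dict[str, str] = {}
    calls: List[Tuple[str, str]] = []
    for line in source.splitlines():
        for m in DLLOPEN_RE.finditer(line):
            handles[m.group("var").lower()] = m.group("dll").lower()
        for m in DLLCALL_RE.finditer(line):
            dll = m.group("dll") or handles.get(m.group("var").lower(), "<unresolved>")
            func = re.sub(r"[AW]$", "", m.group("func")).lower()
            calls.append((dll.lower(), func))
    return calls


def assess(calls: List[Tuple[str, str]]) -> List[str]:
    """Turn the call list into human-readable findings, most significant first."""
    funcs = {f for _, f in calls}
    findings: List[str] = []
    if {"loadlibrary", "getprocaddress"} <= funcs:
        findings.append("dynamic resolution: LoadLibrary + GetProcAddress "
                        "(the real callee is a raw pointer, not a DllCall name)")
    for dll in sorted({d for d, _ in calls if d not in SYSTEM_DLLS}):
        findings.append(f"non-system DLL called via DllCall: {dll}")
    if funcs & ALLOC and funcs & WRITE and funcs & THREAD:
        findings.append("allocate/write/create-thread chain (process-injection primitives)")
    if "openprocess" in funcs:
        findings.append("OpenProcess: a handle to another process is requested")
    return findings


def scan(source: str) -> List[str]:
    return assess(extract_dllcalls(source))


# Constructed sample 1: the Invoke.dll script from post #1, condensed.
SAMPLE_INVOKE = '''
$hKrnl = DllOpen("kernel32.dll")
$LibHandle = DllCall($hKrnl, "int", "LoadLibraryA", "str", "User32.dll")
$ProcessAddy = DllCall($hKrnl, "int", "GetProcAddress", "int", $LibHandle[0], "str", "MessageBoxW")
$DllInvoke = DllOpen("Invoke.dll")
$Result = DllCall($DllInvoke, "int", "InvokeFunc", "int", $ProcessAddy[0], "int", 0, "wstr", "Hello World", "wstr", "dynamic invocation", "int", 1)
'''

# Constructed sample 2: post #17's InlineCode sequence expressed as DllCall
# lines (argument values are placeholders; only the API names matter here).
SAMPLE_INJECT = '''
$hProc = DllCall("kernel32.dll", "int", "OpenProcess", "int", $access, "int", 0, "int", $pid)
$pMem = DllCall("kernel32.dll", "ptr", "VirtualAllocEx", "int", $hProc[0], "ptr", 0, "int", $size, "int", $type, "int", $prot)
$ok = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $hProc[0], "ptr", $pMem[0], "ptr", $buf, "int", $size, "ptr", 0)
$hThr = DllCall("kernel32.dll", "int", "CreateThread", "ptr", 0, "int", 0, "ptr", $pMem[0], "ptr", 0, "int", 0, "ptr", 0)
'''

# Constructed sample 3: an ordinary direct DllCall, which should stay quiet.
SAMPLE_BENIGN = 'DllCall("user32.dll", "int", "MessageBoxW", "hwnd", 0, "wstr", "Hi", "wstr", "Title", "int", 0)'

if __name__ == "__main__":
    for name, src in (("invoke", SAMPLE_INVOKE), ("inject", SAMPLE_INJECT), ("benign", SAMPLE_BENIGN)):
        print(name, "->", scan(src) or ["no findings"])
```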

#18 jackyyll (Polymath, Active Members, 214 posts)

Posted 08 April 2006 - 04:47 AM

This is very interesting :think: So basically, this is DLL injection, correct? Commonly used in game hacks?

#19 WSCPorts (Adventurer, Active Members, 148 posts)

Posted 08 April 2006 - 05:08 AM

So basically, no it isn't.. it's a code cave runner.. which can load and unload DLLs dynamically.. well, that's at least what it's supposed to do... :think:

#20 jackyyll (Polymath, Active Members, 214 posts)

Posted 08 April 2006 - 06:08 AM

This is also interesting... :think: And very useful for things... Yes.. that's it.. 'things'... Any information on what some of the stuff does? It's still a little blurry :(

Edited by jackyyll, 08 April 2006 - 06:09 AM.
