Sign in to follow this  
Followers 0

Writing into process using injection

10 posts in this topic

Posted (edited)

I am attempting to write ASM into the currently running process using my AutoIT script. However, I am running into some weird problems that I honestly cannot understand correctly.

Firstly, here is my code for injecting into the process:

Func Run_ASM2($hWnd)
    Dim $i, $tmp_Addr, $RThwnd, $h, $pid
    ConsoleWrite($AsmCode)
    ReDim $AsmCode[StringLen($OPcode) / 2 - 1]
    For $i = 0 To UBound($AsmCode)
        $AsmCode[$i] = Int("0x" & StringMid($OPcode, $i * 2 + 1, 2))
    Next
    GetWindowThreadProcessId($hWnd, $pid)
    $h = OpenProcess($PROCESS_ALL_ACCESS, False, $pid)
    $tmp_Addr = VirtualAllocEx($h, 0, UBound($AsmCode) + 1, $MEM_COMMIT2, $PAGE_EXECUTE_READWRITE2)
    WriteProcessMemory($h, $tmp_Addr, VarPtr($AsmCode[0]), UBound($AsmCode) + 1, 0)
    $RThwnd = CreateRemoteThread($h, 0, 0, $tmp_Addr, 0, 0, 0)
    VirtualFreeEx($h, $tmp_Addr, UBound($AsmCode) + 1, $MEM_RELEASE2)
    CloseHandle($RThwnd)
    CloseHandle($h)
    $OPcode = ""
EndFunc   ;==>Run_ASM2

Before injecting into the code I first find a high and loword that will be pushed into the process:

$tInt64 = DllStructCreate('int64')
    DllStructSetData($tInt64, 1, $iValue)
    $tHiLo = DllStructCreate('dword;dword', DllStructGetPtr($tInt64))
    ConsoleWrite('Hi DWord = 0x' & Hex(DllStructGetData($tHiLo, 2)) & @CR)
    ConsoleWrite('Lo DWord = 0x' & Hex(DllStructGetData($tHiLo, 1)) & @CR)
$dHiWord = Hex(DllStructGetData($tHiLo, 2))
    $dLoWord = Hex(DllStructGetData($tHiLo, 1))

Following that I call functions that create my opcodes:

MOV_EAX($dHiWord)
    PUSH_EAX()
    MOV_EAX($dLoWord)
    PUSH_EAX()
    MOV_EAX(0x004C9AA0) ;move the address into EAX register
    CALL_EAX();call the function located at EAX register using the guid we just pushed on the stack
    Add_ESP(0x08)
    Ret()
    Run_ASM2($hWnd)

And an example of one of the push functions and the MOV function that puts my hi and lo onto the stack:

Func Push_EAX()
    $OPcode = $OPcode + "50"
EndFunc   ;==>Push_EAX

Func Mov_EAX($i)
    $OPcode = $OPcode + "B8" + Int2Hex($i, 8)
EndFunc   ;==>Mov_EAX

Func Int2Hex($Value, $n) ;?????
    Dim $tmp1, $tmp2, $i
    $tmp1 = StringRight("0000000" + Hex($Value), $n)
    For $i = 0 To StringLen($tmp1) / 2 - 1
        $tmp2 = $tmp2 + StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
    Next
    $Int2Hex = $tmp2
EndFunc   ;==>Int2Hex

However, there are two major problems that are showing up:

1. if i insert a MsgBox(0,"test it", $OPcode) under the first MOV_EAX function call, I am returned with 0. I tried substituting $dHiWord with DllStructGetData($tHiLo, 2) (an int) but it still returns 0.. ?? strange

2. get a compilation error: ==> Array variable subscript badly formatted.:

ReDim $AsmCode[stringLen($OPcode) / 2 - 1]

ReDim $AsmCode[^ ERROR

Any ideas about what is going on here?

Edited by mavor

Share this post


Link to post
Share on other sites



Posted

Re 2. I don't think AutoIt will evaluate a function within an array index, help file says

"The index number can also be substituted by another variable or an expression, so you can build complex ways to assign or access elements in an array."

so, try a dummy variable:

$dummy = StringLen($OPcode) / 2 - 1

ReDim $AsmCode[$dummy]

cheers,

whim

Share this post


Link to post
Share on other sites

Posted

Ok the dummy variable didn't help.. still dieing at wherever we call Strlen. So I checked it out and for some reason the OPcode is not being written properly... like I said, every time i tested the value after doing a MOV or etc.. function the OPcode would stay at 0 Except for when it had a number like " +50" added to it.

Any idea why the OPcode is not being updated correctly?

Share this post


Link to post
Share on other sites

Posted

The badly formatted array error message is because the math expression results into -1 so ReDim $aArr[-1] produces this error. I've looked into the Mov_EAX and Push_EAX functions and it's not visible whether the $OPCode variable should contain a number variable or a binary string. Perhaps the +'s there should be &'s?

Share this post


Link to post
Share on other sites

Posted

Here i have attached the full ASMinjection file (functions for injection). Perhaps you can see what it is expecting now?

ASMinjection.au3

Share this post


Link to post
Share on other sites

Posted

Seems like this library is a mess. MulDiv is expecting 3 parameters and not a pointer. I guess that this library is quite old and was targeting one of the AutoIt versions prior to version 3 but I don't know. The context the pluses are used in the library seems to me like in a concatenation context.

Share this post


Link to post
Share on other sites

Posted

Hmm do you know of any other AIT3 injection libraries? This was what I pulled up after searching around for awhile.

Share this post


Link to post
Share on other sites

Posted (edited)

Hot. I'm going to get into that and report my results later on. Thanks for the heads up : )

Edit** Looks really good but... that is for running a .dll in its own memory space correct? However, I must run this opcode from within the process (injection) maybe by using a remote thread? Do you see what I mean?

Please share any ideas you have getting a .dll from that inline ASM library injected via remote thread into my $Pid .. i think my knowledge of this stuff is falling a bit short ;)

Edited by mavor

Share this post


Link to post
Share on other sites

Posted

lol, oh here it is, thanks monoceres ;). The example is quite 1:1 but you can use Ward's inline assembly UDF by first allocating the necessary code and data blocks and then write the machine code using AsmAdd(). Look how monoceres did the calculation and do accordingly.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0