Writing into process using injection


mavor

I am attempting to write ASM into the currently running process using my AutoIT script. However, I am running into some weird problems that I honestly cannot understand correctly.

Firstly, here is my code for injecting into the process:

Func Run_ASM2($hWnd)
    Dim $i, $tmp_Addr, $RThwnd, $h, $pid
    ConsoleWrite($AsmCode)
    ReDim $AsmCode[StringLen($OPcode) / 2 - 1]
    For $i = 0 To UBound($AsmCode)
        $AsmCode[$i] = Int("0x" & StringMid($OPcode, $i * 2 + 1, 2))
    Next
    GetWindowThreadProcessId($hWnd, $pid)
    $h = OpenProcess($PROCESS_ALL_ACCESS, False, $pid)
    $tmp_Addr = VirtualAllocEx($h, 0, UBound($AsmCode) + 1, $MEM_COMMIT2, $PAGE_EXECUTE_READWRITE2)
    WriteProcessMemory($h, $tmp_Addr, VarPtr($AsmCode[0]), UBound($AsmCode) + 1, 0)
    $RThwnd = CreateRemoteThread($h, 0, 0, $tmp_Addr, 0, 0, 0)
    VirtualFreeEx($h, $tmp_Addr, UBound($AsmCode) + 1, $MEM_RELEASE2)
    CloseHandle($RThwnd)
    CloseHandle($h)
    $OPcode = ""
EndFunc   ;==>Run_ASM2

Before injecting the code I first find the high and low word that will be pushed into the process:

$tInt64 = DllStructCreate('int64')
DllStructSetData($tInt64, 1, $iValue)
$tHiLo = DllStructCreate('dword;dword', DllStructGetPtr($tInt64))
ConsoleWrite('Hi DWord = 0x' & Hex(DllStructGetData($tHiLo, 2)) & @CR)
ConsoleWrite('Lo DWord = 0x' & Hex(DllStructGetData($tHiLo, 1)) & @CR)
$dHiWord = Hex(DllStructGetData($tHiLo, 2))
$dLoWord = Hex(DllStructGetData($tHiLo, 1))

Following that I call functions that create my opcodes:

MOV_EAX($dHiWord)
PUSH_EAX()
MOV_EAX($dLoWord)
PUSH_EAX()
MOV_EAX(0x004C9AA0) ; move the address into the EAX register
CALL_EAX() ; call the function located at the EAX register using the guid we just pushed on the stack
Add_ESP(0x08)
Ret()
Run_ASM2($hWnd)

And an example of one of the push functions and the MOV function that puts my hi and lo onto the stack:

Func Push_EAX()
    $OPcode = $OPcode + "50"
EndFunc   ;==>Push_EAX

Func Mov_EAX($i)
    $OPcode = $OPcode + "B8" + Int2Hex($i, 8)
EndFunc   ;==>Mov_EAX

Func Int2Hex($Value, $n) ;?????
    Dim $tmp1, $tmp2, $i
    $tmp1 = StringRight("0000000" + Hex($Value), $n)
    For $i = 0 To StringLen($tmp1) / 2 - 1
        $tmp2 = $tmp2 + StringMid($tmp1, StringLen($tmp1) - 1 - 2 * $i, 2)
    Next
    $Int2Hex = $tmp2
EndFunc   ;==>Int2Hex

However, there are two major problems that are showing up:

1. If I insert a MsgBox(0, "test it", $OPcode) under the first MOV_EAX function call, I get 0 back. I tried substituting $dHiWord with DllStructGetData($tHiLo, 2) (an int) but it still returns 0... strange.

2. I get a compilation error: ==> Array variable subscript badly formatted.:

ReDim $AsmCode[stringLen($OPcode) / 2 - 1]

ReDim $AsmCode[^ ERROR

Any ideas about what is going on here?


Re 2. I don't think AutoIt will evaluate a function within an array index, help file says

"The index number can also be substituted by another variable or an expression, so you can build complex ways to assign or access elements in an array."

so, try a dummy variable:

$dummy = StringLen($OPcode) / 2 - 1

ReDim $AsmCode[$dummy]

cheers,

whim


OK, the dummy variable didn't help... it still dies wherever we call StringLen. So I checked it out, and for some reason the OPcode is not being written properly. Like I said, every time I tested the value after doing a MOV or similar function, the OPcode would stay at 0, except for when it had a number like "+50" added to it.

Any idea why the OPcode is not being updated correctly?


The badly formatted array error message is because the math expression results in -1, so ReDim $aArr[-1] produces this error. I've looked into the Mov_EAX and Push_EAX functions and it's not visible whether the $OPCode variable should contain a number or a binary string. Perhaps the +'s there should be &'s?


Seems like this library is a mess. MulDiv is expecting 3 parameters and not a pointer. I guess that this library is quite old and was targeting one of the AutoIt versions prior to version 3, but I don't know. The context in which the pluses are used in the library looks like concatenation to me.

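To make the two diagnoses above concrete (the + operator coercing the hex strings to numbers, and the ReDim size coming out at -1 or one byte short), here is an added model written in Python; it is not code from the thread or from the AutoIt ASM library being used. The autoit_number helper is an assumption about AutoIt's implicit coercion (only a leading decimal or 0x-prefixed prefix counts, anything else gives 0), and MOV_EAX is fed an integer address rather than the Hex() string the original passes.

```python
import re

# Constructed model of AutoIt's implicit string-to-number coercion (assumption):
# a leading decimal or 0x-prefixed hex prefix is taken, anything else yields 0.
NUM_PREFIX = re.compile(r"\s*(0x[0-9A-Fa-f]+|[-+]?\d+)")

def autoit_number(v):
    if isinstance(v, (int, float)):
        return v
    m = NUM_PREFIX.match(v)
    if not m:
        return 0
    t = m.group(1)
    return int(t, 16) if t.lower().startswith("0x") else int(t)

def autoit_plus(a, b):      # what $OPcode + "B8" really does: numeric addition
    return autoit_number(a) + autoit_number(b)

def autoit_concat(a, b):    # what & does: string concatenation
    return str(a) + str(b)

def int2hex_le(value, n=8):
    """Int2Hex done with concatenation: zero-pad to n hex digits, emit bytes little-endian."""
    padded = ("0000000" + format(value & 0xFFFFFFFF, "X"))[-n:]
    return "".join(padded[i:i + 2] for i in range(len(padded) - 2, -1, -2))

def build_opcode(op, steps):
    """Replay the thread's MOV_EAX / PUSH_EAX calls with the chosen operator."""
    acc = ""
    for name, arg in steps:
        if name == "MOV_EAX":
            acc = op(op(acc, "B8"), int2hex_le(arg))
        elif name == "PUSH_EAX":
            acc = op(acc, "50")
    return acc

def redim_size(opcode):
    """(size the OP's ReDim computes via StringLen / 2 - 1, byte count actually needed)"""
    s = str(opcode)
    return int(len(s) / 2 - 1), len(s) // 2

STEPS = [("MOV_EAX", 0x004C9AA0), ("PUSH_EAX", None)]   # constructed, from the thread's sequence

if __name__ == "__main__":
    print(build_opcode(autoit_plus, STEPS))    # 50: "B8" and the address coerce to 0, "50" survives
    print(build_opcode(autoit_concat, STEPS))  # B8A09A4C0050: the intended hex string
    print(redim_size(""), redim_size("B8A09A4C0050"))
```

With + the accumulator ends up as the number 50, which is exactly the "stays at 0 except for +50" symptom, and an empty $OPcode makes the ReDim expression -1; even with & the expression is one short of the byte count.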

Hot. I'm going to get into that and report my results later on. Thanks for the heads up : )

Edit** Looks really good but... that is for running a .dll in its own memory space, correct? However, I must run this opcode from within the process (injection), maybe by using a remote thread? Do you see what I mean?

Please share any ideas you have for getting a .dll from that inline ASM library injected via remote thread into my $Pid... I think my knowledge of this stuff is falling a bit short ;)

