DLL Injection

[Hdx]

Does anyone have any suggestions on how I can make a 'persistent' dll?
What I mean is a situation like this:
I inject my dll into ProcessA
ProcessA creates ProcessB
My DLL Auto-Injects into ProcessB

Right now I'm simply using the CreateProcess(target, start_stopped)
CreateRemoteThread(my dll)
ResumeThread(target thread) Mehtod.

On a slightly unrelated note, Anyone happen to know how to get the size of a process in memory? [exa: I want to search only X Process's memory space]

[Warrior]

On a slightly unrelated note, Anyone happen to know how to get the size of a process in memory? [exa: I want to search only X Process's memory space]

Not quite sure what you mean, all process memory is isolated from each other. It's not like you can accidentally spill over into another processes memory.

[Hdx]

Well, Basically say I was wanting to search for a string in a processe's memory. It could be at the start, could be at the vary end, could be in the middle.
Problem is, The process could be 10 bytes, or 10gbs... Kinda help to figure out how far I should search.

[Skywing]

Use VirtualQueryEx iteratively to build a map describing process address space, then scan the readable regions.

Note that the process address space may mutate while you do this, and while you do your reading, so be prepared to handle this case.

- S

[iago]

Does anyone have any suggestions on how I can make a 'persistent' dll?
What I mean is a situation like this:
I inject my dll into ProcessA
ProcessA creates ProcessB
My DLL Auto-Injects into ProcessB

Well, you can hook the CreateProcess() (and related) functions.

Or, you can use SetWindowsHookEx() function to hook all processes, then check if it's the one you want.

Hope that helps!

[Hdx]

I'm replacing each instance in-memory of "call    ds:CreateProcessW" with "call MyFunc"
EXA:
"FF 15 64 62 89 00" -> "90 E8 ** ** ** **" where **'s are my function's address
 

Code: [Select]

char* CreateWPatch  = "\x90\xE8\x00\x00\x00\x00";
  WriteMemory(CreateWPatch+2, &CreateProcessWHook, 4);
    if(!memcmp((void*)(gwStart + x), CreateWSearch,  6)) WriteMemory((void*)(gwStart + x),     CreateWPatch, 6);It *should* be working right........

Anyways, I got it to write everything correctly, but it isn't liking it...
I'm doing my testing using guild wars as it has a good error reporting system.

Code: [Select]

*--> Crash <--*
Exception: c000001d
App: Gw.exe
ProgramId: 1
Build: 25526
When: 4/5/2008 20:17:19
Flags: 0

*--> System <--*
Name: GOLIATH
IpAddr: 192.168.0.4
Processors: 1 [GenuineIntel:15:3:3]
OSVersion: 5.1

*--> Thread 0xfffffffe <--*
eax=017af62f ebx=031b0020 ecx=017af11c edx=017af674 esi=017af8a0 edi=00000000
eip=005d65e8 esp=017aecd4 ebp=017af684
cs=10203 ss=001b ds=0023 es=0023 fs=0023 gs=003b efl=00000000

eax-32 017AF60C  00000000 00000000 00000000 00000000
eax-16 017AF61C  00000001 021a003c 002620a0 002620a0
eax +0 017AF62C  00040000 00000000 00000000 00000000
eax+16 017AF63C  00000000 00000000 00000000 00000000
eax+32 017AF64C  00000000 00000000 00000000 00000000
eax+48 017AF65C  00000000 00000000 00000000 00000000
ebx-32 031B0000  00150050 00150050 00000000 00000000
ebx-16 031B0010  007b3000 007b3000 00000d50 00000b00
ebx +0 031B0020  00905a4d 00000003 00000004 0000ffff
ebx+16 031B0030  000000b8 00000000 00000040 00000000
ebx+32 031B0040  00000000 00000000 00000000 00000000
ebx+48 031B0050  00000000 00000000 00000000 000000f8
ecx-32 017AF0FC  017af60c 00000000 00000000 00000000
ecx-16 017AF10C  00000000 00000000 00000000 00000000
ecx +0 017AF11C  00460022 005c003a 00610047 0065006d
ecx+16 017AF12C  005c0073 00750047 006c0069 00200064
ecx+32 017AF13C  00610057 00730072 0047005c 002e0077
ecx+48 017AF14C  006d0074 00220070 00000000 00000000
edx-32 017AF654  00000000 00000000 00000000 00000000
edx-16 017AF664  00000000 00000000 00000000 00000000
edx +0 017AF674  00000000 00000000 00000000 00000000
edx+16 017AF684  017afab4 0059d74e 029f004c 0018910c
edx+32 017AF694  00000003 00000003 00000004 00000003
edx+48 017AF6A4  00000004 00000003 00000004 00770047
esi-32 017AF880  00000104 017afab0 0058cfea 00000000
esi-16 017AF890  00d3dd24 009d17dc 00000000 029f004c
esi +0 017AF8A0  003a0046 0047005c 006d0061 00730065
esi+16 017AF8B0  0047005c 00690075 0064006c 00570020
esi+32 017AF8C0  00720061 005c0073 00770047 0074002e
esi+48 017AF8D0  0070006d 00000000 00000000 7c90d37c

*--> Code <--*
005D65C8  038b0d38 6da200c1 e2058d44 02e08945 ...8m......D...E
005D65D8  fc890841 890d386d a2008bce c74004ff ...A..8m.....@..
005D65E8  ffffffe8 e045fbff 8b4dfc8b f883c10c .....E...M......
005D65F8  478b4104 3bf8760b 8d510c52 5057e885 G.A.;.v..Q.RPW..
005D6608  62fbff6a 00508b45 fc8d480c e8072de5 b..j.P.E..H...-.
005D6618  ff8b4dfc 8d410c8b 490c894d f48d1479 ..M..A..I..M...y

*--> Trace <--*
Pc:005d65e8 Fr:017af684 Rt:0059d74e Arg:029f004c 0018910c 00000003 00000003
Pc:0059d74e Fr:017afab4 Rt:007d705c Arg:017afacc 00000000 00000000 00000002
Pc:007d705c Fr:017afcf0 Rt:007d6e5b Arg:00000000 00000000 0018b4e8 00000000
Pc:007d6e5b Fr:017afd34 Rt:007d396b Arg:00000000 00000000 00000000 00000000
Pc:007d396b Fr:017afd4c Rt:00404066 Arg:00000000 00000000 017afda0 0018b4b4
Pc:00404066 Fr:017afd6c Rt:005ee174 Arg:00000004 00179850 0018b4e8 00000002
Pc:005ee174 Fr:017afdac Rt:005e8666 Arg:0017989c 0018b4a8 0000044c 0018b4e8
Pc:005e8666 Fr:017afde8 Rt:005e86ff Arg:0000044c 00000000 00000000 00000001
Pc:005e86ff Fr:017afe2c Rt:005e8385 Arg:00000001 00179850 8000005d 00000001
Pc:005e8385 Fr:017afe64 Rt:005e7e61 Arg:017aff20 017aff1c ffffffff 00000001
Pc:005e7e61 Fr:017aff14 Rt:005a3582 Arg:005e7ce0 00000001 00000001 ffffffff
Pc:005a3582 Fr:017aff34 Rt:005a71db Arg:7c913f50 0015ffc0 00177d38 00369e99
Pc:005a71db Fr:017aff68 Rt:005a1156 Arg:00000001 7c913f50 00177d38 00177d38
Pc:005a1156 Fr:017aff80 Rt:0080cf0e Arg:0015ffc0 7c913f50 ffffffff 00177d38
Pc:0080cf0e Fr:017affb4 Rt:7c80b713 Arg:00177d38 7c913f50 ffffffff 00177d38
Pc:7c80b713 Fr:017affec Rt:00000000 Arg:0080ceaf 00177d38 00000000 027af690

*--> Stack <--*
017AECD4  0059d8fd 017af8a0 017af11c 00000000 ..Y...z...z.....
017AECE4  00000000 00000000 00000000 00000000 ................
017AECF4  00000000 017af630 017af674 007b22b0 ....0.z.t.z.."{.
017AED04  00000000 031b0020 00460022 005c003a .... ...".F.:.\.
017AED14  00610047 0065006d 005c0073 00750047 G.a.m.e.s.\.G.u.
017AED24  006c0069 00200064 00610057 00730072 i.l.d. .W.a.r.s.
017AED34  0047005c 002e0077 006d0074 00220070 \.G.w...t.m.p.".
017AED44  00000000 00000008 017aed80 00260000 ..........z...&.
017AED54  7c910202 00000045 00261378 00260000 ...|E...x.&...&.
017AED64  002620a0 017aed58 00000040 017aef9c . &.X.z.@.....z.
017AED74  7c90e900 7c910208 ffffffff 7c910202 ...|...|.......|
017AED84  7c91017b 7c9101bb 00000000 017af2d0 {..|...|......z.
017AED94  017af2a8 00000008 00000039 00000008 ..z.....9.......
017AEDA4  00000038 00000008 00000037 00000008 8.......7.......
017AEDB4  00000036 00000008 00000035 00000008 6.......5.......
017AEDC4  00000034 00000008 00000033 00000008 4.......3.......
017AEDD4  00000032 00000008 00000031 00000008 2.......1.......
017AEDE4  00000030 00000008 0000002f 00000008 0......./.......
017AEDF4  0000002e 00000008 0000002d 00000008 ........-.......
017AEE04  0000002c 00000008 0000002b 00000008 ,.......+.......
017AEE14  0000002a 00000008 00000029 00000008 *.......).......
017AEE24  00000028 00000008 00000027 00000008 (.......'.......
017AEE34  00000025 00000008 00000024 00000008 %.......$.......
017AEE44  00000023 00000008 00000022 00000008 #.......".......
017AEE54  00000021 00000008 00000020 00000008 !....... .......
017AEE64  0000001f 00000008 0000001e 00000008 ................
017AEE74  0000001d 00000008 0000001c 00000008 ................
017AEE84  0000001b 00000008 0000001a 00000008 ................
017AEE94  00000019 00000008 00000018 00000008 ................
017AEEA4  00000017 00000008 00000016 00000008 ................
017AEEB4  00000014 7c910415 7c91041e 017af22c .......|...|,.z.
017AEEC4  00020024 017af018 00000002 017aeef0 $.....z.......z.
017AEED4  7ffdf000 7c901000 017aeec0 00000000 .......|..z.....
017AEEE4  017aef90 7c90e900 7c910440 7c97d600 ..z....|@..|...|
017AEEF4  7c914029 7c91401c 00000208 017af2d0 )@.|.@.|......z.
017AEF04  017af2a8 00000034 00000009 00000008 ..z.4...........
017AEF14  00000008 00000008 017af022 00000008 ........".z.....
017AEF24  0000001a 00000002 00360034 017af8a0 ........4.6...z.
017AEF34  00000000 00000008 017af8a0 00000000 ..........z.....
017AEF44  02080034 00000045 46000001 00000034 4...E......F4...
017AEF54  00000000 00000003 017af058 00000000 ........X.z.....
017AEF64  01000100 017af024 43000100 00000000 ....$.z....C....
017AEF74  00000000 017af8d4 7c910415 7c91041e ......z....|...|
017AEF84  00007c9e 017aeefc 017af2a8 017af23c .|....z...z.<.z.
017AEF94  7c90e900 017af2d0 00000008 017af24c ...|..z.....L.z.
017AEFA4  7c914202 002620a8 017af024 7c910440 .B.|. &.$.z.@..|
017AEFB4  7c97d600 7c9142c7 7c91428f 00000000 ...|.B.|.B.|....
017AEFC4  017af8a0 017af8a0 00000002 0000001e ..z...z.........
017AEFD4  ffffffff 7c910202 00000000 000a0008 .......|........
017AEFE4  7c91405c 0000021a 00000000 7c910202 \@.|...........|
017AEFF4  7c91017b 7c9101bb 00000034 00000000 {..|...|4.......
017AF004  017af53c ffffffff 00360034 017af8a0 <.z.....4.6...z.
017AF014  017af024 00000002 002620a0 01000058 $.z...... &.X...
017AF024  003a0046 0047005c 006d0061 00730065 F.:.\.G.a.m.e.s.
017AF034  0047005c 00690075 0064006c 00570020 \.G.u.i.l.d. .W.
017AF044  00720061 005c0073 00770047 0074002e a.r.s.\.G.w...t.
017AF054  0070006d 00000000 00000000 00000000 m.p.............
017AF064  00000000 00000000 00000000 00000000 ................
017AF074  00000000 00000000 00000000 00000000 ................
017AF084  00000000 00000000 00000000 00000000 ................
017AF094  00000000 00000000 00000000 00000000 ................
017AF0A4  00000000 00000000 00000000 00000000 ................
017AF0B4  017af0e8 00260000 7c910202 00000045 ..z...&....|E...
017AF0C4  00261378 00260000 002620a0 017af0c0 x.&...&.. &...z.

*--> LogQueue <--*

[iago]

You should just replace the first 5 bytes of the actual function, in the kernel32.dll import. Then you only have to do it once, and it won't be picked up by memory checksums either, since you're only modifying imported code.

[Hdx]

Only problem with that is I 1) Don't know exactly what i'd be overwriting 2) Need to use CreateProcess... Though I could try calling Address+5 and see what that does....

Humm..... CreateProcessInternal

Also, Do you have any clue why WriteProcessMemory and mpmcpy would have diff offsets?
[EXA:]
HMODULE m = GetModuleHandle("Kernel32.dll");
WriteProcessMemory(m, 100, "\x0", 1, 0);
is not
mpmcpy(m+100, "\x0", 1);??

Code: [Select]

  HMODULE gwStart = GetModuleHandleA(0);
  char* CreateAPatch  = "\xE8\x00\x00\x00\x00";
  char* CreateWPatch  = "\xE8\x00\x00\x00\x00";
  WriteMemory(CreateWPatch+1, &CreateProcessWHook, 4);
  WriteMemory(CreateAPatch+1, &CreateProcessAHook, 4);
  HMODULE kernel = GetModuleHandleA("Kernel32.dll");
  FARPROC CreateA = GetProcAddress(kernel, "CreateProcessA");
  FARPROC CreateW = GetProcAddress(kernel, "CreateProcessW");
  WriteProcessMemory(gwStart, CreateA, CreateAPatch, 5, NULL);
  WriteProcessMemory(gwStart, CreateW, CreateWPatch, 5, NULL);My WriteProcessMemory is failing [returning false]


VirtualProctect obviously did not work [VirtualProtect(CreateA, 5, PAGE_READWRITE, null)]

[iago]

1) the function should always start with "push ebp / mov ebp, esp / sub esp, xxxx", which should always be the same number of bytes. Replace that to a jmp to your function, and you're set.

If you actually want to call the function, I generally do something hacky -- restore the first 7 bytes to what they ought to be, call it, then re-write the first 7 bytes. There might be a better way to do that, maybe Skywing can shed some light.

Something you might want to look at is the Detours library or something similar with a less restrictive license. My understanding is that it automates the process of grabbing control of API calls. Could save you a lot of trouble.

[Hdx]

I have already writtin a class to manipulate the IAT, But Like I said its ugly. So I don't wana use it.
Meh I'll clean it and use it.
But like I said, WriteProcessMemory() fails...
I'll see how that goes.

[warz]

so dont write ugly code, or clean it and use it! why write it and then not use it?

[Blaze]

so dont write ugly code, or clean it and use it! why write it and then not use it?

A lot of the "ugly" code I write is when I'm just playing around with something new and just want something to work rather then win an award for optimization/cleanliness.  There is no excuse for lack of whitespace, though.  That is unforgivable.

[iago]

I have already writtin a class to manipulate the IAT, But Like I said its ugly. So I don't wana use it.
Meh I'll clean it and use it.
But like I said, WriteProcessMemory() fails...
I'll see how that goes.

I'm not sure why WriteProcessMemory() would fail, unless the program has some funky ACLs.

Are you calling WPM from inside the program's address space, or from an external program? If you aren't, I recommend doing it from inside. I've never had a problem with that.

What does getlasterror() say?

[MyndFyre]

You could write a kernel-level module and use the PsCreateProcessNotifyRoutine.  Off the cuff, though, I can't seem to find the documentation for it.

The caveat with PsCreateProcessNotify is that it's global and only 8 notification callbacks are supported.