Why is this Injection Not Working

Hi,

I wanted to learn how to inject a hook into a function, so I have been studying inline injection (without a DLL or similar). I wrote a proof of concept just to understand how it works, but for some reason it is not working. Why is that?

CODE SO FAR:

#include<Windows.h>
#include<iostream>
#include<TlHelp32.h>
#include<stdlib.h>
using namespace std;
// Forward declarations for the helpers defined below main().
int privileges();                 // enables SeDebugPrivilege on this process; 0 = success, 1 = failure
DWORD getPid(string Procname);    // PID of the first process whose image name matches, 0 if none
// Stub carries no logic: its address is used only as the end marker when main()
// computes HookFunction's byte length (Stub - HookFunction).
static DWORD Stub();
static DWORD HookFunction();
// Proof of concept: copy the bytes of HookFunction into another process and
// run them on a new thread there.
// NOTE(review): OpenProcess(PROCESS_ALL_ACCESS) followed by an RWX VirtualAllocEx,
// WriteProcessMemory and CreateRemoteThread is the textbook remote-thread
// injection sequence that endpoint monitoring flags; expect this to be alerted on.
int main()
{
	// Return value is discarded, so a failed privilege request goes unnoticed.
	privileges();
	DWORD GetPID = getPid("Skynet - Attacker.exe");

	if(GetPID == 0) return 1; //Error

	HANDLE p = OpenProcess(PROCESS_ALL_ACCESS,false,GetPID);
    if(p == 0) return 1; //Error

	// Assumes the linker placed Stub immediately after HookFunction and that the
	// copied bytes are self-contained; neither is guaranteed by the compiler.
	DWORD szFuncSize = (PBYTE) Stub - (PBYTE) HookFunction; //For us to get the size of Orginal Function
	// Neither result is checked: a NULL Functionaddress or a short write would still
	// be handed to CreateRemoteThread below.
	LPVOID Functionaddress = VirtualAllocEx(p,NULL,szFuncSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(p,Functionaddress,(void*)HookFunction,szFuncSize,0);

	HANDLE Thread= CreateRemoteThread(p,0,0,(LPTHREAD_START_ROUTINE)Functionaddress,(LPVOID)0,0,0);
	if(Thread !=0)
	{
		WaitForSingleObject(Thread,INFINITE);
	}
	// Neither p nor Thread is closed and the remote allocation is never released;
	// both the success and the CreateRemoteThread-failure paths fall off the end
	// of main() with an implicit return of 0, so the caller cannot tell them apart.
}
// Body that main() copies into the target process. It calls exit() through an
// address resolved in this process's image, which has no meaning once the bytes
// run inside the target; the second listing on this page avoids that by handing
// the function pointer over in a data block instead.
static DWORD HookFunction()
{
	exit(1);
return 0;   // unreachable: exit() does not return
}
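// Resolve a process image name to a PID with a Toolhelp snapshot.
// Returns 0 when no matching process exists or the snapshot cannot be taken.
// The comparison is exact and case-sensitive; if several processes share the
// name, the first one the snapshot enumerates wins.
DWORD getPid(string procName){
   HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   if(hsnap == INVALID_HANDLE_VALUE) return 0;   // nothing to close on this path

   PROCESSENTRY32 pt = {0};
   pt.dwSize = sizeof(PROCESSENTRY32);           // the API rejects the call without it

   DWORD pid = 0;
   // Process32First must run before Process32Next; without it the first
   // iteration compares against an unfilled (uninitialized) szExeFile.
   if(Process32First(hsnap, &pt)){
      do{
         if(strcmp(pt.szExeFile, procName.c_str()) == 0){
            pid = pt.th32ProcessID;
            break;
         }
      } while(Process32Next(hsnap, &pt));
   }
   CloseHandle(hsnap);                           // single exit: the handle is released on every path
   return pid;
}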
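// Enable SeDebugPrivilege on the current process token.
// Returns 0 on success and 1 on failure (the convention the callers rely on).
// Requires the token to already hold the privilege (normally an elevated
// administrator); it cannot grant a privilege the token does not have.
int privileges(){
  HANDLE Token = NULL;
  if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token)){
     return 1;   // no token handle was opened, so nothing to close
  }

  int rc = 1;
  TOKEN_PRIVILEGES tp = {0};
  // The LUID lookup can fail; previously an uninitialized LUID would then be
  // passed on to AdjustTokenPrivileges.
  if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)){
     tp.PrivilegeCount = 1;
     tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
     // AdjustTokenPrivileges reports success even when the privilege was not
     // assigned to the token; ERROR_NOT_ALL_ASSIGNED distinguishes that case.
     if(AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL) != 0
        && GetLastError() != ERROR_NOT_ALL_ASSIGNED){
        rc = 0;   // SUCCESS
     }
  }
  CloseHandle(Token);   // the token handle used to leak on every return path
  return rc;
}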
// End marker only: main() uses (Stub - HookFunction) as HookFunction's length.
// That only holds if the toolchain emits Stub directly after HookFunction with
// nothing in between; the computed size is never validated.
static DWORD Stub() //Just to get Functions size 
{
	return 0;
}


If you can see the problem, could someone tell me where I am going wrong?

Thanks
Don't worry, I solved it myself. Working code:
#include<Windows.h>
#include<iostream>
#include<TlHelp32.h>
#include<stdlib.h>
using namespace std;
// Function-pointer type used to call MessageBoxA through an address supplied at
// run time (the real API takes LPCSTR for the two strings; LPSTR is compatible here).
typedef int (WINAPI* msgparam)(HWND,LPSTR,LPSTR,UINT);
DWORD getPid(string procname);   // PID of the first process whose image name matches, 0 if none
int privileges();                // enables SeDebugPrivilege on this process; 0 = success, 1 = failure
// Data block copied into the target process alongside MyFunc. Everything is
// stored inline (fixed-size char arrays, no pointers into this process) so the
// copy is self-contained.
struct PARAMETERS
{
	// Address of MessageBoxA in the target. Stored as a 32-bit DWORD, which
	// truncates a pointer on a 64-bit build — this layout only works for 32-bit.
	DWORD MessageBoxinj;
	char szText[50];       // message body; the literals written by main() fit, but no length check exists
	char szCaption[50];    // title bar text
    int  szButtons;        // MessageBox style flags (MB_*)
};
// MyFunc is the routine copied into the target; Stub exists only so that
// (Stub - MyFunc) can serve as MyFunc's byte length in main().
static DWORD MyFunc(PARAMETERS* Message);
static DWORD Stub();



// Copies MyFunc and a PARAMETERS block into the target process and runs MyFunc
// there on a new thread.
// NOTE(review): OpenProcess(PROCESS_ALL_ACCESS) followed by an RWX VirtualAllocEx,
// WriteProcessMemory and CreateRemoteThread is the textbook remote-thread
// injection sequence that endpoint monitoring flags; expect this to be alerted on.
int main()
{
	if(privileges() ==0)
	{

	DWORD pid = getPid("Skynet - Attacker.exe");
	if(pid == 0) return 1;

	HANDLE p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);

	if(p == 0) return 1;

	PARAMETERS szInjectionData;
	// The address is resolved in this process and presumed to be identical in the
	// target; the DWORD cast also truncates it on a 64-bit build — TODO confirm 32-bit only.
	szInjectionData.MessageBoxinj = (DWORD)GetProcAddress(LoadLibrary("User32.dll"),"MessageBoxA");
	szInjectionData.szButtons = MB_ICONERROR|MB_OK;
	strcpy_s(szInjectionData.szCaption,"Hello World");
	strcpy_s(szInjectionData.szText,"Called from Code Injection");

	// Assumes the linker placed Stub immediately after MyFunc; not guaranteed, and
	// the resulting size is never validated. DWORD casts of pointers truncate on 64-bit.
	DWORD szFunctionSize = (DWORD) Stub - (DWORD)MyFunc;
	// None of the four calls below is checked: a NULL allocation or a short write
	// still reaches CreateRemoteThread.
	LPVOID szFunctionAddress = VirtualAllocEx(p,0,szFunctionSize,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(p,szFunctionAddress,(VOID*)MyFunc,szFunctionSize,0);
	LPVOID szDataAdress = VirtualAllocEx(p,0,sizeof(PARAMETERS),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
	WriteProcessMemory(p,szDataAdress,&szInjectionData,sizeof(PARAMETERS),0);

	HANDLE Thread = CreateRemoteThread(p,0,0,(LPTHREAD_START_ROUTINE)szFunctionAddress,szDataAdress,0,0);
	if(Thread !=0)
	{
	// MyFunc ends in an empty for(;;), so the remote thread never exits and this
	// INFINITE wait never returns; everything after it is effectively unreachable.
	WaitForSingleObject(Thread, INFINITE);
	// VirtualFree operates on the calling process's address space; these pointers
	// belong to the target, so the release does not happen as intended
	// (VirtualFreeEx is the process-handle variant).
	VirtualFree(szFunctionAddress, 0, MEM_RELEASE); //free myFunc memory
		VirtualFree(szDataAdress, 0, MEM_RELEASE); //free data memory
		CloseHandle(Thread);
		CloseHandle(p);  // release the process handle (the thread was already waited on above)
		cout<<"Injection completed!"<<endl;
	return 0;
	}
	// CreateRemoteThread failure falls off the end of main(): p is leaked and the
	// implicit return value is 0, the same as success.
	}
	else
	{
		exit(1);
	}
}
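// Resolve a process image name to a PID with a Toolhelp snapshot.
// Returns 0 when no matching process exists or the snapshot cannot be taken.
// The comparison is exact and case-sensitive; if several processes share the
// name, the first one the snapshot enumerates wins.
DWORD getPid(string procName){
   HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   if(hsnap == INVALID_HANDLE_VALUE) return 0;   // nothing to close on this path

   PROCESSENTRY32 pt = {0};
   pt.dwSize = sizeof(PROCESSENTRY32);           // the API rejects the call without it

   DWORD pid = 0;
   // Process32First must run before Process32Next; without it the first
   // iteration compares against an unfilled (uninitialized) szExeFile.
   if(Process32First(hsnap, &pt)){
      do{
         if(strcmp(pt.szExeFile, procName.c_str()) == 0){
            pid = pt.th32ProcessID;
            break;
         }
      } while(Process32Next(hsnap, &pt));
   }
   CloseHandle(hsnap);                           // single exit: the handle is released on every path
   return pid;
}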
// Executes inside the target process, so it may only use what arrives through
// myparam: the MessageBoxA address and the strings are all supplied by main()
// rather than resolved here.
static DWORD MyFunc(PARAMETERS * myparam){
	msgparam MsgBox = (msgparam)myparam->MessageBoxinj;
	 MsgBox(0, myparam->szText, myparam->szCaption, myparam->szButtons);
           // Empty infinite loop: the thread never returns and spins at full CPU,
           // which also keeps main()'s WaitForSingleObject(INFINITE) blocked forever.
           for(;;)
		   {

			}
             return 0;   // unreachable
}
 
// End marker only: main() uses (Stub - MyFunc) as MyFunc's byte length. That
// holds only if the toolchain emits Stub directly after MyFunc with nothing in
// between; the computed size is never validated.
static DWORD Stub(){  
  return 0;
}

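// Enable SeDebugPrivilege on the current process token.
// Returns 0 on success and 1 on failure (the convention the callers rely on).
// Requires the token to already hold the privilege (normally an elevated
// administrator); it cannot grant a privilege the token does not have.
int privileges(){
  HANDLE Token = NULL;
  if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &Token)){
     return 1;   // no token handle was opened, so nothing to close
  }

  int rc = 1;
  TOKEN_PRIVILEGES tp = {0};
  // The LUID lookup can fail; previously an uninitialized LUID would then be
  // passed on to AdjustTokenPrivileges.
  if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)){
     tp.PrivilegeCount = 1;
     tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
     // AdjustTokenPrivileges reports success even when the privilege was not
     // assigned to the token; ERROR_NOT_ALL_ASSIGNED distinguishes that case.
     if(AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL) != 0
        && GetLastError() != ERROR_NOT_ALL_ASSIGNED){
        rc = 0;   // SUCCESS
     }
  }
  CloseHandle(Token);   // the token handle used to leak on every return path
  return rc;
}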