Why is this global injection failing

Hi,

I created a simple proof-of-concept that injects and executes a message box. The problem is that when I inject into all processes, some of them crash. Is there anything I am doing wrong?

Code so Far:
#include<Windows.h>
#include<TlHelp32.h>
#include<iostream>
using namespace std;
// Function-pointer type used by Injection() to call the address carried in
// PARAMETER::MshInj; main() fills that field from GetProcAddress(..., "MessageBoxA").
typedef int (WINAPI* msgparam)(HWND, LPSTR , LPSTR , UINT);
// Function-pointer type with a single DWORD argument; not referenced by any
// code visible in this listing.
typedef int (WINAPI* sleep)(_In_ DWORD szMillieseconds);
// Parameter block that main() writes into the target process and passes to the
// remote thread as its argument.
struct PARAMETER{
	// Address of the function Injection() calls, stored as a DWORD (32-bit) value.
	DWORD MshInj;
};
// Forward declarations for the helpers defined after main().
DWORD getPid(string procName);
int privileges();
DWORD Injection(PARAMETER* structure);
DWORD FunctionStub();
// Walks a ToolHelp process snapshot and, for every entry except devenv.exe,
// copies the bytes of Injection() plus a PARAMETER block into that process and
// starts a remote thread on the copy.
//
// Reviewer notes (defensive reading of this listing):
//  - The per-process sequence OpenProcess(PROCESS_ALL_ACCESS) ->
//    VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
//    CreateRemoteThread is the cross-process injection pattern that endpoint
//    tooling watches for; Sysmon, for example, records cross-process thread
//    creation as event ID 8 and process-handle access as event ID 10.
//  - No return value in the loop stops the iteration: the PID == 0 and
//    OpenRemoteProcess == 0 branches are empty, so a failed step falls through
//    into the next API call.
//  - None of the handles obtained here (snapshot, process, thread) is closed.
int main()
{
	// Return value (0 = success, 1 = failure) is ignored.
	privileges();
	PROCESSENTRY32 Process;
	HANDLE hProcess;
	hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	// Result is not checked; the loop below then starts with Process32Next.
	Process32First(hProcess,&Process);
	
	while(Process32Next(hProcess,&Process))
	{
		cout<<Process.szExeFile<<endl;
		// Exact, case-sensitive name match used to skip the author's IDE.
		if(strcmp(Process.szExeFile , "devenv.exe")==0) 
		{
			goto hello;
		}
		// Second lookup by image name; getPid() returns the first process with
		// this name, which need not be the entry currently being iterated.
		DWORD PID = getPid(Process.szExeFile);
		if(PID == 0) {} 

		// Requests every access right on the target; a NULL handle is not acted on.
		HANDLE OpenRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,false,PID);
		if(OpenRemoteProcess == 0) { _asm {nop}; }
		PARAMETER injectedParameters;
		// Address is resolved in THIS process and cast to DWORD.
		injectedParameters.MshInj = (DWORD) GetProcAddress(LoadLibrary("User32.dll"),"MessageBoxA");

		// Byte count taken as the distance between two function symbols.
		// NOTE(review): C++ does not define the relative placement of functions,
		// so this value depends on how the compiler and linker lay them out.
		DWORD szFunctionSize = (PBYTE) FunctionStub - (PBYTE) Injection;

		// Remote region is readable, writable and executable at the same time.
		LPVOID szFunctionAllocation = VirtualAllocEx(OpenRemoteProcess,0,szFunctionSize,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
		WriteProcessMemory(OpenRemoteProcess,szFunctionAllocation,(void*)Injection,szFunctionSize,0);
		LPVOID szParameterAddress = VirtualAllocEx(OpenRemoteProcess,0,sizeof(PARAMETER),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
		WriteProcessMemory(OpenRemoteProcess,szParameterAddress,&injectedParameters,sizeof(PARAMETER),0);
		HANDLE Thread = CreateRemoteThread(OpenRemoteProcess,0,0,(LPTHREAD_START_ROUTINE)szFunctionAllocation,szParameterAddress,0,0);
		if(Thread != 0 ) {
// Blocks with no timeout until the remote thread exits, so the loop does not
// advance while that thread is still running.
WaitForSingleObject(Thread,INFINITE);
		}
		// Empty labelled statement: jump target for the devenv.exe skip above.
		hello:;
	}
	return 0;
}



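// Returns the process ID of the first process in a fresh ToolHelp snapshot
// whose image name equals procName (exact, case-sensitive strcmp), or 0 when
// the snapshot cannot be taken or no entry matches.
//
// Changes from the original: the snapshot handle is validated, and the walk
// starts with Process32First so the first comparison no longer reads an
// uninitialised PROCESSENTRY32::szExeFile.
//
// Caveat: an image name is not a unique or trustworthy identity. Several
// processes can share a name and any program can be given any file name, so
// the returned PID only means "some process with this name".
DWORD getPid(string procName){
   HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   if(hsnap == INVALID_HANDLE_VALUE){
      return 0;
   }

   PROCESSENTRY32 pt;
   // ToolHelp requires dwSize to be set before the first call.
   pt.dwSize = sizeof(PROCESSENTRY32);

   DWORD pid = 0;
   if(Process32First(hsnap, &pt)){
      do{
         if(!strcmp(pt.szExeFile, procName.c_str())){
            pid = pt.th32ProcessID;
            break;
         }
      } while(Process32Next(hsnap, &pt));
   }

   // Single exit path so the snapshot handle is always released.
   CloseHandle(hsnap);
   return pid;
}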
// Routine whose machine code main() copies into other processes and runs there
// via CreateRemoteThread. It reads the function address from the PARAMETER
// block and calls it with the MessageBoxA signature (msgparam).
//
// Left byte-identical on purpose: main() measures this function as the distance
// to FunctionStub(), so its behaviour depends on the compiled layout of this
// pair and not only on the source text.
DWORD Injection(PARAMETER* structure)
{
	// Address supplied by the injecting process through the parameter block.
	msgparam msgbox = (msgparam) structure->MshInj;
	// System-modal message box with no owner window.
	msgbox(0,"Hello from Partial System Wide Injection","Injection",MB_OK|MB_SYSTEMMODAL|MB_NOFOCUS);
	return 0;
}
// Never called in this listing; main() uses its address only as the end marker
// when computing the number of bytes of Injection() to copy.
// NOTE(review): this assumes the function is emitted immediately after
// Injection(), which C++ does not guarantee.
DWORD FunctionStub(){
	return 0;
}
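// Tries to enable SeDebugPrivilege (SE_DEBUG_NAME) on the current process token.
// Returns 0 on success and 1 on any failure, as the original did.
//
// Changes from the original:
//  - the token handle is closed on every path (it was leaked before);
//  - LookupPrivilegeValue is checked, so an unfilled LUID is never submitted;
//  - ERROR_NOT_ALL_ASSIGNED is treated as failure: AdjustTokenPrivileges
//    returns non-zero even when the token does not hold the privilege, so the
//    return value alone is not proof that it was enabled.
//
// SeDebugPrivilege allows opening processes regardless of their security
// descriptor, so a process enabling it is worth noting when reviewing logs.
int privileges(){
  HANDLE Token;
  if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
  {
	return 1; //FAIL
  }

  TOKEN_PRIVILEGES tp;
  int result = 1; //FAIL until proven otherwise
  if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
  {
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	if(AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)!=0
	   && GetLastError()!=ERROR_NOT_ALL_ASSIGNED)
	{
		result = 0; //SUCCESS
	}
  }

  CloseHandle(Token);
  return result;
}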


**Note**: I filtered devenv.exe out to make sure that, in the event of a malfunction or crash, Visual Studio would not crash.

Thanks
Interesting use of goto when C++ already has continue statement for exactly this kind of thing.

The continue statement causes the program to skip the rest of the loop in the current iteration as if the end of the statement block had been reached, causing it to jump to the start of the following iteration.

http://www.cplusplus.com/doc/tutorial/control/
Interesting... Edited my source code now to use continue.

Thanks! Will be great use for me.

On another note: does anyone know what is causing this erroneous behavior?

When I inject into functions alone, this code tends to work, whereas here, when injecting into the whole system, there seems to be an error.

Hopefully I get this problem out the way and carry on with my Project.

Note:
When injecting into the system as a whole, some well-known processes such as MSBuild.exe and Devenv.exe seem to crash without a valid reason. When I inject into them individually, it works flawlessly.

I hope it is not because of any 3rd Party Protection Software.

EDIT: Let me try creating a specific thread dedicated to injection. Will post soon as results come out.
Finished the program. It is working great. I used a dedicated thread for injecting, but it is in higher memory in RAM than the injected function, to reduce errors such as JMPs.