How will you do code cave injection!?

Pages: 12
Hey guys,
this is a link:
http://www.rohitab.com/discuss/topic/39357-code-cave-injection-tutorial-c/
I did the code it crashed
notepad!
I did with declaring the functions as static...
But that also didnt work?
Help:)
Hi,

It is due to the current tool setting you have. What tool set are you using and what IDE\Compiler are you using.
Well I use Dev c++ ...
BTW, Im using windows XP.
Help!
Still, no reply...
Sorry, You need to wait man.

Anyway this is becuase of the compiler generating wrong code. As normally statics are set into alpha-numeric order however Dev C++ does not do that therefore cannot find the size.

Additionally it generates different code which breaks the stack at vital blocks therefore this error is comming. Sorry to say I have no cure here as I don't use Dev C++ to do these things. Thats why I suggest you use VS2010 NOT VS2012. VS2010 toolset is used in VS2012 as VS2010 has the best generated code for me but VS2012 is for advanced debugging and coding support.

Have you tried that code in
VS2010 ?
Did it work?
Yes, actually it worked very well. However I made few changes. Such as relocation of function addresses and such.
What did you mean when you
said:
"Such as
relocation of function addresses and
such.
"
BTW, did you declared functions as static?
how did you calculate the function size?
Please tell me?
So you need to rename the function names with the stub being zUseless and the injection thread being aInjection, this could mean that the functions doeSnT move around. Just calculte the function sizes normally. like shown
Okay, so does the code work as it is in rohitab.com?
without any changes, you made?
Yes, depending on the project settings. I am saying in some environments it works in some it does not.
Can you please tell me your project settings?
Is this the correct way to declare those functions:
1
2
3
4
5
6
7
8
9
10
__declspec(naked) static DWORD myfunc(){
//...//
}

__declspec(naked) static DWORD Useless()
{
return 0;
}
//and size...
DWORD size=(PBYTE)Useless-(PBYTE)myfunc;

Help, please...
Last edited on
No as I said you need to do relocation and renaming.

Anyway the code generation must be /MT this allows injection to actually run next, if the notepad crashed it is a good thing mainly keeping in mind that the thread did get spawned in the processes so it is matter of correctly running it.

The reason it crashes without /MT is because VS normally creates Call gates for all functions like this:

1
2
3
4
5
6
;Basic Example 

MsgBoxCallgate:

mov esp[0x4], 0 
jmp User32.dll!MessageBoxA



All the call gate do is rather than use the real function it uses a different method which is useful for debugging in terms for the VS.

This means the call gates are not global address unlike NtOpenProcess or such. This means they have no entries in IAT, EAT. This means when you use MessageBoxA or whatever using the local address in foreign process spaces. You are basically jumping to a memory address where there is different instructions stored, and as there is memory protection. You are basically performing a Access Violation in a specific Memory Address, thus it gets crashed.

Next, if you are confused why you must rename and relocate, let me elaborate.

Visual Studio tries to attempt to optimize the code to the maximum and make the executable as neat as possible. This means VS incorporates a alpha-numeric order in all functions this ensures the code looks sweet and neat. However this has it's downs such as when calculating sizes of address, you are getting different addresses:

A Quick Example:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Let's say your original address of Useless() is - 0x20 
and size is - 0x1

Now lets say the original address of myfunc() is - 0x10
and size is - 0x5

the function size is - 0x5 - 0x1  
As you may see the address are correctly lined up to perform correct calculations however when VS optimizes it this is what happens:


Optimized address of Useless() is - 0x30
and size is - 0x1

Optimized address of myfunc() is - 0x40
and size is - 0x10

The function size of new code is -  0x1 - 0x10

Clearly this is wrong because a size cannot be -0x9 

But VS also re-optimizes the calculations depending of addresses. This means the foreign allocation may be allocated but when you write it the actual code to the allocated address space. This causes a "access violation" which basically crashes the process when you run the code.

As CPU would locate EIP trying to access protected memory pages and addresses. Thus the processes crashes.  


However if you set the code generation to /MT, the code generated would differ and not rename vital functions and such.

Hope I helped.
why you need to rename functions and when you said relocation you meant
:
myfunc-useless
or
as it is in rohitab
useless-myfunc.
I am confused help!?

To simple it down to the bones do this:

- Set Code Generation to /MT
- rename useless to zUseless
- rename myfunc to amyfunc

do this, anyway I was showing you what the compiler generates normally and one with additional optimization. Hope you understand now.
You need to rename functions because of 'Z' to 'A' order, right?
Can I use this function to calculate size?
1
2
3
4
5
6
7
8
9
10
11
12
LPBYTE GetFunctionAddr(LPVOID
lpFunc)
{
return (LPBYTE)lpFunc;
}
//and stub
void RemoteThreadEnd() {}

//and size...
DWORD dwFuncSize =
(GetFunctionAddr(RemoteThreadEnd)
- GetFunctionAddr(RemoteThread));

DO I NEED TO DECLARE THE FUNCTIONS AS STATIC?
HELP!
Last edited on
1.Yes
2. No use (PBYTE)zUseless - (PBYTE)amyfunc
2. Yes
Thankyou very much!
you are awesome!
BTW, what is your real name?
The code works , one more thing:
user32.dll is NOT loaded by default injector application, the fix is either use some function from user32 to force the linker automatically loads user32 in our process space or just use LoadLibrary instead of GetModuleHandle.
Your Welcome, anytime.
I am only 14 now you see, but been programming for years nevertheless check my blog to find out: http://codeempire.blogspot.co.uk/
Pages: 12