- Forum
- Windows Programming
- How will you do code cave injection!?
How will you do code cave injection!?
Pages: 12
Hey guys,
this is a link:
http://www.rohitab.com/discuss/topic/39357-code-cave-injection-tutorial-c/
I did the code it crashed
notepad!
I did with declaring the functions as static...
But that also didnt work?
Help:)
this is a link:
http://www.rohitab.com/discuss/topic/39357-code-cave-injection-tutorial-c/
I did the code it crashed
notepad!
I did with declaring the functions as static...
But that also didnt work?
Help:)
closed account (13bSLyTq)
Hi,
It is due to the current tool setting you have. What tool set are you using and what IDE\Compiler are you using.
It is due to the current tool setting you have. What tool set are you using and what IDE\Compiler are you using.
closed account (13bSLyTq)
Sorry, You need to wait man.
Anyway this is becuase of the compiler generating wrong code. As normally statics are set into alpha-numeric order however Dev C++ does not do that therefore cannot find the size.
Additionally it generates different code which breaks the stack at vital blocks therefore this error is comming. Sorry to say I have no cure here as I don't use Dev C++ to do these things. Thats why I suggest you use VS2010 NOT VS2012. VS2010 toolset is used in VS2012 as VS2010 has the best generated code for me but VS2012 is for advanced debugging and coding support.
Anyway this is becuase of the compiler generating wrong code. As normally statics are set into alpha-numeric order however Dev C++ does not do that therefore cannot find the size.
Additionally it generates different code which breaks the stack at vital blocks therefore this error is comming. Sorry to say I have no cure here as I don't use Dev C++ to do these things. Thats why I suggest you use VS2010 NOT VS2012. VS2010 toolset is used in VS2012 as VS2010 has the best generated code for me but VS2012 is for advanced debugging and coding support.
closed account (13bSLyTq)
Yes, actually it worked very well. However I made few changes. Such as relocation of function addresses and such.
What did you mean when you
said:
"Such as
relocation of function addresses and
such.
"
BTW, did you declared functions as static?
how did you calculate the function size?
Please tell me?
said:
"Such as
relocation of function addresses and
such.
"
BTW, did you declared functions as static?
how did you calculate the function size?
Please tell me?
closed account (13bSLyTq)
So you need to rename the function names with the stub being zUseless and the injection thread being aInjection, this could mean that the functions doeSnT move around. Just calculte the function sizes normally. like shown
Okay, so does the code work as it is in rohitab.com?
without any changes, you made?
without any changes, you made?
closed account (13bSLyTq)
Yes, depending on the project settings. I am saying in some environments it works in some it does not.
Can you please tell me your project settings?
Is this the correct way to declare those functions:
Help, please...
Is this the correct way to declare those functions:
|
|
Help, please...
Last edited on
closed account (13bSLyTq)
No as I said you need to do relocation and renaming.
Anyway the code generation must be /MT this allows injection to actually run next, if the notepad crashed it is a good thing mainly keeping in mind that the thread did get spawned in the processes so it is matter of correctly running it.
The reason it crashes without /MT is because VS normally creates Call gates for all functions like this:
All the call gate do is rather than use the real function it uses a different method which is useful for debugging in terms for the VS.
This means the call gates are not global address unlike NtOpenProcess or such. This means they have no entries in IAT, EAT. This means when you use MessageBoxA or whatever using the local address in foreign process spaces. You are basically jumping to a memory address where there is different instructions stored, and as there is memory protection. You are basically performing a Access Violation in a specific Memory Address, thus it gets crashed.
Next, if you are confused why you must rename and relocate, let me elaborate.
Visual Studio tries to attempt to optimize the code to the maximum and make the executable as neat as possible. This means VS incorporates a alpha-numeric order in all functions this ensures the code looks sweet and neat. However this has it's downs such as when calculating sizes of address, you are getting different addresses:
A Quick Example:
However if you set the code generation to /MT, the code generated would differ and not rename vital functions and such.
Hope I helped.
Anyway the code generation must be /MT this allows injection to actually run next, if the notepad crashed it is a good thing mainly keeping in mind that the thread did get spawned in the processes so it is matter of correctly running it.
The reason it crashes without /MT is because VS normally creates Call gates for all functions like this:
|
|
All the call gate do is rather than use the real function it uses a different method which is useful for debugging in terms for the VS.
This means the call gates are not global address unlike NtOpenProcess or such. This means they have no entries in IAT, EAT. This means when you use MessageBoxA or whatever using the local address in foreign process spaces. You are basically jumping to a memory address where there is different instructions stored, and as there is memory protection. You are basically performing a Access Violation in a specific Memory Address, thus it gets crashed.
Next, if you are confused why you must rename and relocate, let me elaborate.
Visual Studio tries to attempt to optimize the code to the maximum and make the executable as neat as possible. This means VS incorporates a alpha-numeric order in all functions this ensures the code looks sweet and neat. However this has it's downs such as when calculating sizes of address, you are getting different addresses:
A Quick Example:
|
|
However if you set the code generation to /MT, the code generated would differ and not rename vital functions and such.
Hope I helped.
why you need to rename functions and when you said relocation you meant
:
myfunc-useless
or
as it is in rohitab
useless-myfunc.
I am confused help!?
:
myfunc-useless
or
as it is in rohitab
useless-myfunc.
I am confused help!?
closed account (13bSLyTq)
To simple it down to the bones do this:
- Set Code Generation to /MT
- rename useless to zUseless
- rename myfunc to amyfunc
do this, anyway I was showing you what the compiler generates normally and one with additional optimization. Hope you understand now.
- Set Code Generation to /MT
- rename useless to zUseless
- rename myfunc to amyfunc
do this, anyway I was showing you what the compiler generates normally and one with additional optimization. Hope you understand now.
You need to rename functions because of 'Z' to 'A' order, right?
Can I use this function to calculate size?
DO I NEED TO DECLARE THE FUNCTIONS AS STATIC?
HELP!
Can I use this function to calculate size?
|
|
DO I NEED TO DECLARE THE FUNCTIONS AS STATIC?
HELP!
Last edited on
The code works , one more thing:
user32.dll is NOT loaded by default injector application, the fix is either use some function from user32 to force the linker automatically loads user32 in our process space or just use LoadLibrary instead of GetModuleHandle.
user32.dll is NOT loaded by default injector application, the fix is either use some function from user32 to force the linker automatically loads user32 in our process space or just use LoadLibrary instead of GetModuleHandle.
closed account (13bSLyTq)
Your Welcome, anytime.
I am only 14 now you see, but been programming for years nevertheless check my blog to find out: http://codeempire.blogspot.co.uk/
I am only 14 now you see, but been programming for years nevertheless check my blog to find out: http://codeempire.blogspot.co.uk/
Pages: 12