No as I said you need to do relocation and renaming.
Anyway the code generation must be /MT this allows injection to actually run next, if the notepad crashed it is a good thing mainly keeping in mind that the thread did get spawned in the processes so it is matter of correctly running it.
The reason it crashes without /MT is because VS normally creates Call gates for all functions like this:
1 2 3 4 5 6
|
;Basic Example
MsgBoxCallgate:
mov esp[0x4], 0
jmp User32.dll!MessageBoxA
|
All the call gate do is rather than use the real function it uses a different method which is useful for debugging in terms for the VS.
This means the call gates are not global address unlike NtOpenProcess or such. This means they have no entries in IAT, EAT. This means when you use MessageBoxA or whatever using the local address in foreign process spaces. You are basically jumping to a memory address where there is different instructions stored, and as there is memory protection. You are basically performing a Access Violation in a specific Memory Address, thus it gets crashed.
Next, if you are confused why you must rename and relocate, let me elaborate.
Visual Studio tries to attempt to optimize the code to the maximum and make the executable as neat as possible. This means VS incorporates a alpha-numeric order in all functions this ensures the code looks sweet and neat. However this has it's downs such as when calculating sizes of address, you are getting different addresses:
A Quick Example:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
|
Let's say your original address of Useless() is - 0x20
and size is - 0x1
Now lets say the original address of myfunc() is - 0x10
and size is - 0x5
the function size is - 0x5 - 0x1
As you may see the address are correctly lined up to perform correct calculations however when VS optimizes it this is what happens:
Optimized address of Useless() is - 0x30
and size is - 0x1
Optimized address of myfunc() is - 0x40
and size is - 0x10
The function size of new code is - 0x1 - 0x10
Clearly this is wrong because a size cannot be -0x9
But VS also re-optimizes the calculations depending of addresses. This means the foreign allocation may be allocated but when you write it the actual code to the allocated address space. This causes a "access violation" which basically crashes the process when you run the code.
As CPU would locate EIP trying to access protected memory pages and addresses. Thus the processes crashes.
|
However if you set the code generation to /MT, the code generated would differ and not rename vital functions and such.
Hope I helped.