@OrionMaster:
Can I use this function to block WINDOWS API's?
code:

HELP?

Hi,

I think you need to learn before you Copy & Paste, especially when experimenting with lower-level Windows API. Next, use 0x90 rather than 0xC3 keeping in mind 0x90 is a memory NOP however 0xC3 is NOPS compiler inserts during a declspec(naked) instances to make space. Or better be replace 0xC3 with a retn.

Next, to protect the memory as well use VirtualProtectEx and place guard page there rather than using one specific protection why not be creative. I have dozen more ways to ensure protection and blockage here.

forget about this!,
BTW, the old post I made on code cave
injection,
Can you kill csrss.exe,
and such process using that code cave injection at rohitab?

Hi,

Yes (NOT csrss.exe though) however you need to remove few privilege settings in order to. Additionally the biggest problem is protected processes. This is due to UAC as all SYSTEM and Administrator need the injection to be run under elevated mode, thus you need to get UAC allowance.

Thanks!

What privileges I need to remove?
And if I get UAC allowance
to run as administrator can I kill CSRSS.EXE?
HELP!

One more thing:
take a look at this link:
https://rstforums.com/forum/43070-c-direct-code-injection-examples-no-dll-injection.rst
There they dont calculate function size like stub-func,
they only do sizeof RemoteData, for all, will that work on the example from rohitab.com???

help...

Please read all the posts above,
still no reply?

I'll pick up where Orion Master left off. With thread injection the amount of memory you allocate does not have to be exact, it just has to be large enough. When I was playing around with thread injection I would just use the "GetProcessWorkingSetSize()" function on the process injecting the code and base the amount of memory to allocate on the target process on the value returned in the "lpMaximumWorkingSetSize" variable.


Why are you trying to kill CSRSS.exe? Doing that just causes the system to crash and reboot.

@Computergeek01

The GetProcessWorkingSetSize() is not a ideal function keeping in mind if we are performing system-wide allocations and threads with around 50\60\70+ processes, it would reduce a lot of RAM and memory and if there are 100+ processes it can cause memory swapping.

I think Smoke Loader (Malware), does that when it injects and allocates it uses 1GB of allocation from system-wide injection. Normally it shouldnt even take 500KB let alone 1GB.

@ OrionMaster: That would be an after the fact design consideration if I've ever seen one. System wide hooks are done with DLL's and the "SetWindowsHookEx()" function anyway so you wouldn't be using any of the methods the OP mentioned in this thread to begin with.

No I would use the methods, I just mean to say I would not use GetProcessWorkingSetSize function as it is wasteful of CPU and RAM resources.

That function is what you think is wasteful and not having to elevate your privileges for everything and then shotgun your thread into every process when the OP clearly has a set target in mind? Come on now, you know that is an AV red flag right there.

Hi,

True, but I enjoy answering these type question anyway I know it is aravind so I am not really bothered cuz he has been spending at least a month doing something too simple. Anyway I have no clue if he is legit or illegal.

Nevertheless:
Viruses don't harm, ignorance does!

#VX_IS_BACK.

You know what though, you have got me thinking about this again. Knowing how much space to allocate before you inject your thread was one of the more challenging parts for me and I've always hated every ones half-baked "solutions". As you can see the solution I settled on was just "good enough" and not really elegant in anyway.

Tell me what you think about this:

Process_A is the executable that is doing the injection and Process_B is the target that is being injected into.

As soon as you launch Process_A have it call "GetProcessMemoryInfo()" and save it's current working set size. Then just before you allocate memory for your remote thread in Process_B, launch the thread you intend to inject locally in Process_A with the 'Create_SUSPEND' attribute set and then call "GetProcessMemoryInfo()" again to grab the working set size with the remote thread loaded locally. Compare the two values and the difference between them should be the minimum amount of memory you need to allocate in Process_B, "VirtualAllocEx()" will just round up to the next page anyway so your precision is limited. A draw back I can think of is that you wouldn't want the potentially malicious thread to execute any code of course, but killing it with "TerminateThread()" wouldn't allow it to call any destructors so you would potentially have a memory leak. Any thoughts on how this might be improved?

EDIT: Maybe having something in the lpParameters variable you pass to the thread tell it to exit cleanly when you call "ResumeThread()"? I may not get anything poductive done today.

Hi,

We can easily incorporate atomic changes this would protect the EIP from going haywire if anything terminates CPU is counting the next bytes of EIP transfer. Additionally, there is little we can do except from my suggestion about memory leaks keeping in mind that if a operation is terminated it can crash the process or lose vital information.

So yeah.

Will this code work without changes?
https://rstforums.com/forum/43070-c-direct-code-injection-examples-no-dll-injection.rst
Help...
Please dont confuse me!

Hi,

Why don't you try it yourself it would be far more effective for your learning process. Rather than ask us to even compile and run it for you.

Hi,
I asked because the code at rohitab made my notepad exit!
so will the code at the link I gave work without any changes?
and my computer is broke!
I am doing this thread from my mobile...
So, I cant test the code...
Thats why I asked you to do this for me...
I just wanna know if it injects and displays message box...
Its not like im copy pasting...

Please read the above post...
One more thing:
in the rohitab link why cant I do sizeof(myfunc) rather than stub-useless ?