EMO Style ForumPro - Hos Geldiniz
Giriş yap

Şifremi unuttum

Istatistikler
Toplam 203 kayıtlı kullanıcımız var
Son kaydolan kullanıcımız: posta59

Kullanıcılarımız toplam 1186 mesaj attılar bunda 862 konu
Tarıyıcı
 Kapı
 Indeks
 Üye Listesi
 Profil
 SSS
 Arama
Arama
 
 

Sonuç :
 


Rechercher çıkıntı araştırma

RSS akısı


Yahoo! 
MSN 
AOL 
Netvibes 
Bloglines 


Anahtar-kelime

Kimler hatta?
Toplam 8 kullanıcı online :: 0 Kayıtlı, 0 Gizli ve 8 Misafir

Yok

[ Bütün listeye bak ]


Sitede bugüne kadar en çok 92 kişi Paz Ağus. 28, 2016 6:58 am tarihinde online oldu.
En son konular
» İnternetten Para Kazandıran Oyun ! Ödeme Alt Limiti Yok ! DEV KONU
Cuma Ağus. 29, 2014 8:33 am tarafından Hello EMO

» goldenchase.net maden yaparak para kazanma
Cuma Ağus. 29, 2014 8:18 am tarafından Hello EMO

» etichal hacker görsel egitim seti
Çarş. Ağus. 06, 2014 4:57 am tarafından Hello EMO

» KO TBL Source C#
Ptsi Ara. 09, 2013 6:36 am tarafından Hello EMO

» x86 Registers
C.tesi Ağus. 24, 2013 5:02 am tarafından Hello EMO

» [Tutorial] Pegando Address, Pointers de WYD
Çarş. Tem. 10, 2013 7:25 am tarafından Hello EMO

» [Tutorial] Pegando Address, Pointers de CS Metodo²
Çarş. Tem. 10, 2013 7:23 am tarafından Hello EMO

» [Tutorial] Aprendendo basico deASM OLLYDBG
Çarş. Tem. 10, 2013 7:22 am tarafından Hello EMO

» Basic C# DLL injector
Ptsi Tem. 08, 2013 7:48 am tarafından Hello EMO

Reklam

[Tutorial] Thread Injection

Önceki başlık Sonraki başlık Aşağa gitmek

[Tutorial] Thread Injection

Mesaj tarafından Hello EMO Bir Paz Ağus. 14, 2011 6:23 pm

[quote='DarkstaR69' pid='14652305' dateline='1313339898']
This tutorial for thread injection works on x86 processes. Due to register differences it wont work in x64, but can be easily converted.

Codecaving is the practice of injecting machine code into a remote process and making it execute. In this tutorial, I will cover a method of codecaving which I like to call thread injection. Thread inject is an 8 step process.

  1. Find target process
  2. Detect main thread
  3. Suspend the thread
  4. Find main threads current instruction pointer
  5. Allocate memory in target process for a codecave
  6. Write the codecave to memory
  7. Spoof instruction pointer to the location of the codecave
  8. Resume the thread


Below, I will explain exactly how to achieve the task of injecting code into a thread. At the very end of this post you will find the full source code.

First, we must obtain our process ID. There are many ways of doing this. I'll do it by using FindWindowA()
Kod:

   windowHandle = FindWindowA(NULL, windowName);
   GetWindowThreadProcessId(windowHandle, &procID);

The next thing we must do is create a structure for the TIB (Thread Information Block). We only need to create a partial structure since we only need limited information.
Kod:
//thanks to http://en.wikipedia.org/wiki/Win32_Thread_Information_Block
struct partialTIB
{
   DWORD SEHFrame;
   DWORD StackTopPointer;
   DWORD StackBottomPointer;
   DWORD Unknown;
   DWORD FiberData;
   DWORD ArbitraryDataSlot;
   DWORD LinearAddressOfTIB; //This is the linear address of this block of data!
   DWORD EnviromentPointer;
   DWORD ProcessID;
   DWORD CurrentThreadID; //This is the last pf what we need, so we'll stop here
};

Now we must actually get the TIB of our target process. There is no documented conventional way of doing so, so we must use a small trick. The FS register points to the current processes TIB. The TIB contains a member named LinearAddressOfTIB. As the name suggests, this member points to the memory address of the TIB. This address is universal for every process. In order to get the TIB for a remote process, we will simply get our TIB from the FS register, grab the memory address of the TIB, and then read memory from that location in our target application.
Kod:

    _asm
    {
     MOV EAX, FS:[0x18]
     MOV [pointerTID], EAX
    }

    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, false, procID);
    ReadProcessMemory(hProcess, (const void*)pointerTID, &TIB, sizeof(partialTIB), NULL);
    CloseHandle(hProcess);

Now that we have our threadID, we must open the thread and suspend it. This is very simple since we have the WinAPI at our disposal.
Kod:

   HANDLE thread = OpenThread((THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT), false, threadID);
   SuspendThread(thread);

With the thread suspended, it is time to get its control context. We suspended the thread first so it wont be executing and jumping from instruction to instruction once we get the context.
Kod:

   CONTEXT threadContext;
   threadContext.ContextFlags = CONTEXT_CONTROL;
   GetThreadContext(thread, &threadContext);

The next step is to create our codecave. Since this is just a proof of concept, I will be using a simple code cave. All the codecave will do is return right back to the threads original instruction pointer. You may be asking "How do we know it works, then?" Simple: If you remove the return to the original instruction pointer, the application crashes.

The first thing to do when creating our codecave is to allocate the memory for it. To do this, we use OpenProcess() and VirtualAllocEx()
Kod:
   HANDLE process = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, false, TIB.ProcessID);
   LPVOID codeCave = VirtualAllocEx(process, NULL, 6, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

Next we must write our codecave to memory in the form of bytecode (Assembler). You can actually write this code in a naked asm function and just copy the memory, but I found this way easier for such a small cave.
Kod:

   DWORD push = 0x68;
   DWORD retn = 0xC3;
   
   WriteProcessMemory(process, codeCave, &push, 1, NULL); // "PUSH" opcode
   WriteProcessMemory(process, (LPVOID)((DWORD)codeCave+1), &InstructionPointer, 4, NULL); //return address
   WriteProcessMemory(process, (LPVOID)((DWORD)codeCave+5), &retn, 4, NULL); //"RETN" opcode

Now that our codecave is in place, we need to do the actual hijack. Hijacking the thread is as easy as changing its instruction pointer to the address of our codecave, and then letting it resume execution.

Kod:

   threadContext.Eip = (DWORD)codeCave;

   threadContext.ContextFlags = CONTEXT_CONTROL;
   SetThreadContext(thread, &threadContext);

   ResumeThread(thread);

And boom. The thread will resume, executing our codecave before continuing with what it was doing. The only thing left to do is free our resources. However, since the thread may not be done executing we must give it some time before we free our codecave. A typical codecave will execute in a matter of nanoseconds, but being safe and waiting 2 seconds will never hurt.

Kod:

   Sleep(2000);

   VirtualFreeEx(process, codeCave, 6, MEM_DECOMMIT);
   CloseHandle(process);
   CloseHandle(thread);

And we're done.
Since I didn't unify everything in this tutorial, the full source code can be found below. It will hopefully help you see how everything ties together and better your understanding of thread injection.
Kod:
#include <iostream>
#include <tchar.h>
#include <windows.h>

using namespace std;

//thanks to http://en.wikipedia.org/wiki/Win32_Thread_Information_Block
struct partialTIB
{
   DWORD SEHFrame;
   DWORD StackTopPointer;
   DWORD StackBottomPointer;
   DWORD Unknown;
   DWORD FiberData;
   DWORD ArbitraryDataSlot;
   DWORD LinearAddressOfTIB; //This is the linear address of this block of data!
   DWORD EnviromentPointer;
   DWORD ProcessID;
   DWORD CurrentThreadID; //This is what we need, so we'll stop here
};


partialTIB GetWindowThreadInformation(char* windowName)
{
    DWORD pointerTID, procID;
   partialTIB TIB;

    HWND windowHandle = FindWindowA(NULL, windowName);
    GetWindowThreadProcessId(windowHandle, &procID);


   //The FS register points to the ThreadInformationBlock
   //As you may recall from our structure, offset 0x18 is the linear address of the TIB
   //So if we get read from FS + 0x18, we can find the address of this block in a remote proccess and
   //get the current thread of that proccess
    _asm
   {
     MOV EAX, FS:[0x18]
     MOV [pointerTID], EAX
    }

    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, false, procID);
    ReadProcessMemory(hProcess, (const void*)pointerTID, &TIB, sizeof(partialTIB), NULL);
    CloseHandle(hProcess);

    return TIB;
}

HANDLE OpenAndSuspendThread(DWORD threadID)
{
   HANDLE thread = OpenThread((THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT), false, threadID);
   SuspendThread(thread);
   return thread;
}

LPVOID CreateCodeCave(HANDLE process, DWORD InstructionPointer)
{
   LPVOID codeCave = VirtualAllocEx(process, NULL, 6, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
   
   DWORD push = 0x68;
   DWORD retn = 0xC3;
   
   WriteProcessMemory(process, codeCave, &push, 1, NULL); // "PUSH" opcode
   WriteProcessMemory(process, (LPVOID)((DWORD)codeCave+1), &InstructionPointer, 4, NULL); //return address
   WriteProcessMemory(process, (LPVOID)((DWORD)codeCave+5), &retn, 4, NULL); //"RETN" opcode

   return codeCave;
}

CONTEXT RetriveThreadControlContext(HANDLE thread)
{
   CONTEXT threadContext;
   threadContext.ContextFlags = CONTEXT_CONTROL;
   GetThreadContext(thread, &threadContext);
   return threadContext;
}

int _tmain(int argc, _TCHAR* argv[])
{
   char windowTitle[128];
   cout << "Enter the title of the window to inject the code into:" << endl;
   cin >> windowTitle;
   cout << endl;
   
   partialTIB TIB = GetWindowThreadInformation(windowTitle);
   cout << "Detected proc: " << TIB.ProcessID << endl;
   cout << "Detected thread: " << TIB.CurrentThreadID << endl;


   HANDLE thread = OpenAndSuspendThread(TIB.CurrentThreadID);
   CONTEXT threadContext = RetriveThreadControlContext(thread);

   HANDLE process = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, false, TIB.ProcessID);
   LPVOID codeCave = CreateCodeCave(process, threadContext.Eip);

   threadContext.Eip = (DWORD)codeCave;

   threadContext.ContextFlags = CONTEXT_CONTROL;
   SetThreadContext(thread, &threadContext);

   ResumeThread(thread);
   Sleep(2000);

   VirtualFreeEx(process, codeCave, 6, MEM_DECOMMIT);
   CloseHandle(process);
   CloseHandle(thread);


   while (true)
      Sleep(100);
   return 0;
}


I hope you guys enjoyed this tutorial.
I have many other, more advanced things I would love to make tutorials about, but it will depend on the response I get from this one - all feedback is welcome!

Thanks for reading.
//DarkstaR
[/quote]


Hello Kitty
vs
eMoStyLe



avatar
Hello EMO
EMO Team
EMO Team

Cinsiyet : Erkek
Burçlar : Yay
Yılan
Mesaj Sayısı : 935
Puan : 250393
Rep Puanı : 18
Doğum tarihi : 28/11/89
Kayıt tarihi : 21/07/09
Yaş : 27
Nerden : EMO WorlD
İş/Hobiler : RCE Student / Game Hacking / Learn Beginner C#,C++,Delphi
Lakap : EMO

Kullanıcı profilini gör http://emostyle.myforumpro.com

Sayfa başına dön Aşağa gitmek

Önceki başlık Sonraki başlık Sayfa başına dön


 
Bu forumun müsaadesi var:
Bu forumdaki mesajlara cevap veremezsiniz