-
September 24th, 2007, 10:39 PM
#1
Code injection with CreateRemoteThread
I am trying to do code injection into one of my dialog application exes.
Code:
#include <windows.h>

#define cbInjectFunc 192 // assumed byte size of InjectFunc to copy over
HANDLE hProcess = 0;
HANDLE hThread = 0; // The handle and ID of the thread executing
DWORD dwThreadId = 0; // the remote InjectFunc.
DWORD dwNumBytesXferred = 0; // Number of bytes written to the remote process.
DWORD PID = 0; // Process ID of the dialog application
static DWORD WINAPI InjectFunc ()
{
//How to invoke the following function in the remote process once InjectFunc is copied into the remote process?
//GetModuleHandle(__TEXT("kernel32"));
return 0;
}
//hWnd is the handle to the dialog application exe
::GetWindowThreadProcessId( hWnd, (DWORD*)&PID );
hProcess = ::OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, PID );
// Allocate an executable buffer in the remote process and copy InjectFunc into it
DWORD *pCodeRemote;
pCodeRemote = (PDWORD) VirtualAllocEx( hProcess, 0, cbInjectFunc, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
WriteProcessMemory( hProcess, pCodeRemote, &InjectFunc, cbInjectFunc, &dwNumBytesXferred );
// Start a thread in the remote process at the copied code
hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)pCodeRemote,
0, 0 , &dwThreadId);
The remote application crashes when CreateRemoteThread is called. I couldn't find the reason.
What went wrong?
Last edited by mce; September 25th, 2007 at 12:29 AM.
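The sequence in the post above (OpenProcess, VirtualAllocEx of an executable page, WriteProcessMemory, CreateRemoteThread) is exactly what endpoint telemetry such as Sysmon Event ID 8 records: a thread created in another process whose start address is not backed by any loaded module. As an added example that is not part of the thread, here is a small Python triage script run over constructed JSON-line records whose field names follow Sysmon's CreateRemoteThread event; the sample records, the ExampleAV allowlist entry and the severity labels are assumptions for illustration.

```python
"""Triage of Sysmon Event ID 8 (CreateRemoteThread) records.

Added example, not code from the thread. The events below are constructed
JSON lines whose field names mirror Sysmon's CreateRemoteThread event.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample telemetry (not real logs). Thread 3012 is what the
# OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
# sequence from the first post looks like: the start address is a private
# allocation, so Sysmon cannot attribute it to a module (StartModule is empty).
SAMPLE_EVENTS = r"""
{"EventID": 8, "UtcTime": "2007-09-25 04:05:00.000", "SourceImage": "C:\\Users\\mce\\injector.exe", "SourceProcessId": 4120, "TargetImage": "C:\\Users\\mce\\dialog.exe", "TargetProcessId": 2388, "NewThreadId": 3012, "StartAddress": "0x00390000", "StartModule": "", "StartFunction": ""}
{"EventID": 8, "UtcTime": "2007-09-25 04:06:10.000", "SourceImage": "C:\\Tools\\dbg.exe", "SourceProcessId": 5220, "TargetImage": "C:\\Users\\mce\\dialog.exe", "TargetProcessId": 2388, "NewThreadId": 3100, "StartAddress": "0x7C801D7B", "StartModule": "C:\\Windows\\System32\\kernel32.dll", "StartFunction": "LoadLibraryA"}
{"EventID": 8, "UtcTime": "2007-09-25 04:07:42.000", "SourceImage": "C:\\Program Files\\ExampleAV\\avmon.exe", "SourceProcessId": 860, "TargetImage": "C:\\Windows\\explorer.exe", "TargetProcessId": 1440, "NewThreadId": 1500, "StartAddress": "0x02AF0000", "StartModule": "", "StartFunction": ""}
{"EventID": 1, "UtcTime": "2007-09-25 04:08:00.000", "Image": "C:\\Windows\\notepad.exe", "ProcessId": 6000}
"""

# Hypothetical allowlist of source images known to create remote threads
# legitimately in this environment (e.g. an AV/EDR agent). Tune per site.
ALLOWED_SOURCES = {r"c:\program files\exampleav\avmon.exe"}


@dataclass
class Finding:
    severity: str
    reason: str
    source_image: str
    target_image: str
    thread_id: int
    start_address: str
    start_function: str


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event: Dict, allowed_sources=ALLOWED_SOURCES) -> Optional[Finding]:
    """Return a Finding for a CreateRemoteThread event, or None if it is not one
    or its source is allowlisted."""
    if event.get("EventID") != 8:
        return None
    source = event["SourceImage"]
    if source.lower() in allowed_sources:
        return None
    module = event.get("StartModule", "")
    function = event.get("StartFunction", "")
    common = (source, event["TargetImage"], event["NewThreadId"],
              event["StartAddress"], function)
    if module == "":
        # Start address inside a private allocation: no module owns that code.
        return Finding("high", "thread starts in memory not backed by a loaded "
                       "module (as after VirtualAllocEx + WriteProcessMemory)", *common)
    if function.startswith("LoadLibrary"):
        # Thread entry is LoadLibrary itself: the DLL-injection entry point.
        return Finding("medium", "thread starts at LoadLibrary in the target", *common)
    return Finding("low", "cross-process thread into module-backed code; review source", *common)


def scan(events: Iterable[Dict], allowed_sources=ALLOWED_SOURCES) -> List[Finding]:
    """Classify every event and keep only those that produced a finding."""
    return [f for f in (classify(e, allowed_sources) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(parse_events(SAMPLE_EVENTS)):
        print(f"[{f.severity.upper()}] {f.source_image} -> {f.target_image} "
              f"tid={f.thread_id} start={f.start_address} "
              f"{f.start_function or '(unbacked)'}: {f.reason}")
```

The allowlist is matched on the lowercased source image path only; in production you would key it on a signed-image check or process GUID rather than a path, since a path is trivially spoofed.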
-
September 25th, 2007, 12:03 AM
#2
Re: Code injection with CreateRemoteThread
InjectFunc is only in your own process; it is not in the remote application.
So a lot of injection code uses the LoadLibrary API to run in the remote application, because every process has the LoadLibrary API in memory.
Best Api Monitor tool.
Trace the target program automatically and monitor the parameters of all API and COM interfaces.
Auto Debug for Windows 4.0
Auto Debug for .Net
http://www.autodebug.com/
-
September 25th, 2007, 12:23 AM
#3
Re: Code injection with CreateRemoteThread
But this is external injection. The line
WriteProcessMemory( hProcess, pCodeRemote, &InjectFunc, cbInjectFunc, &dwNumBytesXferred );
should have copied the function into the remotely allocated memory.
-
September 25th, 2007, 01:22 AM
#4
Re: Code injection with CreateRemoteThread
Basically what I want to achieve in the InjectFunc is to replace a WIN32 function address in the remote process with a similar function that is copied over by WriteProcessMemory. So when the remote application invokes the win32 function, the function that is copied into the remote address space is invoked. How can I achieve this with WriteProcessMemory?
-
September 25th, 2007, 04:05 AM
#5
Re: Code injection with CreateRemoteThread
First, you need to define your InjectFunc like this:
DWORD WINAPI InjectFunc(void* param)
{
return 0;
}
And you need to make sure this code does not include jmp, jne, call or anything else that changes eip.
-
September 25th, 2007, 05:34 AM
#6
Re: Code injection with CreateRemoteThread
Originally Posted by mce
Basically what I want to achieve in the InjectFunc is to replace a WIN32 function address in the remote process with a similar function that is copied over by WriteProcessMemory. So when the remote application invokes the win32 function, the function that is copied into the remote address space is invoked. How can I achieve this with WriteProcessMemory?
Man, I'll give you some hints.
Your remote thread must have not only code injected. The second important part is the thread data. I'll tell you why this is so important.
Say you have this code:
Code:
DWORD WINAPI RemoteThread(LPVOID pData)
{
GetModuleHandle(TEXT("kernel32.dll"));
return 0;
}
It looks clean. But is it? No. It will crash with no doubt. The problem is the text string address. It is valid for your process only, and there's no "kernel32.dll" text string existing in a remote process at the address you pass to GetModuleHandle.
The correct code looks like the following:
Code:
typedef struct _RemoteThreadData
{
TCHAR kernel32_name[128]; // string lives in the remote copy of this struct
HMODULE (WINAPI *_GetModuleHandle)(LPCTSTR); // address valid in the remote process
} RemoteThreadData, *PRemoteThreadData;
// then you must fill the remote data with valid values
// write the copy of the structure to remote process
// and pass the copied data address to remote thread
DWORD WINAPI RemoteThread(LPVOID pData)
{
PRemoteThreadData prd = (PRemoteThreadData)pData;
prd->_GetModuleHandle(prd->kernel32_name);
return 0;
}
The same thing must be done for the remote process DLL entries to be used dynamically (remember, some DLLs may be loaded at a base address different from the one in your process). Tricky.
PS. Could you give me a hint why you need that kernel32.dll module handle to be obtained in this complex way? The trivial Module32First/Next can give you MODULEENTRY32.modBaseAddr with no digging into remote thread creation things. BTW, kernel32.dll is always loaded at the same address in any process. Surprise!
PPS. I'd advise you to intercept the APIs with some proven methods. Just google for Intercept API and API hooking.
Last edited by Igor Vartanov; September 25th, 2007 at 05:50 AM.
Best regards,
Igor
-
September 25th, 2007, 08:38 PM
#7
Re: Code injection with CreateRemoteThread
 Originally Posted by Igor Vartanov
The correct code looks like the following:
Code:
typedef struct _RemoteThreadData
{
TCHAR kernel32_name[128]; // string lives in the remote copy of this struct
HMODULE (WINAPI *_GetModuleHandle)(LPCTSTR); // address valid in the remote process
} RemoteThreadData, *PRemoteThreadData;
// then you must fill the remote data with valid values
// write the copy of the structure to remote process
// and pass the copied data address to remote thread
Thanks for your hints. But what values should I initialize _GetModuleHandle with?
Use GetProcAddress to get the address of this function in the DLL within my address space!?
But since this is from kernel32, the address is the same in my process and the remote process...?
Last edited by mce; September 25th, 2007 at 09:01 PM.
-
September 26th, 2007, 03:05 AM
#8
Re: Code injection with CreateRemoteThread
 Originally Posted by mce
Thanks for your hints. But what values should I initialize _GetModuleHandle with?
Use GetProcAddress to get the address of this function in the DLL within my address space!?
Yes, exactly. 
 Originally Posted by mce
But since this is from kernel32, the address is the same in my process and the remote process...?
I see, you didn't listen to me. 
 Originally Posted by Igor Vartanov
PS. Could you give me a hint why you need that kernel32.dll module handle to be obtained in this complex way? The trivial Module32First/Next can give you MODULEENTRY32.modBaseAddr with no digging into remote thread creation things. BTW, kernel32.dll is always loaded at the same address in any process. Surprise!
This is the standard MS approach: all vital Windows system DLLs are loaded in any process at fixed base addresses specific to each such DLL.
Best regards,
Igor