SetThreadContext DLL Injection

/*
 * Stub that InjectDll() below copies byte-for-byte into the target process
 * and runs on a hijacked thread. The three 4-byte constants are placeholders
 * that InjectDll() overwrites in the copy:
 *   0xAAAAAAAA -> address of LoadLibraryA
 *   0xBBBBBBBB -> remote address of the DLL-name string
 *   0xCCCCCCCC -> rel32 displacement of the trailing JMP back to the
 *                 thread's original EIP
 * The byte layout is load-bearing: the patcher scans for these exact
 * patterns, so the asm must not be reordered or re-encoded. 32-bit x86
 * only (PUSHAD/POPAD, 32-bit immediates, EIP).
 */
void __declspec(naked) InjectFunction()
{
 __asm
 {
  PUSHAD              // save every general register of the interrupted thread
   MOV EAX, 0xAAAAAAAA //eventually the address of LoadLibraryA

   PUSH 0xBBBBBBBB //eventually the module name
   call EAX           // LoadLibraryA(name); no stack cleanup here, LoadLibraryA is stdcall

   POPAD              // restore the saved registers before returning control
   //vc is pissy and requires us to emit the hardcoded jump
   __emit 0xE9        // JMP rel32 opcode; displacement follows
   __emit 0xCC        // 4 x 0xCC = the 0xCCCCCCCC displacement placeholder patched by InjectDll()
   __emit 0xCC
   __emit 0xCC
   __emit 0xCC
 }
}

/*
 * Deliberately empty end-marker: InjectDll() computes the stub length as
 * (PBYTE)AfterFunction - (PBYTE)InjectFunction. This only works if the
 * compiler/linker emits this function directly after InjectFunction with
 * no padding in between (NOTE(review): not guaranteed under optimization or
 * function reordering). Must stay empty and must stay adjacent.
 */
void __declspec(naked) AfterFunction()
{
}

/*
 * Load DllName into process hProc by redirecting one of its threads
 * (hThread) to a copy of InjectFunction, which calls LoadLibraryA and then
 * jumps back to the thread's original EIP.
 *
 * hProc   : handle to the target process (needs VM allocate/write rights)
 * hThread : handle to a thread in hProc (needs suspend/context rights)
 * DllName : NUL-terminated path passed to LoadLibraryA in the target
 * Returns nothing and reports no errors: every API return value below is
 * ignored, so a failed allocation or write leaves the thread resumed at an
 * invalid EIP. LocalFunction is never freed (leak). 32-bit x86 only.
 *
 * From a monitoring standpoint, the observable sequence is
 * SuspendThread/GetThreadContext -> VirtualAllocEx(RWX) -> WriteProcessMemory
 * -> SetThreadContext/ResumeThread; the RWX cross-process allocation and the
 * EIP change are the signals defensive tooling keys on.
 */
void InjectDll( HANDLE hProc, HANDLE hThread, char *DllName )
{
 //hold up
 SuspendThread( hThread );

 //get the thread context
 CONTEXT ThreadContext;
 ThreadContext.ContextFlags = CONTEXT_FULL; // CONTEXT_FULL includes the control registers, so Eip is populated
 GetThreadContext( hThread, &ThreadContext );

 //copy the function to a tmp buffer
 // Relies on AfterFunction being laid out immediately after InjectFunction.
 ULONG FunctionSize = (PBYTE)AfterFunction - (PBYTE)InjectFunction;
 PBYTE LocalFunction = new BYTE[FunctionSize]; // never deleted
 memcpy( LocalFunction, InjectFunction, FunctionSize );

 //allocate a remote buffer
 // One RWX region holding [stub][DllName][NUL]; the name follows the stub at offset FunctionSize.
 PBYTE InjData =
  (PBYTE)VirtualAllocEx( hProc, NULL, FunctionSize + strlen(DllName)+1,
  MEM_COMMIT, PAGE_EXECUTE_READWRITE );

 //fixup the tmp buff
 // Scan every byte offset for the 4-byte placeholders from InjectFunction.
 // The bound is ULONG arithmetic: FunctionSize < 3 would wrap and overrun.
 // All three tests run at the same offset in sequence, so a freshly patched
 // value is re-tested against the remaining patterns.
 for( ULONG i = 0;i < FunctionSize-3; i++ )
 {
  if ( *(PULONG)&LocalFunction[i] == 0xAAAAAAAA )
  {
   // Resolved in THIS process and written into the remote copy: assumes
   // kernel32 is mapped at the same base in hProc.
   *(PULONG)&LocalFunction[i] = (ULONG)GetProcAddress( GetModuleHandle( "kernel32.dll" ), "LoadLibraryA" );
  }
  if ( *(PULONG)&LocalFunction[i] == 0xBBBBBBBB )
  {
   // Remote address of the DLL-name string (stub is followed by the name).
   *(PULONG)&LocalFunction[i] = (ULONG)InjData + FunctionSize;
  }
  if ( *(PULONG)&LocalFunction[i] == 0xCCCCCCCC )
  {
   // rel32 for the trailing JMP: target minus the remote address of the
   // end of the displacement field (&InjData[i] + 4), i.e. the next instruction.
   *(PULONG)&LocalFunction[i] = ThreadContext.Eip - ((ULONG)&InjData[i] + 4) ;
  }
 }

 //write the tmp buff + dll
 //Format: [RemoteFunction][DllName][null char]
 ULONG dwWritten; // written count is captured but never checked
 WriteProcessMemory( hProc, InjData, LocalFunction, FunctionSize, &dwWritten );
 WriteProcessMemory( hProc, InjData + FunctionSize, DllName, strlen(DllName)+1, &dwWritten );

 //set the EIP
 // Only Eip is changed; the rest of the context (registers the stub
 // preserves with PUSHAD/POPAD) is written back unchanged.
 ThreadContext.Eip = (ULONG)InjData;
 SetThreadContext( hThread, &ThreadContext );

 //resume the thread
 ResumeThread( hThread );
}

by nerd | 2007/01/16 14:46 | Garage | 트랙백 | 핑백(2) | 덧글(0)

