Hi all,
Does anyone know whether WriteProcessMemory modifies in any way the thread context of the process I'm writing to?

Greets and thanks.
Posted on 2003-04-09 21:11:38 by r00t
The problem is that SetWindowsHookEx fails if I call WriteProcessMemory on the thread and then try to set the hook. It fails in some .exe's but not in all of them.

Cya.
Posted on 2003-04-09 22:54:54 by r00t
Humm, it shouldn't change the thread context. However, in a running task, you ought to suspend all threads before WPMing, and resume them afterwards. Also note that it causes COW (Copy On Write), which means that if you're patching a DLL, you will only be changing the image of that DLL in the process you're patching, not globally.
Posted on 2003-04-10 02:42:58 by f0dder
Look at this code; it does DLL injection with SetWindowsHookEx:
(NOTE: all error checking was stripped.)

; create the target suspended so nothing runs before we patch it
invoke CreateProcess,OFFSET nomArch,OFFSET nomArch,NULL,NULL,NULL,CREATE_SUSPENDED,NULL,NULL,OFFSET proceso,OFFSET pinfo

; load the DLL into this process to obtain the hook procedure address
invoke LoadLibrary,offset nomDll
mov dllid,eax

invoke GetProcAddress,dllid,offset procname
mov procaddy,eax

invoke RegisterWindowMessage,offset nomMsg
mov hMsg,eax

; ReadProcessMemory needs PROCESS_VM_READ and WriteProcessMemory needs
; PROCESS_VM_WRITE together with PROCESS_VM_OPERATION
; (pinfo.hProcess from CreateProcess already has full access and would also do)
invoke OpenProcess,PROCESS_VM_OPERATION or PROCESS_VM_READ or PROCESS_VM_WRITE,NULL,pinfo.dwProcessId
mov hProcAb,eax

; save the two original bytes at the entrypoint
invoke ReadProcessMemory,hProcAb,puntoEnt,offset oriBytes,2,NULL

; write in the entrypoint the opcode "ebfe" (jmp $, the thread spins in place)
invoke WriteProcessMemory,hProcAb,puntoEnt,offset jmpEip,2,offset alGas

invoke ResumeThread,pinfo.hThread
mov aux,20 ; maximum tries

; wait until the process reaches the entrypoint
espero:
dec aux
jnz @F
invoke MsgErr,offset msgerrNoSync
@@:
invoke Sleep,50
mov hCon.ContextFlags,-1 ; request every context class; CONTEXT_CONTROL is all Eip needs
invoke GetThreadContext,pinfo.hThread,offset hCon
test eax,eax
jne @F
invoke MsgErr,offset msgerrNoCon
@@:
mov eax,hCon.regEip
cmp eax,puntoEnt
jne espero

invoke SetWindowsHookEx,WH_GETMESSAGE,procaddy,dllid,pinfo.dwThreadId
mov hookHan,eax

; when I post the message the hook is activated
invoke PostThreadMessage,pinfo.dwThreadId,hMsg,NULL,NULL

; write the original bytes back into the process
invoke WriteProcessMemory,hProcAb,puntoEnt,offset oriBytes,2,offset alGas
invoke Sleep,1000 ; I need to be sure the message arrived
invoke CloseHandle,pinfo.hThread
invoke CloseHandle,pinfo.hProcess
invoke UnhookWindowsHookEx,hookHan
invoke FreeLibrary,dllid

PS: This code is based on a thread found on this message board.


The problem is:
In some exe's SetWindowsHookEx fails, and in others it doesn't.

I need to patch the IAT in the process that is created, before execution starts, but the process cannot be suspended, because then the hook fails with probability 1.

Greets and thanks.

I've attached the full code.
Posted on 2003-04-11 19:42:57 by r00t
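From the defender's side, here is added detection logic (not code from this thread) that scans a constructed API-trace log for the exact sequence the post above uses: CreateProcess with CREATE_SUSPENDED, a WriteProcessMemory covering the child's entry point before ResumeThread, then SetWindowsHookEx aimed at the child's thread. The log format and its field names are assumptions made for the example.

```python
import re

# Constructed sample trace; the key=value format and field names are assumptions,
# not the output of any real tracing tool.
SAMPLE_TRACE = """\
pid=1000 api=CreateProcess flags=CREATE_SUSPENDED child_pid=2000 child_tid=2001 entry=0x401000
pid=1000 api=WriteProcessMemory target_pid=2000 addr=0x401000 size=2
pid=1000 api=ResumeThread target_tid=2001
pid=1000 api=SetWindowsHookEx hook=WH_GETMESSAGE target_tid=2001
pid=3000 api=CreateProcess flags=CREATE_SUSPENDED child_pid=4000 child_tid=4001 entry=0x401000
pid=3000 api=ResumeThread target_tid=4001
pid=5000 api=SetWindowsHookEx hook=WH_KEYBOARD target_tid=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one 'key=value key=value' trace line into a dict."""
    return dict(FIELD_RE.findall(line))

def find_entrypoint_injection(trace):
    """Return (injector_pid, child_pid) pairs whose API sequence matches, in order:
    suspended create -> write over the entry point -> resume -> hook the child's thread."""
    suspended = {}  # child_pid -> state of that suspended child
    hits = []
    for line in trace.splitlines():
        ev = parse_line(line)
        api = ev.get("api")
        if api == "CreateProcess" and "CREATE_SUSPENDED" in ev.get("flags", ""):
            suspended[ev["child_pid"]] = {"pid": ev["pid"], "tid": ev["child_tid"],
                                          "entry": int(ev["entry"], 16),
                                          "patched": False, "resumed": False}
        elif api == "WriteProcessMemory":
            st = suspended.get(ev.get("target_pid"))
            if st and st["pid"] == ev["pid"] and not st["resumed"]:
                addr, size = int(ev["addr"], 16), int(ev["size"])
                if addr <= st["entry"] < addr + size:   # the write covers the entry point
                    st["patched"] = True
        elif api == "ResumeThread":
            for st in suspended.values():
                if st["pid"] == ev["pid"] and st["tid"] == ev["target_tid"]:
                    st["resumed"] = True
        elif api == "SetWindowsHookEx":
            for child, st in suspended.items():
                if (st["pid"] == ev["pid"] and st["tid"] == ev["target_tid"]
                        and st["patched"] and st["resumed"]):
                    hits.append((st["pid"], child))
    return hits
```

The second child (4000) is created suspended and resumed but never patched or hooked, so only the first sequence is reported.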
The right order of steps (after reaching entrypoint):
Write oriBytes back
Wait till any thread in the target process enters a msg loop. Check psdk for WaitForInputIdle. (you missed this step)
SetWindowsHookEx
Post a msg
UnhookWindowsHookEx

Then again you can't guarantee your DLL is injected before any code in target process executes. So if you use msg hook, there's no need to replace the first bytes. Just wait till msg loop is established.
You can do without the message hook: why not replace the first bytes (at the entrypoint) with "invoke LoadLibrary, offset szDllName"? Of course, don't forget to copy szDllName in with WriteProcessMemory plus either VirtualAllocEx or a memory-mapped file, depending on the OS you aim at.
Posted on 2003-04-11 22:21:54 by C.Z.
r00t,

The problem is about the hProcAb variable.

Requirement for the ReadProcessMemory function
===================================

The handle must have PROCESS_VM_READ access to the process.

invoke OpenProcess,PROCESS_VM_OPERATION or PROCESS_VM_READ,NULL,pinfo.dwProcessId

Try this one.

Regards,

Vortex
Posted on 2003-04-12 03:16:13 by Vortex
Vortex:
Nothing changes when adding PROCESS_VM_READ (or PROCESS_ALL_ACCESS either).

CZ:
The main problem is:
I must inject the DLL (and execute the code in the DLL) before any instruction is executed in the target exe; that's the reason I write "ebfe" at the entrypoint and then resume the thread.
Note that SetWindowsHookEx always fails if the thread isn't running. The only way I can resume the process without it executing any instruction is writing "ebfe" at the entrypoint.


Greets and thanks all for the ideas.
Posted on 2003-04-12 16:26:59 by r00t
Hi all,
I was rethinking the SetWindowsHookEx method of DLL injection and I think it doesn't meet my needs.
Does anyone have asm code for injecting a DLL with WriteProcessMemory?
I need to patch the IAT before the exe starts running.

Greets and thanks all.
Posted on 2003-04-12 16:47:06 by r00t
I would suggest writing your code to the end of the .text segment of the exe in memory. There's usually enough 00000's there for your code. Just WPM it in, then a jump to it and back.
Posted on 2003-04-12 17:50:43 by Qages
r00t, haven't you looked at my XCOM loader yet? It does what you need, and works on both 9x and NT.
Posted on 2003-04-14 02:01:39 by f0dder
Thanks all for the replies.

f0dder: Sorry for my little hurry, and the article about XCOM is perfect. Thanks so much.

Cya all.
Posted on 2003-04-15 22:34:30 by r00t