
Code injection problem


garph0
October 31st, 2000, 14:42
Hello, I'm coding a little code injector which also works under Win9x, so I can't use VirtualAllocEx() and CreateRemoteThread().
I used a technique like the one Iceman was talking about in iceman1.htm on Fravia's site (it was 1998, I think):
1) save the original page and the thread context
2) copy your code onto that page
3) change the context's EIP to run your code
4) put everything back like the original code

I've done it rather successfully, but I've got a problem:
when I inject my code into a thread that is stopped while it's lost somewhere in the kernel, my code is executed OK, but I get an access violation when resuming the original thread, while if I can stop it while it is inside the program code all goes well.
I noticed that the problem also arises when I modify a program that loads some DLLs after my intervention... I cannot understand why this happens... Can somebody
1) tell me how to prevent this
or
2) suggest a method to detect when a process has done its initial work with DLLs and so on?

Excuse me for my poor English, and thank you.

garph0

The Owl
October 31st, 2000, 15:06
Did you take care of the remote thread's stack (as in 'memory', not 'ESP') as well? I.e., make sure you don't modify anything that's at/above the current ESP (of the remote thread).

garph0
November 1st, 2000, 07:20
Quote:
The Owl (10-31-2000 04:06 a.m.):
Did you take care of the remote thread's stack (as in 'memory', not 'ESP') as well? I.e., make sure you don't modify anything that's at/above the current ESP (of the remote thread).

garph0
November 1st, 2000, 07:30
Sorry about the previous message... I hit Enter before starting my reply.

Actually, what I insert in the target process is just an INT 1 to make SoftICE pop up and verify the code gets executed; later I think I will inject a LoadLibrary call and do the heavy work comfortably from a DLL.
Anyhow, thank you for the stack suggestion; a little question: if I make some room for my local variables under the ESP I shouldn't have problems, am I right?

Thank you.

garph0

The Owl
November 2nd, 2000, 15:54
Yes, below the ESP it should be safe (although you'll leave your traces there; some smart software might decide to detect such attempts one day ;-).
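The four-step procedure from the first post, combined with the stack rule from this reply, as an added example in C (this is not garph0's injector nor The Owl's code, and it is not the Iceman text). It assumes the scratch page is the page containing the remote thread's EIP, that the stub signals completion by parking on a `jmp $`, that the caller supplies the upper bound of the remote stack (`stack_top`), and that 256 bytes of scratch below ESP is enough for the payload's locals. Only APIs present on Win9x are used (no VirtualAllocEx, no CreateRemoteThread); the Win32 routine is compiled only on 32-bit Windows, the planning helpers are portable C.

```c
/* Added example (not code from the original thread): context-hijack
 * injection with Win9x-era APIs, plus The Owl's "never touch memory at or
 * above the remote ESP" check.
 * Assumptions (not stated on the page): scratch page = page at EIP,
 * completion signalled by parking on jmp $, stack_top supplied by caller. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SZ        4096u
#define STACK_RESERVE  256u   /* assumed: scratch the stub may use below ESP */

/* Stub layout written into the target page:
 *   81 EC imm32   sub esp, STACK_RESERVE ; locals live below the live stack
 *   <payload>                            ; e.g. CD 01 = int 1 (SoftICE), CC = int3
 *   EB FE         jmp $                  ; park until the injector restores us
 * Returns the stub length, or 0 if it does not fit in `cap` bytes. */
size_t build_stub(uint8_t *out, size_t cap, const uint8_t *payload, size_t plen)
{
    size_t n = 0;
    uint32_t reserve = STACK_RESERVE;
    if (cap < plen + 8) return 0;
    out[n++] = 0x81; out[n++] = 0xEC;           /* sub esp, imm32 */
    memcpy(out + n, &reserve, 4); n += 4;       /* little-endian immediate */
    memcpy(out + n, payload, plen); n += plen;  /* the caller's payload */
    out[n++] = 0xEB; out[n++] = 0xFE;           /* jmp $ */
    return n;
}

/* The Owl's rule: never write at or above the remote thread's ESP.
 * Returns 1 if [addr, addr+len) overlaps the live stack [esp, stack_top). */
int clobbers_live_stack(uint32_t addr, size_t len, uint32_t esp, uint32_t stack_top)
{
    uint32_t end = addr + (uint32_t)len;
    return addr < stack_top && end > esp;
}

/* The payload has run once the remote EIP sits on the final jmp $. */
int stub_parked(uint32_t eip, uint32_t stub_addr, size_t stub_len)
{
    return eip == stub_addr + (uint32_t)stub_len - 2;
}

#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>

/* Steps 1-4 of the first post. hThread must belong to hProc and the caller
 * must know stack_top (e.g. from the target's TIB); both are assumptions. */
int inject_via_context(HANDLE hProc, HANDLE hThread, uint32_t stack_top,
                       const uint8_t *payload, size_t plen)
{
    CONTEXT ctx, cur;
    uint8_t saved[PAGE_SZ], stub[64];
    DWORD old, page;
    SIZE_T io;
    size_t n = build_stub(stub, sizeof stub, payload, plen);

    if (n == 0 || SuspendThread(hThread) == (DWORD)-1) return 0;
    ctx.ContextFlags = CONTEXT_FULL;
    if (!GetThreadContext(hThread, &ctx)) goto fail;            /* step 1: save context */
    page = ctx.Eip & ~(PAGE_SZ - 1);
    if (clobbers_live_stack(page, PAGE_SZ, ctx.Esp, stack_top)) goto fail;
    if (!ReadProcessMemory(hProc, (LPCVOID)page, saved, PAGE_SZ, &io)) goto fail; /* step 1: save page */
    if (!VirtualProtectEx(hProc, (LPVOID)page, PAGE_SZ, PAGE_EXECUTE_READWRITE, &old)) goto fail;
    if (!WriteProcessMemory(hProc, (LPVOID)page, stub, n, &io)) goto fail;        /* step 2: copy code */
    cur = ctx;
    cur.Eip = page;                                                                 /* step 3: redirect EIP */
    if (!SetThreadContext(hThread, &cur)) {
        WriteProcessMemory(hProc, (LPVOID)page, saved, PAGE_SZ, &io);
        goto fail;
    }
    ResumeThread(hThread);
    for (;;) {                                  /* poll until the stub parks on jmp $ */
        Sleep(10);
        SuspendThread(hThread);
        cur.ContextFlags = CONTEXT_CONTROL;
        GetThreadContext(hThread, &cur);
        if (stub_parked(cur.Eip, page, n)) break;
        ResumeThread(hThread);
    }
    WriteProcessMemory(hProc, (LPVOID)page, saved, PAGE_SZ, &io);                  /* step 4: restore page */
    VirtualProtectEx(hProc, (LPVOID)page, PAGE_SZ, old, &old);
    SetThreadContext(hThread, &ctx);                                                /* ... and context */
    ResumeThread(hThread);
    return 1;
fail:
    ResumeThread(hThread);
    return 0;
}
#endif
```

A payload of `CD 01` reproduces the INT 1 test from the thread. The polling loop matters for the case raised in the first post: a thread suspended inside a kernel wait only reaches the stub when it returns to user mode, so the injector must wait for EIP to land on the `jmp $` rather than assume the payload ran after a fixed delay; restoring the saved CONTEXT (ESP included) undoes the `sub esp` and leaves only the traces below ESP that The Owl mentions.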

garph0
November 3rd, 2000, 14:40
It seems I found the problem!
Gheee! I want to play with the debug API and I'm not able to use a simple printf!
So the problem was in my code, particularly in the 'trace' info I gave.
Shame on me ;( Now that I fixed that ugly printf it seems to work quite well.
Anyhow, thanks for the help; I hadn't realized that problem with ESP.
Well, now I have two more problems:
1) Can I detach from a process I have created as debugged without killing it?
2) How can I detect input idle or something like that for console apps?

Thank you, and, by the way, I was a reader of Fravia's some time ago, but life stole my playing time... Now that I'm back to reversing, it has been really nice to find you again.
garph0

The Owl
November 4th, 2000, 10:07
Quote:

1) Can I detach from a process I have created as debugged without killing it?
2) How can I detect input idle or something like that for console apps?


Welcome back then ;-).

1. As far as I know, you cannot (i.e., the MS APIs won't let you), but that doesn't mean there couldn't be a workaround. Without some reverse engineering it's hard to tell; perhaps someone else will know. Also try asking EliCZ at http://elicz.cjb.net or .tsx.org (he has his own message board).

2. No clue. Does WaitForInputIdle() not work?

garph0
November 12th, 2000, 12:16
OK people, it seems I've found the right way...
kill3xx suggested a way to emulate CreateRemoteThread() under Win9x without getting stuck with the debug APIs,
so now I'm working in that direction.
Thank you all for your help.

garph0