C++ Code Caving (Injecting a function into another process) | video tutorial

[Hitokiri~]

I'd much rather do syscalls directly instead of calling wrappers which are most of the time hooked by Anti-Cheats. If you look at the exported Nt_____ functions on ntdll.dll it should be pretty obvious what you should do.

Example: Instead of calling VirtualAlloc(Ex) you can do this and call it instead:

Code:

__declspec( naked )
NTSTATUS NtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG AllocationSize, ULONG AllocationType, ULONG Protect ) {
    __asm
    {
        MOV EAX, 0x17;
        CALL fs : [0xC0];
        RETN 0x18;
    }
}


//somewhere...
if( NT_ERROR( NtAllocateVirtualMemory( 
            GetCurrentProcess(), 
            &m_pBuffer, 
            NULL,
            &dwSize,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_READWRITE ) ) ) {
    throw Exceptions::MemoryAllocationException( "Unable to alocate memory for the image" );
}

System calls are a wide field in Windows programming.

Points:

- Call IDs are specific to the computers they're running on ( Meaning you can't just use static numbers )
- x86 processes use the callgate to enter lower rings which can also be hooked ( mov fs:[c0h], mystub ) -- meaning you'll need to directly find the Cpup function that switches to x64 mode and emulate that directly or risk a hook being placed there and detecting you anyway
- On x64 systems, KiFastSystemCall is used directly ( Which can also be hooked ). To emulate it directly, you'll need to do all sort of annoying-ass calculations like determining the stack size needed to pop back to etc.
- Lastly, calling conventions for system calls differ across OSs. Windows 7 and Windows 8/8.1 differ for sure since I did do research on them.

So, yes system calls are a great way to prevent detections against applications that don't employ drivers but there's far too many variables to consider. At best, you'll only be able to make them for your PC since porting will be hell.

[MarkHC]

System calls are a wide field in Windows programming.

Points:

- Call IDs are specific to the computers they're running on ( Meaning you can't just use static numbers )
- x86 processes use the callgate to enter lower rings which can also be hooked ( mov fs:[c0h], mystub ) -- meaning you'll need to directly find the Cpup function that switches to x64 mode and emulate that directly or risk a hook being placed there and detecting you anyway
- On x64 systems, KiFastSystemCall is used directly ( Which can also be hooked ). To emulate it directly, you'll need to do all sort of annoying-ass calculations like determining the stack size needed to pop back to etc.
- Lastly, calling conventions for system calls differ across OSs. Windows 7 and Windows 8/8.1 differ for sure since I did do research on them.

So, yes system calls are a great way to prevent detections against applications that don't employ drivers but there's far too many variables to consider. At best, you'll only be able to make them for your PC since porting will be hell.

You are completely right, I hook KiFastSystemCall myself for some other stuff... This article is pretty good: https://www.malwaretech.com/2014/06/u...g-betabot.html

If you are really worried about detection you should create your own driver and do not do anything on usermode anyways.

[Hitokiri~]

You are completely right, I hook KiFastSystemCall myself for some other stuff... This article is pretty good: https://www.malwaretech.com/2014/06/u...g-betabot.html

If you are really worried about detection you should create your own driver and do not do anything on usermode anyways.

One last point I forgot to mention is that Intel CPUs use sysenter as their method of entering lower rings and AMD uses syscall. Another reason why that's such a pain in the ass to implement.

[AgresivD]

Overall this is a job for 2 functions: one return pid s qualified name of a certain process, and one DLL injection process with a particular name (of course, this is only her job to take care of things like full path of the DLL). It is important to emphasize that can be several processes with the same name, and therefore need to have a good realization that process until it is successful. Here is an exercise in C ++ 11 I was writing, which takes into account the points I was talking about:

Code:

#include <iostream>​
#include <cstdint>​
#include <memory>​
#include <vector>​
​
#undef UNICODE​
#include <windows.h>​
#include <TlHelp32.h>​
​
using std::uint32_t;​
std::vector<uint32_t> pids(const std::string& processName, uint32_t delay = 100)​
{​
    std::vector<uint32_t> list;​
​
    while (list.empty())​
    {​
        auto snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);​
        PROCESSENTRY32 entry = { sizeof entry };​
​
        if (Process32First(snapshot, &entry))​
            while (Process32Next(snapshot, &entry))​
                if (entry.szExeFile == processName)​
                    list.push_back(entry.th32ProcessID);​
​
        Sleep(delay); // Win32 API is extremely retarded​
        CloseHandle(snapshot);​
    }​
​
    return list;​
}​
​
bool inject(const std::string& processName, std::string dll)​
{​
    char path[MAX_PATH] = "";​
    GetFullPathName(dll.c_str(), sizeof path, path, 0);​
    dll = path;​
​
    // iterate through all matching processes. stop with the first success.​
    for (auto pid : pids(processName))​
    {​
        const auto processFlags = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD;​
        using ProcessHandle = std::unique_ptr<void, decltype(&::CloseHandle)>;​
        ProcessHandle process(OpenProcess(processFlags, false, pid), CloseHandle);​
        if (!process)​
            continue;​
​
        const auto memFlags = MEM_RESERVE | MEM_COMMIT;​
        auto mem = VirtualAllocEx(process.get(), nullptr, dll.length() + 1, memFlags, PAGE_READWRITE);​
        if (!mem)​
            continue;​
​
        auto rc = WriteProcessMemory(process.get(), mem, dll.c_str(), dll.length() + 1, nullptr);​
        if (!rc)​
            continue;​
​
        auto loadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");​
        if (!loadLibrary)​
            continue;​
​
        auto tid = CreateRemoteThread(process.get(), nullptr, 0, loadLibrary, mem, 0, nullptr);​
        if (!tid)​
            continue;​
​
        return true;​
    }​
​
    return false;​
}

How to use the function to inject very simple - it gets there a process where the DLL (without using full path) and returns whether the injection was successful. Use example:

Code:

std::string process;​
std::cout << "Enter process name: ";​
std::cin >> process;​
​
std::string dll;​
std::cout << "Enter DLL: ";​
std::cin >> dll;​
​
if (inject(process, dll))​
    std::cout << "Injection succeeded" << '\n';​
else​
    std::cout << "Injection failed" << '\n';​

[fall3n angel]

uu can use notepad instewad