Home › Forum › Programming › C++/C Programming › C++ Code Caving (Injecting a function into another process) | video tutorial

C++ Code Caving (Injecting a function into another process) | video tutorial

Posts 16–20 of 20 · Page 2 of 2

Originally Posted by -InSaNe-

I'd much rather do syscalls directly instead of calling wrappers which are most of the time hooked by Anti-Cheats. If you look at the exported Nt_____ functions on ntdll.dll it should be pretty obvious what you should do.

Example: Instead of calling VirtualAlloc(Ex) you can do this and call it instead:

Code:

__declspec( naked )
NTSTATUS NtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG AllocationSize, ULONG AllocationType, ULONG Protect ) {
    __asm
    {
        MOV EAX, 0x17;
        CALL fs : [0xC0];
        RETN 0x18;
    }
}


//somewhere...
if( NT_ERROR( NtAllocateVirtualMemory( 
            GetCurrentProcess(), 
            &m_pBuffer, 
            NULL,
            &dwSize,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_READWRITE ) ) ) {
    throw Exceptions::MemoryAllocationException( "Unable to alocate memory for the image" );
}

System calls are a wide field in Windows programming.

Points:

- Call IDs are specific to the computers they're running on ( Meaning you can't just use static numbers )
- x86 processes use the callgate to enter lower rings which can also be hooked ( mov fs:[c0h], mystub ) -- meaning you'll need to directly find the Cpup function that switches to x64 mode and emulate that directly or risk a hook being placed there and detecting you anyway
- On x64 systems, KiFastSystemCall is used directly ( Which can also be hooked ). To emulate it directly, you'll need to do all sort of annoying-ass calculations like determining the stack size needed to pop back to etc.
- Lastly, calling conventions for system calls differ across OSs. Windows 7 and Windows 8/8.1 differ for sure since I did do research on them.

So, yes system calls are a great way to prevent detections against applications that don't employ drivers but there's far too many variables to consider. At best, you'll only be able to make them for your PC since porting will be hell.

Originally Posted by Hitokiri~

You are completely right, I hook KiFastSystemCall myself for some other stuff... This article is pretty good: http://www.malwaretech.com/2014/06/u...g-betabot.html

If you are really worried about detection you should create your own driver and do not do anything on usermode anyways.

Originally Posted by -InSaNe-

One last point I forgot to mention is that Intel CPUs use sysenter as their method of entering lower rings and AMD uses syscall. Another reason why that's such a pain in the ass to implement.

Overall this is a job for 2 functions: one return pid s qualified name of a certain process, and one DLL injection process with a particular name (of course, this is only her job to take care of things like full path of the DLL). It is important to emphasize that can be several processes with the same name, and therefore need to have a good realization that process until it is successful. Here is an exercise in C ++ 11 I was writing, which takes into account the points I was talking about:

Code:

#include <iostream>
#include <cstdint>
#include <memory>
#include <vector>

#undef UNICODE
#include <windows.h>
#include <TlHelp32.h>

using std::uint32_t;
std::vector<uint32_t> pids(const std::string& processName, uint32_t delay = 100)
{
    std::vector<uint32_t> list;

    while (list.empty())
    {
        auto snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        PROCESSENTRY32 entry = { sizeof entry };

        if (Process32First(snapshot, &entry))
            while (Process32Next(snapshot, &entry))
                if (entry.szExeFile == processName)
                    list.push_back(entry.th32ProcessID);

        Sleep(delay); // Win32 API is extremely retarded
        CloseHandle(snapshot);
    }

    return list;
}

bool inject(const std::string& processName, std::string dll)
{
    char path[MAX_PATH] = "";
    GetFullPathName(dll.c_str(), sizeof path, path, 0);
    dll = path;

    // iterate through all matching processes. stop with the first success.
    for (auto pid : pids(processName))
    {
        const auto processFlags = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD;
        using ProcessHandle = std::unique_ptr<void, decltype(&::CloseHandle)>;
        ProcessHandle process(OpenProcess(processFlags, false, pid), CloseHandle);
        if (!process)
            continue;

        const auto memFlags = MEM_RESERVE | MEM_COMMIT;
        auto mem = VirtualAllocEx(process.get(), nullptr, dll.length() + 1, memFlags, PAGE_READWRITE);
        if (!mem)
            continue;

        auto rc = WriteProcessMemory(process.get(), mem, dll.c_str(), dll.length() + 1, nullptr);
        if (!rc)
            continue;

        auto loadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        if (!loadLibrary)
            continue;

        auto tid = CreateRemoteThread(process.get(), nullptr, 0, loadLibrary, mem, 0, nullptr);
        if (!tid)
            continue;

        return true;
    }

    return false;
}

How to use the function to inject very simple - it gets there a process where the DLL (without using full path) and returns whether the injection was successful. Use example:

Code:

std::string process;
std::cout << "Enter process name: ";
std::cin >> process;

std::string dll;
std::cout << "Enter DLL: ";
std::cin >> dll;

if (inject(process, dll))
    std::cout << "Injection succeeded" << '\n';
else
    std::cout << "Injection failed" << '\n';

uu can use notepad instewad

Posts 16–20 of 20 · Page 2 of 2

Post a Reply

Similar Threads

[Tutorial(C++)]How to call functions within another processBy radnomguywfq3 in Programming Tutorials
4Last post 18y ago
How to do OPK + Code Cave with a debugger and C++By radnomguywfq3 in C++/C Programming
4Last post 16y ago
Code for Injector; Importing DLL into ListboxBy Invidus in Visual Basic Programming
5Last post 16y ago
[REQUEST] Code Cave TutBy HeXel in WarRock - International Hacks
10Last post 18y ago
[HELP] How do I inject(???) the mods into CA?By ripper639 in Combat Arms Mods & Rez Modding
11Last post 16y ago

Tags for this Thread

#c++#code cave #executing #heap #inject #injecting #stack

Home › Forum › Programming › C++/C Programming › C++ Code Caving (Injecting a function into another process) | video tutorial

C++ Code Caving (Injecting a function into another process) | video tutorial

Posts 16–20 of 20 · Page 2 of 2

Originally Posted by -InSaNe-

Code:

__declspec( naked )
NTSTATUS NtAllocateVirtualMemory( HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG AllocationSize, ULONG AllocationType, ULONG Protect ) {
    __asm
    {
        MOV EAX, 0x17;
        CALL fs : [0xC0];
        RETN 0x18;
    }
}


//somewhere...
if( NT_ERROR( NtAllocateVirtualMemory( 
            GetCurrentProcess(), 
            &m_pBuffer, 
            NULL,
            &dwSize,
            MEM_COMMIT | MEM_RESERVE,
            PAGE_READWRITE ) ) ) {
    throw Exceptions::MemoryAllocationException( "Unable to alocate memory for the image" );
}

Originally Posted by Hitokiri~

Originally Posted by -InSaNe-

One last point I forgot to mention is that Intel CPUs use sysenter as their method of entering lower rings and AMD uses syscall. Another reason why that's such a pain in the ass to implement.

Code:

#include <iostream>
#include <cstdint>
#include <memory>
#include <vector>

#undef UNICODE
#include <windows.h>
#include <TlHelp32.h>

using std::uint32_t;
std::vector<uint32_t> pids(const std::string& processName, uint32_t delay = 100)
{
    std::vector<uint32_t> list;

    while (list.empty())
    {
        auto snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        PROCESSENTRY32 entry = { sizeof entry };

        if (Process32First(snapshot, &entry))
            while (Process32Next(snapshot, &entry))
                if (entry.szExeFile == processName)
                    list.push_back(entry.th32ProcessID);

        Sleep(delay); // Win32 API is extremely retarded
        CloseHandle(snapshot);
    }

    return list;
}

bool inject(const std::string& processName, std::string dll)
{
    char path[MAX_PATH] = "";
    GetFullPathName(dll.c_str(), sizeof path, path, 0);
    dll = path;

    // iterate through all matching processes. stop with the first success.
    for (auto pid : pids(processName))
    {
        const auto processFlags = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD;
        using ProcessHandle = std::unique_ptr<void, decltype(&::CloseHandle)>;
        ProcessHandle process(OpenProcess(processFlags, false, pid), CloseHandle);
        if (!process)
            continue;

        const auto memFlags = MEM_RESERVE | MEM_COMMIT;
        auto mem = VirtualAllocEx(process.get(), nullptr, dll.length() + 1, memFlags, PAGE_READWRITE);
        if (!mem)
            continue;

        auto rc = WriteProcessMemory(process.get(), mem, dll.c_str(), dll.length() + 1, nullptr);
        if (!rc)
            continue;

        auto loadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        if (!loadLibrary)
            continue;

        auto tid = CreateRemoteThread(process.get(), nullptr, 0, loadLibrary, mem, 0, nullptr);
        if (!tid)
            continue;

        return true;
    }

    return false;
}

How to use the function to inject very simple - it gets there a process where the DLL (without using full path) and returns whether the injection was successful. Use example:

Code:

std::string process;
std::cout << "Enter process name: ";
std::cin >> process;

std::string dll;
std::cout << "Enter DLL: ";
std::cin >> dll;

if (inject(process, dll))
    std::cout << "Injection succeeded" << '\n';
else
    std::cout << "Injection failed" << '\n';

uu can use notepad instewad

Posts 16–20 of 20 · Page 2 of 2

Post a Reply

Similar Threads

[Tutorial(C++)]How to call functions within another processBy radnomguywfq3 in Programming Tutorials
4Last post 18y ago
How to do OPK + Code Cave with a debugger and C++By radnomguywfq3 in C++/C Programming
4Last post 16y ago
Code for Injector; Importing DLL into ListboxBy Invidus in Visual Basic Programming
5Last post 16y ago
[REQUEST] Code Cave TutBy HeXel in WarRock - International Hacks
10Last post 18y ago
[HELP] How do I inject(???) the mods into CA?By ripper639 in Combat Arms Mods & Rez Modding
11Last post 16y ago

Tags for this Thread

#c++#code cave #executing #heap #inject #injecting #stack