I am trying here to make my executable run in the guise of svchost.exe. I believe everyone here should be aware of this technique (start the real svchost.exe suspended, copy your own sections into the created process and resume the thread).
It works as long as no packing is applied to my custom executable. When I pack my exe with upx/mpress, the forked instance (code running in the Windows svchost.exe) cannot catch C++ exceptions. Throwing an exception results in termination of the application.
There was another problem - even the original non-packed file did not work; to make it work I had to compile it with the name svchost.exe (the module name is stored somewhere in the PE). Doing that made the injected uncompressed image process exceptions just fine. Fyyre gave me the idea that it could be DEP that is messing things around, and surely, when I changed the protection flags to PAGE_EXECUTE_READWRITE for the whole image copied into the Windows svchost.exe process, it works even with the name changed. I do not know if this problem is relevant, but maybe..
Does anyone have any ideas what could be killing exception support in this situation?
I attached my test executables; it would be cool if anyone got curious enough to poke around, since I am out of ideas completely..
EDIT:
I forgot to mention what the test files do and should do, so here it goes:
The process starts svchost.exe suspended, injects itself and resumes the process. The resumed process will then, in a 'try' clause, throw an exception, and if it is successfully caught a message box should appear signaling success. There are also some debugging messages to be seen via dbgview.