[ptr]

I'm trying to inject my exe payload into remote process. I allocated memory in remote process, I converted raw payload using RVA addressation. I applayed relocations and imports table.

When I'm testing my solution in Windows 10 environment it works fine. Exe is injected and it runs properly, and shows me message box.

But when I'm trying to do the same on Windows 7 64bit(loader, payload and target are compiled in 0x86 mode), I have an error:

Access violation executing location 0x7698FD1E

I checked, and this address is an MessageBoxA function's address from user32.dll library

Here is my main code to inject pe to remote process:

Code: Select all

char* target_n = "InjectTarget.exe";
    char* payload_path  = "C:\\Users\\pb\\source\\repos\\pe-dumper\\Debug\\DummyApp.exe";

    FILE* raw_payload = get_file_buffer(payload_path);
    PIMAGE_NT_HEADERS inth = get_nt_headers(raw_payload);

    DWORD kImageSize = inth->OptionalHeader.SizeOfImage;
    DWORD kTargetProcId = get_process_id(target_n);

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, kTargetProcId);
    if (hProcess == NULL) {
        printf("Error: Process handle is NULL\n");
    }

    LPVOID imageBaseRemote = VirtualAllocEx(hProcess, NULL, kImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (imageBaseRemote == NULL) {
        printf("Error: Image base remote is NULL\n");
    }

    LPVOID imageBaseLocal = VirtualAlloc(NULL, kImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    copy_raw_to_image_local(imageBaseLocal, raw_payload);
    adjust_relocations(imageBaseRemote, imageBaseLocal);
    adjust_imports(imageBaseLocal);

    DWORD bytesWritten;
    if (!WriteProcessMemory(hProcess, imageBaseRemote, imageBaseLocal, kImageSize, &bytesWritten)) {
        printf("Cannot write to remote process!\n");
    }

    LPTHREAD_START_ROUTINE routine = ((ULONG_PTR)imageBaseRemote + inth->OptionalHeader.AddressOfEntryPoint);

    DWORD threadId;
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, routine, NULL, NULL, &threadId);

    if (hThread == NULL) {
        printf("%d", GetLastError());
    }

    VirtualFree(imageBaseLocal, kImageSize, MEM_RELEASE);
    fclose(raw_payload);

Why these differences between windows 10 and windows 7 appears?

[Vrtule]

If I am reading your code correctly, you are resolving imports based on libraries loaded into your process, not the target one. Due to ASLR or a colision of base addresses of multiple DLLs, user32.dll may be placed on different virtual address in the target process.

[ptr]

I'm also think (as you mentioned) that the any imported dll can be placed in different address space...but the application which I'm injecting is a simmple application which only shows message box. It has only one required dll which is user32.dll. As I found - the user32.dll and the kernel32.dll are placed in the same address for all running process, so my loader can call LoadLibrary func, and then get MessageBoxA function's address using GetProcAddress, and then it can use this address to update the Import Table of injected app. So it should works.

The error's code number I'm getting is 0x5 which is "Access is denied."

[Vrtule]

The error's code number I'm getting is 0x5 which is "Access is denied."

Which function call produces this error?

[ptr]

Error details from Visual Studio during debugging: Access violation executing location 0x7698FD1E

The 0x7698FD1E is an address of MesssageBoxA function from user32.dll