A forum for reverse engineering, OS internals and malware analysis 
 #26526  by EP_X0FF
 Sun Aug 16, 2015 6:29 am
Nice, does it work on win10?
 #26528  by kerpow1
 Sun Aug 16, 2015 9:23 am
Looking at the code, it will just work on Win7, but it looks very good :)
 #26533  by EP_X0FF
 Mon Aug 17, 2015 4:12 am
The question was about the method, not this code exactly. As far as I remember, all the secret is a "call eax/rax" inside an Explorer function, which makes it interesting to see if Win10 CFG handles this.
 #26536  by p4r4n0id
 Mon Aug 17, 2015 9:28 am
Sorry for the late response guys,

It wasn't tested on Windows 10 yet, but I don't think there will be any problem with CFG (as EP_X0FF said, due to the call eax/rax).

Will check and let you know,

Thanks for your feedback guys,

p4r4n0id
 #26548  by Brock
 Mon Aug 17, 2015 11:35 pm
It will be interesting to see if immersive UI/modern UI apps like having their windows played with. I just checked Windows 10 and Explorer is immersive, but it's not a traditional metro app (to inject into these, the DLL must have the ALL APPLICATION PACKAGES group added to the file permissions and contain no manifest). Explorer still allows any DLL to be injected, so it doesn't follow the strict rules of DLL loading that traditional metro apps require. Interesting code, keep us updated.
 #28709  by jacks.alex
 Sun Jun 19, 2016 2:22 pm
Code:
PVOID KiUserApcDispatcher = (PVOID)GetProcAddress(LoadLibrary(_T("ntdll.dll")), "KiUserApcDispatcher");
PVOID WriteProcessMemory = (PVOID)GetProcAddress(LoadLibrary(_T("kernel32.dll")), "WriteProcessMemory");
PVOID ntchkstk = (PVOID)GetProcAddress(LoadLibrary(_T("ntdll.dll")), "_chkstk");
PVOID atan = (PVOID)GetProcAddress(LoadLibrary(_T("ntdll.dll")), "atan");
PVOID LoadLibraryAddr = (PVOID)GetProcAddress(LoadLibrary(_T("kernel32.dll")), "LoadLibraryA");
What about ASLR?
 #28714  by Vrtule
 Sun Jun 19, 2016 7:40 pm
Hello,

With a slight modification, you can use the result of the GetProcAddress calls as an offset into the corresponding DLLs (kernel32.dll, ntdll.dll).
Code:
#include <windows.h>

/* Returns the offset of RoutineName from the base of an already loaded
   module, or 0 if the module is not loaded or the export is not found. */
ULONG_PTR GetRoutineOffset(PWCHAR LibraryName, PCHAR RoutineName)
{
  ULONG_PTR ret = 0;
  HMODULE modHandle = GetModuleHandleW(LibraryName);

  if (modHandle != NULL) {
    FARPROC routine = GetProcAddress(modHandle, RoutineName);
    /* Without this check a missing export would yield a bogus non-zero offset. */
    if (routine != NULL)
      ret = (ULONG_PTR)routine - (ULONG_PTR)modHandle;
  }

  return ret;
}
The routine uses GetModuleHandle rather than the LoadLibrary function to get module handles. You usually do not need to call LoadLibrary for kernel32.dll and ntdll.dll, since they are loaded in nearly all processes (ntdll.dll is, at least).

If you get the offsets, you can then obtain the base addresses of the modules in the target process. Use the Tool Help Library (CreateToolHelp32Snapshot, Module32First, Module32Next). Then you get the addresses of the routines in the address space of the target process.
 #28725  by jacks.alex
 Tue Jun 21, 2016 8:35 am
CreateToolHelp32Snapshot, Module32First, Module32Next, OpenProcess FOR READ (without ASLR bypass there is no need for it in this code), so what all this was for, I don't know...
 #28726  by jacks.alex
 Tue Jun 21, 2016 8:37 am
"Injection without reading memory from the target process": without ASLR bypass it will not work, and to bypass ASLR it is necessary to read the memory of the target process.