Digging out an unexported operating-system function to take injection all the way - vulnerability warning - the black bar safety net

2008-01-03T00:00:00
ID MYHACK58:62200817997
Type myhack58
Reporter 佚名 (anonymous)
Modified 2008-01-03T00:00:00

Description

InjectCode for Win9x. Article author: Anskya. Original source: the 看雪 (Kanxue) forum. Please keep this notice when reproducing. Thank you.

There are many injection methods these days, but they boil down to three:
1. Map the code into the target and then create a remote thread.
2. Use a message hook to get a DLL loaded into the target.
3. Use the Debug API (GetThreadContext/SetThreadContext) to change a thread's context so it starts executing your code.

Under Win9x, though, almost everything uses the message-hook approach. Of course, the EliRT released by EliCZ lets us use CreateRemoteThread-style injection under Win9x as well... What follows is yet another simple injection method: using the system's internal (unexported) function for creating a remote thread.

I won't go through a pile of theory here; for the background see EliCZ's article... The injection method used here is, of course, not mentioned in his article...

1. Principle. [1] Locating the target. Since this is about creating something in another process, our first suspicion falls on the Debug API: how does it debug a remote process (DebugActiveProcess, for example), how does it suspend the target process... so we reverse the function in the target. (For this question, look at the related articles on exetools, where it is discussed.)

(This is the disassembly of the DebugActiveProcess function; only the key part of the analysis is attached here.) It actually sits a few lines into DebugActiveProcess; find the position and analyze it yourself.

Code:--------------------------------------------------------------------------------
; IDA output:
;.text:BFF9490D push 8                    ; const
;.text:BFF9490F push edi
;.text:BFF94910 push offset sub_BFF9494D  ; thread
;.text:BFF94915 push 0FFFFF000h           ; tells the kernel to allocate the stack
;.text:BFF9491A push edi                  ; pdb
;.text:BFF9491B call CreateRemoteThread9x ; arbitrary name
;0xE8 = call; 0x57 = push edi; 0xFFFF = higher part of 0xFFFFF000
Signature: 0E857FFFFh (Can't read it? Reverse this function yourself and you'll see... it's hex. How do I make IDA show the opcode bytes here??? It doesn't seem to display them...)
--------------------------------------------------------------------------------

At least, tracing showed that this function is not a Windows export, so we cannot call it directly (at least not by looking up its address with GetProcAddress... but we can locate the function's address ourselves and pass in the parameters; the analysis code is in the following section).

2. Positioning. With the principle known, the reverse analysis begins... The target of the analysis is a very scary foreign "backdoor" program, Spirit (reverse connection + remote code injection; it uploads a DLL or EXE and runs it... size: 1.55 k; it has registry-add and self-delete functions... and supports process insertion under Win9x, which made me curious about it from the start ^_^).

The key function from the reverse analysis, as dumped from OllyDbg:

Code:--------------------------------------------------------------------------------
00400158 68 40000000      push 40
0040015D 68 00300008      push 8003000
00400162 68 D5050000      push 5D5
00400167 57               push edi
00400168 FF15 42144000    call [401442]                   ; kernel32.VirtualAlloc
0040016E 68 08000000      push 8
00400173 57               push edi
00400174 50               push eax
00400175 57               push edi
00400176 68 D1040000      push 4D1
0040017B 8D15 0E114000    lea edx, [40110E]               ; this address is the memory address of the code to be inserted
00400181 52               push edx
00400182 50               push eax
00400183 56               push esi
00400184 FF15 32144000    call [401432]                   ; kernel32.WriteProcessMemory
0040018A FF15 3E144000    call [40143E]                   ; kernel32.GetCurrentProcessId
00400190 64:3305 30000000 xor eax, fs:[30]
00400197 31C3             xor ebx, eax
00400199 8B35 3A144000    mov esi, [40143A]               ; kernel32.DebugActiveProcess
0040019F 46               inc esi
004001A0 813E FFFF57E8    cmp dword ptr [esi], E857FFFF   ; compare against the CreateRemoteThread9x signature in memory
004001A6 ^75 F7           jnz short 0040019F              ; not equal: keep scanning
004001A8 AD               lods dword ptr [esi]            ; found: fetch the address that follows (two lodsd)
004001A9 AD               lods dword ptr [esi]
004001AA 01F0             add eax, esi
004001AC 68 00F0FFFF      push -1000
004001B1 53               push ebx
004001B2 FFD0             call eax
004001B4 57               push edi
004001B5 50               push eax
004001B6 8B35 2A144000    mov esi, [40142A]               ; kernel32.OpenProcess
004001BC 46               inc esi
004001BD 813E 50FF32E8    cmp dword ptr [esi], E832FF50
004001C3 ^75 F7           jnz short 004001BC
004001C5 AD               lods dword ptr [esi]
004001C6 AD               lods dword ptr [esi]
004001C7 01F0             add eax, esi
004001C9 53               push ebx
004001CA FFD0             call eax                        ; call the function
004001CC 61               popad
004001CD C3               retn
--------------------------------------------------------------------------------

3. Implementation. I won't say much about the reversed code above; just write it out again and it's done... since we now have the whole of the injected code...

[1] Allocating space in the remote process (C implementation). I won't say more about WinNT; everyone knows that part. The key is Win9x. Reverse-analyzing the Chinese Hacker virus shows CreateKernelThread creating a thread... and the MoveDataToKnl function (written by WHG; see the ChineseHacker code for the specifics).

But that doesn't seem able to get code injected inside other processes... Well, after googling for articles: under the Win9x kernel, memory above 0x8000000 is transparent (shared) to every process? Why? Better not ask me, I don't know... I'm a newbie...

So the allocation part of the disassembly above is:

Code:--------------------------------------------------------------------------------
00400158 68 40000000      push 40
0040015D 68 00300008      push 8003000
00400162 68 D5050000      push 5D5
00400167 57               push edi
00400168 FF15 42144000    call [401442]                   ; kernel32.VirtualAlloc
--------------------------------------------------------------------------------

Ah, well... let's write the concrete code:

Code:--------------------------------------------------------------------------------
#include <windows.h>

/* GetVersion() has its high bit set on Win9x. There is no VirtualAllocEx
   there, so allocate in our own process with the 0x8000000 flag, which
   places the block in the arena that is visible to every process. */
LPVOID My_VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, DWORD dwSize,
                         DWORD flAllocationType, DWORD flProtect)
{
    if (GetVersion() > 0x80000000) {
        return VirtualAlloc(lpAddress, dwSize, 0x8000000 + MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    } else {
        return VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect);
    }
}

/* Note: with MEM_RELEASE the Win32 API requires dwSize to be 0. */
BOOL My_VirtualFreeEx(HANDLE hProcess, LPVOID lpAddress, DWORD dwSize, DWORD dwFreeType)
{
    if (GetVersion() > 0x80000000) {
        return VirtualFree(lpAddress, dwSize, MEM_RELEASE);
    } else {
        return VirtualFreeEx(hProcess, lpAddress, dwSize, dwFreeType);
    }
}
--------------------------------------------------------------------------------

Note that under Win9x, allocating and freeing the space no longer needs an OpenProcess beforehand.... There is another way to allocate space under Win9x: the SharedMemoryAlloc function. It doesn't seem to be in the Windows headers, but everyone can import it from the exports of ComCtl32.dll... The function is very simple to use: just one parameter, the length of the space to allocate...

The code that creates the remote thread is in the attachment.... (Is it really necessary to write out the OllyDbg disassembly above all over again???)

For the concrete sample code, see the attachment: it injects code into Notepad.... Supports injection under Win9x.

References:
[1] EliCZ, the EliRT code; home page: see the link on the 看雪 (Kanxue) forum.
[2] y0da, the Invisibility code; home page: see the link on the 看雪 (Kanxue) forum.


Finally, the full source, which I can now upload:

Code:--------------------------------------------------------------------------------
;======================================================
;Remote thread injection dialog box demo Ex By Anskya
;Support Win9x under code injection..
;Email:Anskya@Gmail.com
;======================================================
.586
.model flat
locals @@
include \D.N.ASM\include\useful.inc
include \D.N.ASM\include\MZ.INC
include \D.N.ASM\include\PE.INC
.data
notepad db 'Notepad',0
injected:
;int 3
pushad

call @@delta
@@delta:
pop ebp
sub ebp,offset @@delta

push 0
lea eax,[ebp+offset cap]
push eax
lea eax,[ebp+offset msg]
push eax
push 0
call [ebp+__MessageBoxA]
@@Exit:
push 0
call [ebp+__ExitThread]
;_invoke [ebp+__ExitThread],0
popad
ret
;------------------Using the data----------------------------------

msg db "[*] Hello World Coder! (C) Anskya.", 0dh,0ah,0
cap db "MsgBox By Anskya",0

k32_api:
db 'kernel32',0
__ExitThread dd 0058F9201h
__WinExec dd 028452C4Fh
__OpenProcess dd 033D350C4h
__WriteProcessMemory dd 00E9BBAD5h
dd 0

u32_api:
db 'user32',0
__MessageBoxA dd 0D8556CF7h
__FindWindowA dd 085AB3323h
__GetWindowThreadProcessId dd 07B46AF5Eh
dd 0

injected_size equ $-injected
.code
public c entry
entry:
;------- Get the associated API function
lea eax,k32_api
push eax
call get_apicrc
lea eax,u32_api
push eax
call get_apicrc
;------- To obtain complete-------execution of the main function section
;call injected

push 5
push offset notepad
call __WinExec

push 0
push offset notepad
call __FindWindowA ;get window handle

push eax
push esp
push eax
call __GetWindowThreadProcessId
pop eax
mov ebx,eax
push eax
push 0
push 1f0fffh ;PROCESS_ALL_ACCESS
call __OpenProcess
mov ebp,eax

push 40h ;PAGE_EXECUTE_READWRITE
push 3000h ;MEM_COMMIT or MEM_RESERVE
push injected_size
push 0
push ebp ;pid
call RT32_VirtualAllocEx
mov edi,eax
push eax
push esp
push injected_size
lea eax,injected
push eax
push edi
push ebp
call __WriteProcessMemory
pop eax
push eax
push esp
push 0
push esi
push edi
push 0
push 0
push ebx
call RT32_CreateRemoteThread
pop ecx

ExitProc:
push 0
callw ExitProcess
ret
;------- Using the function address
RT32_VirtualAllocEx:
pushad
mov ebx,[esp+8*4+4]
mov ebp,[esp+8*4+8]
mov edx,[esp+8*4+12]
mov esi,[esp+8*4+16]
mov edi,[esp+8*4+20]
call get_k32base
mov ecx,cs
xor cl,cl
jecxz @@os_nt
@@os_9x:
push edi
or esi,8000000h
push esi
push edx
push ebp
push 04402890Eh ;VirtualAlloc
push eax
call get_addr32crc
call eax
jmp @@finished
@@os_nt:
push 0DA89FC22h ;VirtualAllocEx
push eax
call get_addr32crc
push edi
push esi
push edx
push ebp
push ebx
call eax
@@finished:
mov [esp+pushad_eax],eax
popad
ret 4*5

RT32_CreateRemoteThread:
pushad
mov ebp,[esp+8*4+4]
call get_k32base
mov esi,eax
push ebp
push 0
push 1f0fffh ;PROCESS_ALL_ACCESS
push 033D350C4h ;OpenProcess
push esi
call get_addr32crc
call eax
mov ebx,eax

push 0CF4A7F65h ;CreateRemoteThread
push esi
call get_addr32crc
mov ecx,cs
xor cl,cl
jecxz @@os_nt
@@os_9x:
call get_obfs
xor ebp,eax
call search_crt9x
jnc @@error
mov esi,eax

mov edi,[esp+8*4+16]
mov eax,[esp+8*4+20]
push 8
push eax
push edi
push 0fffff000h
push ebp
call esi
push eax
call search_halloc9x
jnc @@error
mov edx,eax
pop eax

push 0
push eax
push ebp
call edx
jmp @@finished
@@os_nt:
; push dwo [esp+8*4+28+0]
; push dwo [esp+8*4+24+4]
; push dwo [esp+8*4+20+8]
; push dwo [esp+8*4+16+12]
; push dwo [esp+8*4+12+16]
; push dwo [esp+8*4+8+20]
push 6
pop ecx
@@loop_push:
push dwo [esp+8*4+28]
loop @@loop_push
push ebx
call eax
@@finished:
mov [esp+pushad_eax],eax
popad
ret 4*7
@@error:
sub eax,eax
dec eax
mov [esp+pushad_eax],eax
popad
ret 4*7

get_obfs:
pushad
push 0EB1CE85Ch ;GetCurrentProcessId
call get_k32base
push eax
call get_addr32crc
call eax
mov ebx,eax
mov eax,fs:[30h]
xor eax,ebx
mov [esp+pushad_eax],eax
popad
retn
search_halloc9x:
pushad
call get_k32base
push 033D350C4h ;OpenProcess
push eax
call get_addr32crc
mov esi,eax
mov eax,0E832ff50h
jmp search_compare

search_crt9x:
pushad
call get_k32base
push 07FC598E3h ;DebugActiveProcess
push eax
call get_addr32crc
mov esi,eax
; IDA output:
;.text:BFF9490D push 8                    ; const
;.text:BFF9490F push edi
;.text:BFF94910 push offset sub_BFF9494D  ; thread
;.text:BFF94915 push 0FFFFF000h           ; tells the kernel to allocate the stack
;.text:BFF9491A push edi                  ; pdb
;.text:BFF9491B call CreateRemoteThread9x ; arbitrary name
;0xE8 = call; 0x57 = push edi; 0xFFFF = higher part of 0xFFFFF000
; mov eax,0fffff000h
mov eax,0E857FFFFh
; DEBUG: CloseHandle
; mov eax,0E8560002h
search_compare:
sub ecx,ecx
mov cl,255 ;approx. size of DebugActiveProcess, just in case
@@compare:
cmp eax,[esi]
jz @@save
inc esi
dec ecx
jecxz @@exit
jmp @@compare
@@save:
lodsd
lodsd ;eax = relative address of CreateRemoteThread9x()
add eax,esi ;absolute address
mov [esp+pushad_eax],eax
stc
@@exit:
popad
retn
;-------- The End~~~[^_^]
get_apicrc:
pushad
mov esi,[esp+8*4+4]
call get_k32base
push 04134D1ADh ;LoadLibraryA
push eax
call get_addr32crc

push esi
call eax
mov ebx,eax

sub eax,eax
lodsb
test al,al
jnz $-3
mov edi,esi
@@loop:
lodsd
test eax,eax
jz @@end
push eax
push ebx
call get_addr32crc
stosd
jmp @@loop
@@end:
popad
retn 4
;void get_addr32crc(DWORD base, DWORD crc32)
get_addr32crc:
pushad
mov ebx,[esp+8*4+4]
mov esi,[esp+8*4+8]

sub ebp,ebp ;counter
mov edx,ebx
add edx,[edx.mz_neptr]
mov edx,[edx.pe_exportrva]
add edx,ebx
mov eax,[edx.ex_numofnamepointers]
mov edi,[edx.ex_addresstablerva]
add edi,ebx
mov edi,[edx.ex_namepointersrva]
add edi,ebx

push edx
mov edx,edi

@@next:
mov edx,[edi]
add edx,ebx
inc ebp
pushad
mov esi,edx
sub ecx,ecx
lodsb
inc ecx
test al,al
jnz $-4
mov [esp+pushad_ecx],ecx
popad

@@cmpstr:
pushad
; mov edx,edx
sub eax,eax
call xcrc32
cmp eax,esi
popad
jz @@found

; push eax
; sub eax,eax
; scasb
; jnz $-1
; pop eax
add edi,4
dec eax
jz @@error
jmp @@next
@@found:
pop edx
dec ebp
mov ecx,[edx.ex_ordinaltablerva]
add ecx,ebx
movzx eax,wo [ecx+ebp*2]
mov ebp,[edx.ex_addresstablerva]
add ebp,ebx
mov eax,[ebp+eax*4]
add eax,ebx
@@error:
mov [esp+pushad_eax],eax
popad
ret 4*2
;void get_k32base();
get_k32base:
pushad
sub eax,eax
mov eax,fs:[eax+30h]
test eax,eax
js @@os_9x
@@os_nt:
mov eax,[eax+0ch]
mov esi,[eax+1ch]
lodsd
mov eax,[eax+8]
jmp @@finished
@@os_9x:
mov eax,[eax+34h]
lea eax,[eax+7ch]
mov eax,[eax+3ch]
@@finished:
mov [esp+pushad_eax],eax
popad
retn
; zhengxi's crc32(): optimised by Vecna
; input: EDX=data, ECX=size, EAX=crc
; output: EAX=crc, EDX+=ECX, ECX=BL=0
xcrc32:
pushad
jecxz @@4
not eax
@@1:
xor al,[edx]
inc edx
mov bl,8
@@2:
shr eax,1
jnc @@3
xor eax,0EDB88320h
@@3:
dec bl
jnz @@2
loop @@1
not eax
@@4:
mov [esp+pushad_eax],eax
popad
ret
end
--------------------------------------------------------------------------------
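The listing never names an API as a string: get_addr32crc walks kernel32's export table and compares the CRC32 of each name against a constant, so an analyst who meets such constants has to recompute them. The following Python is an added example, not part of Anskya's code: it reimplements xcrc32 bit for bit (reflected polynomial 0EDB88320h, complemented on entry and exit, starting from EAX=0 as the caller does), checks it against the standard CRC-32 test vectors, and tries to map the constants from the k32_api/u32_api tables and the pushed hashes back to names. Whether the hash covers the terminating NUL is an assumption drawn from get_addr32crc's length loop, which counts the zero byte; the script reports both variants.

```python
"""Resolve the CRC32-hashed API names used in the injector listing above.

Added example, not part of the original article. The (hash, name) pairs are
copied from the listing's tables and the comments beside the pushed hashes;
the NUL-inclusive hashing is an assumption, see api_hash().
"""

POLY = 0xEDB88320  # reflected CRC-32 polynomial, as in xcrc32


def xcrc32(data: bytes, crc: int = 0) -> int:
    """Mirror of the listing's xcrc32: NOT the running value, fold each byte
    through 8 shift/xor steps, NOT again. With crc=0 this is standard CRC-32."""
    if not data:                      # jecxz @@4: size 0 returns EAX unchanged
        return crc
    crc = ~crc & 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):            # mov bl,8 / shr eax,1 / jnc / xor
            crc = (crc >> 1) ^ POLY if crc & 1 else crc >> 1
    return ~crc & 0xFFFFFFFF


def api_hash(name: str, with_nul: bool = True) -> int:
    """Hash an export name. get_addr32crc's length loop counts the zero byte
    into ECX, so by assumption the default includes the terminator."""
    raw = name.encode("ascii")
    return xcrc32((raw + b"\x00") if with_nul else raw)


# (hash constant, name the listing's comment claims for it), copied from the page
LISTED = [
    (0x058F9201, "ExitThread"), (0x28452C4F, "WinExec"),
    (0x33D350C4, "OpenProcess"), (0x0E9BBAD5, "WriteProcessMemory"),
    (0xD8556CF7, "MessageBoxA"), (0x85AB3323, "FindWindowA"),
    (0x7B46AF5E, "GetWindowThreadProcessId"), (0x4134D1AD, "LoadLibraryA"),
    (0x4402890E, "VirtualAlloc"), (0xDA89FC22, "VirtualAllocEx"),
    (0xCF4A7F65, "CreateRemoteThread"), (0xEB1CE85C, "GetCurrentProcessId"),
    (0x7FC598E3, "DebugActiveProcess"),
]


def resolve(constants, candidates, with_nul=True):
    """Map hash constants back to names drawn from a candidate export list;
    unmatched constants map to None."""
    table = {api_hash(n, with_nul): n for n in candidates}
    return {c: table.get(c) for c in constants}


if __name__ == "__main__":
    names = [n for _, n in LISTED]
    for with_nul in (True, False):
        hits = resolve([h for h, _ in LISTED], names, with_nul)
        found = sum(1 for v in hits.values() if v)
        print(f"with_nul={with_nul}: {found}/{len(LISTED)} constants resolved")
        for h, n in hits.items():
            print(f"  {h:08X} -> {n}")
```

Feeding it the full export list of a kernel32.dll/user32.dll (for example from a PE parser) instead of the names claimed in the comments turns the same resolve() into a check of what the hashes actually bind to.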