A few Nooberish Questions...

delphi package - getting into other processes

A few Nooberish Questions...

Postby Milk-in-a-Can » Thu Jul 01, 2004 10:06 am

Here we go...

What kind of code can be injected via "remote"?

Say...if I wanted to open a socket...connect...send a string through...then close it again...can it be done in the "injected function" or do I have to open the socket in the main function...then send the data via a pointer in the "remote" function...

Confusing, confusing, confusing :-(
Milk-in-a-Can
 
Posts: 2
Joined: Thu Jul 01, 2004 10:01 am

Re: A few Nooberish Questions...

Postby nildo » Thu Jul 01, 2004 11:15 am

Milk-in-a-Can wrote: Here we go...

What kind of code can be injected via "remote"?

Say...if I wanted to open a socket...connect...send a string through...then close it again...can it be done in the "injected function" or do I have to open the socket in the main function...then send the data via a pointer in the "remote" function...

Confusing, confusing, confusing :-(


Your problem is sending data through a Socket which is opened by another process?

If yes you could use DuplicateHandle passing the Socket ID as the TargetHandle, then you could use send normally to send a string. All this can be done by your application without the need of injecting code.
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Postby madshi » Thu Jul 01, 2004 1:34 pm

I've not that much knowledge about winSock functions. So listen to nildo there.

Generally: You can remote execute *any* code, as long as you follow the rules. The most important ones are: No usage of global variables/constants (that includes global string constants!). No calls to any functions/APIs except exported APIs which are available in the target process.

If the code you want/need to execute inside of another process is too complex, I'd suggest putting it into a dll and to inject the dll into the target process. Not so nice, but much easier to realize.
madshi
Site Admin
 
Posts: 9339
Joined: Sun Mar 21, 2004 5:25 pm

Re: A few Nooberish Questions...

Postby Milk-in-a-Can » Thu Jul 01, 2004 3:00 pm

Thank you for both your time, and your quick replies.

You have cleared some very important "perspective issues" I had.

Oh...one more thing. The injected code...has it some kind of...maximum size?
Milk-in-a-Can
 
Posts: 2
Joined: Thu Jul 01, 2004 10:01 am

Postby madshi » Thu Jul 01, 2004 3:20 pm

No. Hmmm... Well, it should be smaller than 2 GB... :lol:
madshi
Site Admin
 
Posts: 9339
Joined: Sun Mar 21, 2004 5:25 pm

Postby nildo » Thu Jul 01, 2004 3:41 pm

Mathias, if you have access to VirtualAllocEx under Win9X, why don't you do a Code Hook Library using your Remote execute method? So there will be no need for DLLs. And can you explain to me too, how Regmon and Filemon from SysInternals can hook APIs without using DLLs?
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Postby madshi » Thu Jul 01, 2004 5:08 pm

nildo wrote: why don't you do a Code Hook Library using your Remote execute method?

Check out HookAPI(..., SYSTEM_WIDE_9x). It's exactly what you're describing!

nildo wrote: how Regmon and Filemon from SysInternals can hook APIs without using DLLs?

AFAIK, those programs are using drivers, which are incorporated into the exe and temporarily extracted to the harddisk.
madshi
Site Admin
 
Posts: 9339
Joined: Sun Mar 21, 2004 5:25 pm

Postby nildo » Thu Jul 01, 2004 5:21 pm

madshi wrote: Check out HookAPI(..., SYSTEM_WIDE_9x). It's exactly what you're describing!

Ahn, interesting!

madshi wrote: AFAIK, those programs are using drivers, which are incorporated into the exe and temporarily extracted to the harddisk.


:o
Ohhh, this I did not know!
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Postby madshi » Thu Jul 01, 2004 5:26 pm

nildo wrote: Ohhh, this I did not know!

Well, I didn't really examine it, but it must be this way. Earlier versions of RegMon and FileMon shipped with driver files (even with full sources some years ago). Now the driver files are gone, but the functionality is the same. So I'm quite sure that the drivers are just stored inside of the exe (and get temporarily extracted). madCodeHook does it the same way. The dll injection into newly created processes in the NT family is done by a little kernel mode driver.
madshi
Site Admin
 
Posts: 9339
Joined: Sun Mar 21, 2004 5:25 pm

Postby nildo » Thu Jul 01, 2004 5:38 pm

madshi wrote:
nildo wrote: Ohhh, this I did not know!

Well, I didn't really examine it, but it must be this way. Earlier versions of RegMon and FileMon shipped with driver files (even with full sources some years ago). Now the driver files are gone, but the functionality is the same. So I'm quite sure that the drivers are just stored inside of the exe (and get temporarily extracted). madCodeHook does it the same way. The dll injection into newly created processes in the NT family is done by a little kernel mode driver.


Ohh I understand!
What method do you use for merging and unmerging this little kernel mode driver from and into your pack?
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Postby madshi » Thu Jul 01, 2004 5:51 pm

I've written a special tool which converts the driver file into a big static Delphi style hex array constant. This I can copy&paste into my Delphi code. Then when the driver is needed, the Delphi code writes it to a temporary file, installs the driver and deletes the file again (after the driver was installed, it can immediately be deleted again!). This way the driver file is as good as invisible to anyone. I've not done this to hide anything (of course), but only to make things easier to distribute and to also make uninstallation easier. The driver is automatically gone with the next reboot.
madshi
Site Admin
 
Posts: 9339
Joined: Sun Mar 21, 2004 5:25 pm

Postby nildo » Thu Jul 01, 2004 6:11 pm

Wow, very nice idea!
I know that I am using your time, but may I know for how much time you have been coding this low level stuff? Since when are you a system developer?
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Postby madshi » Thu Jul 01, 2004 6:27 pm

madCodeHook.pas said "Copyright (C) 1999 - 2004", so I guess a bit over 5 years?
madshi
Site Admin
 
Posts: 9339
Joined: Sun Mar 21, 2004 5:25 pm

Postby nildo » Thu Jul 01, 2004 6:40 pm

Anh! Cool!

So your utility is something like this anh?

Code:
{ Assumed procedure header: the post shows only the body }
procedure TForm1.ConvertFileToArray;
var
   fsArquivo: TFileStream;
   OutStr: string;
   nAux: Byte;
begin
   fsArquivo := TFileStream.Create( leArquivo.Text, fmOpenRead );

   try
      OutStr := 'var NomeArray : array [0..' + IntToStr( fsArquivo.Size - 1 ) + '] of byte = ' + #13#10 + '(' + #13#10;

      while fsArquivo.Position <> fsArquivo.Size do
      begin
         fsArquivo.Read( nAux, 1 );
         OutStr := OutStr + '$' + IntToHex( nAux, 2 );

         { no separator after the last byte: Delphi rejects a trailing comma in an array constant }
         if fsArquivo.Position <> fsArquivo.Size then
            OutStr := OutStr + ', ';

         if fsArquivo.Position mod 16 = 0 then
            OutStr := OutStr + #13#10;
      end;

      OutStr := OutStr + ');';
   finally
      fsArquivo.Free;
   end;

   { only show the result once the whole file has been converted }
   Memo1.Clear;
   Memo1.Lines.Add( OutStr );
end;


May I use this technique with my programs too? :wink: I like this!!
nildo
 
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am
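As an added example (not code from this thread or from madCodeHook), here is a Python version of both steps madshi describes: the "merge" that turns a binary file into a Delphi typed byte-array constant, and the "unmerge" that reads the bytes back out before writing them to a file. It differs from the posted Delphi snippet in that it never emits the trailing comma Delphi rejects, refuses an empty payload, and checks the declared bound on the way back. The array name NomeArray comes from nildo's post; the sample payload is constructed, not a real driver.

```python
import re

BYTES_PER_LINE = 16  # same 16-per-line layout as the posted Delphi snippet


def to_delphi_array(data: bytes, name: str = "NomeArray") -> str:
    """Emit `const name: array[0..N-1] of Byte = (...);` (the "merge" step).

    Unlike the posted snippet, no trailing comma is produced (Delphi
    rejects `$FF, )`), and an empty payload is refused because
    array[0..-1] is not a valid Delphi type.
    """
    if not data:
        raise ValueError("empty payload cannot become a Delphi array")
    lines = []
    for offset in range(0, len(data), BYTES_PER_LINE):
        chunk = data[offset:offset + BYTES_PER_LINE]
        lines.append("  " + ", ".join(f"${b:02X}" for b in chunk))
    body = ",\r\n".join(lines)  # comma only between lines, never after the last byte
    return (f"const {name}: array[0..{len(data) - 1}] of Byte = (\r\n"
            f"{body}\r\n);")


# Matches one typed byte-array constant; group 2 is the upper bound, group 3 the body.
_DECL = re.compile(
    r"(?:const|var)\s+(\w+)\s*:\s*array\s*\[\s*0\s*\.\.\s*(\d+)\s*\]\s*of\s+Byte"
    r"\s*=\s*\((.*?)\)\s*;",
    re.IGNORECASE | re.DOTALL,
)


def from_delphi_array(source: str) -> bytes:
    """Read the bytes back out of the constant (the "unmerge" step)."""
    m = _DECL.search(source)
    if m is None:
        raise ValueError("no Delphi byte-array constant found")
    declared_len = int(m.group(2)) + 1
    values = [int(tok, 16) for tok in re.findall(r"\$([0-9A-Fa-f]{1,2})", m.group(3))]
    if len(values) != declared_len:
        raise ValueError(f"declared {declared_len} bytes, found {len(values)}")
    return bytes(values)


# Constructed 20-byte sample (not a real driver) so the output spans two lines.
SAMPLE = bytes(range(0xF0, 0x100)) + b"\x00\x01\x02\x03"

if __name__ == "__main__":
    text = to_delphi_array(SAMPLE)
    print(text)
    assert from_delphi_array(text) == SAMPLE
```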

Postby madshi » Thu Jul 01, 2004 7:14 pm

Sure you may use that. I've no patent on that.

YET :sceptic:
madshi
Site Admin
 
Posts: 9339
Joined: Sun Mar 21, 2004 5:25 pm
