problem with CopyFunction

Postby Bevan Collins » Thu Nov 19, 2020 3:42 am

Hi,

can someone please help me?
I am having a problem with CopyFunction from madCodeHook 4 in the following test code, where 6760 is the PID of notepad.exe:
Code:
#include <windows.h>
#include <madchook.h>

// Function to be copied into the target process. It has to be self-contained:
// no calls back into this module and no references to its globals.
DWORD WINAPI remoteProcess(LPVOID) {
  return 1;
}

int main() {
  InitializeMadCHook();

  HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 6760); // 6760 = PID of notepad.exe
  if (process) {
    DWORD result = 0;
    BOOL rc = RemoteExecute(process, &remoteProcess, &result, nullptr, 0); // works 100%

    // Same function, but only copied into the target process, not executed there.
    PVOID remote_proc_buffer = nullptr;
    auto remote_proc = CopyFunction(&remoteProcess, process, FALSE, &remote_proc_buffer);
    if (remote_proc)
      MessageBoxA(0, "ok!", "", MB_OK);
    else
      MessageBoxA(0, "not ok!", "", MB_OK);

    CloseHandle(process);
  }

  FinalizeMadCHook();
}


For x86, CopyFunction seems to work. For x64, CopyFunction either crashes or fails with GetLastError 1455, even though RemoteExecute always succeeds.

Thanks
Bevan Collins
 
Posts: 26
Joined: Fri Jul 07, 2006 2:50 am

Re: problem with CopyFunction

Postby iconic » Fri Nov 20, 2020 3:43 am

Hello,

I'll make some time tomorrow to check into this. Thanks!

--Iconic
iconic
Site Admin
 
Posts: 973
Joined: Wed Jun 08, 2005 5:08 am

Re: problem with CopyFunction

Postby madshi » Fri Nov 20, 2020 11:40 am

FWIW, here's an extract of the source code:

Code:
SYSTEMS_API BOOL WINAPI RemoteExecute(HANDLE hProcess, PFN_REMOTE_EXECUTE_FUNCTION pFunction, DWORD *pFunctionResult, LPVOID pParameters, DWORD size)
{
  BOOL result = false;
  LPVOID pBuffer;
  LPVOID pProc = CopyFunction(pFunction, hProcess, false, &pBuffer);
  if (pProc != NULL)
  {
    ...
  }
  return result;
}

So considering this, it seems weird that RemoteExecute would always work for you, but CopyFunction would not?
madshi
Site Admin
 
Posts: 10303
Joined: Sun Mar 21, 2004 5:25 pm
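madshi's extract shows that RemoteExecute is CopyFunction plus a remote thread, so the interesting part is what CopyFunction itself has to do on x64. A function body cannot be copied byte for byte to a new address: call/jmp rel32 and RIP-relative operands are encoded relative to the instruction that holds them, and MSVC /INCREMENTAL builds additionally hand out &func as a jump thunk rather than the body itself. The following is an added example, not madCodeHook's code and not a diagnosis of the 1455 failure reported above: it follows a jmp thunk, copies a body to a new virtual address and rewrites each displacement so it still refers to the same absolute address. It understands only four instruction forms (nop, ret, call/jmp rel32, lea r64,[rip+disp32]); a real copier needs a full length decoder. The byte image, the addresses 0x1000/0x2000/0x3000/0x5000 and the 13-byte body length are constructed for the demo, and everything works on plain buffers so it runs on any platform.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// A run of x64 code plus the virtual address of its first byte.
struct Image {
    uint64_t va;
    std::vector<uint8_t> bytes;
};

static const size_t NPOS = (size_t)-1;

static int32_t read_i32(const uint8_t* p) { int32_t v; std::memcpy(&v, p, 4); return v; }
static void write_i32(uint8_t* p, int32_t v) { std::memcpy(p, &v, 4); }

// Length of the instruction at b[off] for the few forms this demo knows.
// Returns 0 for anything else (a real copier needs a full length decoder here).
static size_t insn_len(const std::vector<uint8_t>& b, size_t off) {
    if (off >= b.size()) return 0;
    switch (b[off]) {
    case 0x90: case 0xC3: return 1;                                   // nop, ret
    case 0xE8: case 0xE9: return off + 5 <= b.size() ? 5 : 0;         // call/jmp rel32
    case 0x48:  // REX.W 8D /r with mod=00 rm=101: lea r64,[rip+disp32]
        return (off + 7 <= b.size() && b[off + 1] == 0x8D && (b[off + 2] & 0xC7) == 0x05) ? 7 : 0;
    default: return 0;
    }
}

// Byte offset of the rel32/disp32 field inside the instruction, 0 if none.
static size_t disp_off(uint8_t opcode) {
    if (opcode == 0xE8 || opcode == 0xE9) return 1;
    return opcode == 0x48 ? 3 : 0;
}

// Absolute address a rel32/disp32 refers to: end of the instruction plus the
// signed displacement. Only meaningful for instructions insn_len can size.
static uint64_t operand_target(const Image& img, size_t off) {
    size_t n = insn_len(img.bytes, off), d = disp_off(img.bytes[off]);
    return img.va + off + n + (uint64_t)(int64_t)read_i32(&img.bytes[off + d]);
}

// MSVC /INCREMENTAL hands out &func as an ILT thunk ("jmp func"). If the bytes
// at 'off' are such a thunk, return the offset of the real body; otherwise
// return 'off'. NPOS if the jump leaves the image.
static size_t follow_jmp_thunk(const Image& img, size_t off) {
    if (off + 5 > img.bytes.size() || img.bytes[off] != 0xE9) return off;
    uint64_t target = operand_target(img, off);
    if (target < img.va || target >= img.va + img.bytes.size()) return NPOS;
    return (size_t)(target - img.va);
}

// Copy len bytes starting at src.bytes[off] into an image based at dst_va and
// rewrite every rel32/disp32 so it still points at the same absolute address.
// Fails on an opcode it cannot size or a displacement that no longer fits.
static bool copy_function(const Image& src, size_t off, size_t len, uint64_t dst_va, Image& dst) {
    if (off + len > src.bytes.size()) return false;
    dst.va = dst_va;
    dst.bytes.assign(src.bytes.begin() + off, src.bytes.begin() + off + len);
    for (size_t pos = 0; pos < len;) {
        size_t n = insn_len(src.bytes, off + pos);
        if (n == 0 || pos + n > len) return false;
        size_t d = disp_off(src.bytes[off + pos]);
        if (d != 0) {
            uint64_t target = operand_target(src, off + pos);             // as seen from the original
            int64_t rel = (int64_t)target - (int64_t)(dst_va + pos + n);  // as seen from the copy
            if (rel != (int64_t)(int32_t)rel) return false;               // outside +/-2 GiB
            write_i32(&dst.bytes[pos + d], (int32_t)rel);
        }
        pos += n;
    }
    return true;
}

// Constructed sample (hand-assembled, not taken from any binary): an ILT thunk
// at 0x1000 jumping to a body at 0x1010 that calls 0x2000, loads the address
// 0x3000 into RAX and returns. Padding is nop.
static Image sample_image() {
    Image img;
    img.va = 0x1000;
    img.bytes.assign((size_t)0x20, (uint8_t)0x90);
    img.bytes[0x00] = 0xE9; write_i32(&img.bytes[0x01], 0x1010 - (0x1000 + 5));  // jmp 0x1010
    img.bytes[0x10] = 0xE8; write_i32(&img.bytes[0x11], 0x2000 - (0x1010 + 5));  // call 0x2000
    img.bytes[0x15] = 0x48; img.bytes[0x16] = 0x8D; img.bytes[0x17] = 0x05;
    write_i32(&img.bytes[0x18], 0x3000 - (0x1015 + 7));                           // lea rax,[rip+disp] -> 0x3000
    img.bytes[0x1C] = 0xC3;                                                        // ret
    return img;
}

struct DemoResult { bool ok; size_t body_off; uint64_t call_target; uint64_t lea_target; };

// Follow the thunk, copy the 13-byte body to 0x5000 and decode the copy.
static DemoResult demo() {
    DemoResult r = {false, 0, 0, 0};
    Image src = sample_image(), dst;
    r.body_off = follow_jmp_thunk(src, 0);
    if (r.body_off == NPOS || !copy_function(src, r.body_off, 13, 0x5000, dst)) return r;
    r.call_target = operand_target(dst, 0);   // the relocated call must still reach 0x2000
    r.lea_target = operand_target(dst, 5);    // the relocated lea must still reach 0x3000
    r.ok = dst.bytes[12] == 0xC3;
    return r;
}

int main() {
    DemoResult r = demo();
    std::printf("ok=%d body=0x%zx call->0x%llx lea->0x%llx\n", (int)r.ok, r.body_off,
                (unsigned long long)r.call_target, (unsigned long long)r.lea_target);
    return r.ok ? 0 : 1;
}
```

The range check in copy_function is the x64-specific part: rel32 spans only +/-2 GiB, and a buffer allocated in another process can land anywhere in the 64-bit address space, so a copied function cannot keep rel32 references to its originating module. That is one concrete reason the function handed to CopyFunction/RemoteExecute has to be self-contained.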

Re: problem with CopyFunction

Postby Bevan Collins » Fri Nov 20, 2020 6:51 pm

Similar issue? viewtopic.php?f=5&t=27462

When building for x86, I have to link with madCHook32mt.lib and madCHook32.lib for CopyFunction. For other functions I only need to link with madCHook32mt.lib. Not sure if it's related.
Bevan Collins

Re: problem with CopyFunction

Postby iconic » Tue Nov 24, 2020 5:05 am

Hello,

I've tested here on Win 7 x64 SP1 with both target builds of the same .exe (32-bit and 64-bit) and then tried both instances (32-bit and 64-bit) of Notepad to see if it was something related to WOW64 <-> Native execution but it doesn't appear to be. In any case it all worked perfectly fine for me here on my end. I used VS 2015 Community Edition to test and the latest MCH version. What version of MCH are you using?

The exact code I used (your code minus a small mod or two) is below:

Code:
#include "stdafx.h"
#include <Windows.h>
#include "madchook.h"

#pragma comment(lib, "legacy_stdio_definitions.lib") // VS 2015 Community Edition needs this
#ifdef _WIN64
#pragma comment(lib, "madchook64.lib") // md (but renamed)
#else
#pragma comment(lib, "madchook32.lib")
#endif


DWORD WINAPI remoteProcess(LPVOID) {
   return 1;
}


#define PID 504 // change to whatever Notepad's PID is


int _tmain(int argc, _TCHAR* argv[])
{
   InitializeMadCHook();

   HANDLE process = OpenProcess(MAXIMUM_ALLOWED, FALSE, PID);
   if (process) {
      DWORD result = 0;
      BOOL rc = RemoteExecute(process, &remoteProcess, &result, nullptr, 0);
      PVOID remote_proc_buffer = nullptr;
      auto remote_proc = CopyFunction(&remoteProcess, process, FALSE, &remote_proc_buffer);
      if (remote_proc)
         MessageBoxA(0, "ok!", "", MB_OK);
      else
         MessageBoxA(0, "not ok!", "", MB_OK);
      CloseHandle(process);
   }

   FinalizeMadCHook();

   return 0;
}



--Iconic

Re: problem with CopyFunction

Postby iconic » Tue Nov 24, 2020 5:33 am

I’ll test on Windows 10 later today and see if there is any change.

--Iconic

Re: problem with CopyFunction

Postby Bevan Collins » Tue Nov 24, 2020 8:41 am

I'm using MCH 4.1.3 (madCHook64mt.lib), Windows 10 20H2, VisualStudio 16.8.2
Bevan Collins

Re: problem with CopyFunction

Postby iconic » Tue Nov 24, 2020 9:10 pm

Hi Bevan,

I've rerun the demo on Windows 10 x64 20H2 and tested a 64-bit .exe compiled with madCHook64mt.lib - it continues to work as expected without issue here. I tested 3x with both the WOW64 version of Notepad as well as the Native 64-bit version of Notepad. Did you want me to upload my pre-built binary (.exe) for you in case you'd like to test on your end? I've allowed you to input the process id in the current test demo through the console window.

--Iconic

Re: problem with CopyFunction

Postby Bevan Collins » Thu Nov 26, 2020 7:40 pm

Hi Iconic

Yes, can you please upload your binary.

CopyFunction still fails for me on 64-bit. WOW64 seems to be OK.
Here is my VS2019 test project (*** Edited out ***)

Thanks

***Edit*** I've downloaded your project but have also erased the link to your archive file on this forum; I have a copy locally but need to censor it because it contains .lib files which anyone can use. Please delete your original link files at your earliest convenience. I'm sure this was done by accident, but please refrain from this in the future. Thank you.

--Iconic
Bevan Collins

Re: problem with CopyFunction

Postby iconic » Fri Nov 27, 2020 10:25 pm

Hi Bevan,

I've uploaded the pre-built 64-bit binary here https://easyupload.io/mo975t
You may need to disable Windows Defender and/or other security apps in order to download it, it's being detected as a virus likely because MCH was compiled into it and it's using APIs like WriteProcessMemory and CreateRemoteThread etc. It's unsigned so this is also likely part of the issue with AV I imagine. Run in a VM always, not that you can't trust me, but it's common practice when you're downloading any foreign executable. It's a shame that heuristics are lost when digital signatures aren't present but trusted when they are... Let me know if it works for you, I still can't reproduce your issue however which is unfortunate. Anyhow, I'm sure you know this of course.

I'll build your project and see if it's giving me the same issue on x64 and report back. Thanks for uploading it!

P.S.: The archive is password protected and the password is madshi.net

--Iconic

Re: problem with CopyFunction

Postby Bevan Collins » Mon Nov 30, 2020 1:57 am

Oops, sorry about uploading the .lib files. I've deleted the download.

Your version works on my test machine.
Bevan Collins

Re: problem with CopyFunction

Postby iconic » Wed Dec 02, 2020 3:55 am

Hi Bevan,

Thanks for deleting your project online containing the .lib files. Much appreciated. Accidents happen and whether you were in a rush or perhaps forgot that this can be viewed publicly... things happen, but thanks for your quick deletion of such sensitive files.

So... according to your last post, my demo worked for you. Have you tried my code posted a few days ago in your VS IDE? Switched .lib versions etc.? Basically, do I still need to test your specific project, or do you believe it was an issue on your end? I've also noticed some differences between your forum-posted code and the one you uploaded (i.e. auto remote_proc = reinterpret_cast<LPTHREAD_START_ROUTINE>(...) on the CopyFunction() API). Have you tried the code without such C++ "magic"? If you have and it's still an issue, then that's likely either a compiler difference (possibly) or an MCH .lib issue. Hard to say. I primarily compile with VS 2015 Community Edition but do have other versions, around 4 actually.

I'm just not sure why the same code you originally shared works fine in my binary build but not yours. Also, I'm not aware of any recent .lib files having an issue with CopyFunction() but perhaps I need to check it out with an older version. I simply don't see why you're experiencing different results than me using _your_ posted code. If you want I can securely send you the project that seems to have worked for you, let me know please. Thanks!


--Iconic

