A few Nooberish Questions...

Milk-in-a-Can
Posts: 2
Joined: Thu Jul 01, 2004 10:01 am

A few Nooberish Questions...

Post by Milk-in-a-Can »

Here we go...

What kind of code can be injected via "remote"?

Say...if i wanted to open a socket...connect...send a string through...then close it again...can it be done in the "injected function" or do i have to open the socket in the main function...then send the data via a pointer in the "remote" function...

Confusing, confusing, confusing :-(
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Re: A few Nooberish Questions...

Post by nildo »

Milk-in-a-Can wrote: Here we go...

What kind of code can be injected via "remote"?

Say...if i wanted to open a socket...connect...send a string through...then close it again...can it be done in the "injected function" or do i have to open the socket in the main function...then send the data via a pointer in the "remote" function...

Confusing, confusing, confusing :-(
Your problem is sending data through a Socket which is opened by another process?

If yes you could use DuplicateHandle passing the Socket ID as the TargetHandle, then you could use SEND normally to send a string. All this can be done by your application without the need of injecting code.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I've not that much knowledge about winSock functions. So listen to nildo there.

Generally: You can remote execute *any* code, as long as you follow the rules. The most important ones are: No usage of global variables/constants (that includes global string constants!). No calls to any functions/APIs except exported APIs which are available in the target process.

If the code you want/need to execute inside of another process is too complex, I'd suggest putting it into a dll and to inject the dll into the target process. Not so nice, but much easier to realize.
Milk-in-a-Can
Posts: 2
Joined: Thu Jul 01, 2004 10:01 am

Re: A few Nooberish Questions...

Post by Milk-in-a-Can »

Thank you for both your time, and your quick replies.

You have cleared some very important "perspective issues" i had.

Oh...one more thing. The injected code...has it some kind of...maximum size?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

No. Hmmm... Well, it should be smaller than 2 GB... :lol:
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Mathias, if you have access to VirtualAllocEX under Win9X, why don't you do a Code Hook Library using your Remote execute method? Then there will be no need for DLLs. And can you explain to me too, how can Regmon and Filemon from InternalSys hook APIs without using DLLs?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

why don't you do a Code Hook Library using the your Remote execute method?
Check out HookAPI(..., SYSTEM_WIDE_9x). It's exactly what you're describing!
how can Regmon and Filemon from InternalSys can hook APIs without using DLLs?
AFAIK, those programs are using drivers, which are incorporated into the exe and temporarily extracted to the harddisk.
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

madshi wrote: Check out HookAPI(..., SYSTEM_WIDE_9x). It's exactly what you're describing!
Ahn, interesting!
AFAIK, those programs are using drivers, which are incorporated into the exe and temporarily extracted to the harddisk.
:o
Ohhh, this I did not know!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

nildo wrote: Ohhh, this I did not know!
Well, I didn't really examine it, but it must be this way. Earlier versions of RegMon and FileMon shipped with driver files (even with full sources some years ago). Now the driver files are gone, but the functionality is the same. So I'm quite sure that the drivers are just stored inside of the exe (and get temporarily extracted). madCodeHook does it the same way. The dll injection into newly created process in the NT family is done by a little kernel mode driver.
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

madshi wrote:
nildo wrote: Ohhh, this I did not know!
Well, I didn't really examine it, but it must be this way. Earlier versions of RegMon and FileMon shipped with driver files (even with full sources some years ago). Now the driver files are gone, but the functionality is the same. So I'm quite sure that the drivers are just stored inside of the exe (and get temporarily extracted). madCodeHook does it the same way. The dll injection into newly created process in the NT family is done by a little kernel mode driver.
Ohh I understand!
What method do you use for merging and unmerging this little kernel mode driver from and into your pack?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I've written a special tool which converts the driver file into a big static Delphi style hex array constant. This I can copy&paste into my Delphi code. Then when the driver is needed, the Delphi code writes it to a temporary file, installs the driver and deletes the file again (after the driver was installed, it can immediately be deleted again!). This way the driver file is as good as invisible to anyone. I've not done this to hide anything (of course), but only to make things easier to distribute and to also make uninstallation easier. The driver is automatically gone with the next reboot.
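The drop, install, delete sequence described above leaves a recognisable pattern in endpoint telemetry: a .sys file is created in a temp directory, loaded as a driver, and removed moments later. As an added example (not part of this thread or of madCodeHook), here is a small Python detector run over constructed Sysmon-style event records; the field names (Time, EventType, Path), the temp-directory markers and the 60-second window are assumptions to adapt to real telemetry.

```python
"""Flag drivers that were written to a temp directory, loaded, and deleted soon after.

Added example, not from the forum thread. The event records below are constructed
and use simplified Sysmon-style field names (Time, EventType, Path).
"""
from collections import defaultdict
from datetime import datetime

TEMP_MARKERS = ("\\temp\\", "\\tmp\\")   # assumed: substrings that mark a temp path
WINDOW_SECONDS = 60                         # assumed: delete within a minute of the load

# Constructed sample telemetry: one transient driver drop, one ordinary driver install.
SAMPLE_EVENTS = [
    {"Time": "2004-07-01T10:01:02", "EventType": "FileDelete", "Path": r"C:\Windows\Temp\tmp7F2A.sys"},
    {"Time": "2004-07-01T10:01:00", "EventType": "FileCreate", "Path": r"C:\Windows\Temp\tmp7F2A.sys"},
    {"Time": "2004-07-01T10:01:01", "EventType": "DriverLoad", "Path": r"C:\Windows\Temp\tmp7F2A.sys"},
    {"Time": "2004-07-01T10:05:00", "EventType": "FileCreate", "Path": r"C:\Windows\System32\drivers\good.sys"},
    {"Time": "2004-07-01T10:05:30", "EventType": "DriverLoad", "Path": r"C:\Windows\System32\drivers\good.sys"},
]


def is_temp_driver_path(path: str) -> bool:
    """True for a .sys file that lives under one of the assumed temp directories."""
    lowered = path.lower()
    return lowered.endswith(".sys") and any(marker in lowered for marker in TEMP_MARKERS)


def find_transient_drivers(events, window=WINDOW_SECONDS):
    """Return the paths of drivers loaded from a temp directory and deleted within
    `window` seconds of the load. Events may arrive in any order."""
    by_path = defaultdict(list)
    for ev in events:
        by_path[ev["Path"]].append((datetime.fromisoformat(ev["Time"]), ev["EventType"]))
    hits = []
    for path, evs in by_path.items():
        if not is_temp_driver_path(path):
            continue
        evs.sort()  # order by timestamp so load/delete comparisons are meaningful
        loads = [t for t, kind in evs if kind == "DriverLoad"]
        deletes = [t for t, kind in evs if kind == "FileDelete"]
        if any(0 <= (d - l).total_seconds() <= window for l in loads for d in deletes):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in find_transient_drivers(SAMPLE_EVENTS):
        print("transient driver loaded from temp dir:", hit)
```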
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Wow, very nice idea!
I know that I am using your time, but, may I know for how much time you have been coding this low level stuff? Since when are you a system developer?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

madCodeHook.pas said "Copyright (C) 1999 - 2004", so I guess a bit over 5 years?
nildo
Posts: 249
Joined: Mon Mar 22, 2004 11:32 am

Post by nildo »

Anh! Cool!

So your utility is something like this anh?


var
   fsArquivo: TFileStream;
   OutStr: string;
   nAux: Byte;
begin
   // open the binary file named in the edit box, read-only
   fsArquivo := TFileStream.Create( leArquivo.Text, fmOpenRead );

   try
      // header of an initialized array sized exactly to the file
      OutStr := 'var NomeArray : array [0..' + IntToStr( fsArquivo.Size - 1 ) + '] of byte = ' + #13#10 + '(' + #13#10;

      while fsArquivo.Position <> fsArquivo.Size do
      begin
         fsArquivo.Read( nAux, 1 );
         OutStr := OutStr + '$' + IntToHex( nAux, 2 );

         // no comma after the last element: Delphi rejects a trailing comma
         if fsArquivo.Position <> fsArquivo.Size then
            OutStr := OutStr + ', ';

         // 16 bytes per line
         if fsArquivo.Position mod 16 = 0 then
            OutStr := OutStr + #13#10;
      end;

      OutStr := OutStr + ');';
   finally
      fsArquivo.Free;
   end;

   Memo1.Clear;
   Memo1.Lines.Add( OutStr );
end;
May I use this technique with my programs too? :wink: I like this!!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Sure you may use that. I've no patent on that.

YET :sceptic: