This is a C program I've written in Visual Studio 2015 to hook OpenProcess API calls to prevent a target application from obtaining a handle to a ProcessId of our choice which can render other APIs dependent on process handles useless(such as TerminateProcess) when acting on the ProcessId.
I was trying to do inline assembly injection in Delphi 7 to this very effect but the disassembler viewer, and the IDE in general was not very smooth. So I gave Microsoft Visual C++ a go recalling I had a copy of the latest Visual Studio 2015. The IDE was just amazingly productive. So, working on and off, with a lot of debugging and disassembling and hours of scouring the internet for answers to questions that arose along the way, I finally managed to write a functioning program.
The code is, I think, fairly well commented. So it should be easy enough to understand:
I was trying to do inline assembly injection in Delphi 7 to this very effect but the disassembler viewer, and the IDE in general was not very smooth. So I gave Microsoft Visual C++ a go recalling I had a copy of the latest Visual Studio 2015. The IDE was just amazingly productive. So, working on and off, with a lot of debugging and disassembling and hours of scouring the internet for answers to questions that arose along the way, I finally managed to write a functioning program.
The code is, I think, fairly well commented. So it should be easy enough to understand:
//the characterset property is set to "Not Set" which defaults everything to ANSI(non-unicode)
//disable optimization under C/C++=>Optimization from Project=>Project Properties. otherwise a lot of variables
//are "optimized away" when debugging; you can't see their values from the IDE while debugging.
//also, optimize for small code under C/C++=>Optimization. otherwise, the compiler will append
//a ton of INT 3 instructions to your assembly functions.
//so, make a custom optimization profile with the above criteria met
#include "stdafx.h"
#include <conio.h>
#include <Windows.h>
void jmp();
void trampoline();
void fake();
int main()
{
/*This part isn't very relevant to the above code but is still informative and is something I wrote when I was trying a simple mov and jmp combination.
//Process Killer program
repeat:
DWORD pid = 0;
HANDLE hProcess = 0;
printf("Enter PID to terminate ");
scanf_s("%d", &pid);
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (hProcess == 0)
{
printf("Cannot get a handle to the PID!\n");
printf("Error : %d\n\n", GetLastError());
goto repeat;
}
if (!TerminateProcess(hProcess, 0) )
{
printf("Cannot terminate PID : %d\n", pid);
printf("Error : %d\n\n", GetLastError());
goto repeat;
}
else
{
printf("Killed!\n\n");
}
goto repeat;
*/
DWORD protectpid;
DWORD hookpid;//process to inject to
printf("Enter the PID to inject to : ");
scanf_s("%d", &hookpid);
printf("Enter the PID to protect : ");
scanf_s("%d", &protectpid);
LPVOID OPPt = GetProcAddress(GetModuleHandle("kernel32.dll"), "OpenProcess");
/****************Read the raw jmp and trampoline functions from own memory************/
HANDLE myhProcess = OpenProcess(PROCESS_ALL_ACCESS, false, GetCurrentProcessId());
SIZE_T size = SIZE_T((long)(&fake) - (long)(&trampoline));//size of trampoline
SIZE_T size2 = (SIZE_T)(((long)(&trampoline) - (long)(&jmp)));//size of jmp
SIZE_T readbytes;
char *jmpBytes = (char *)calloc((size_t)size2,sizeof(char));
ReadProcessMemory(myhProcess, &jmp, jmpBytes, size2, &readbytes);//read the jmp function into jmpBytes
char *trampolineBytes = (char *)calloc((size_t)size, sizeof(char));
ReadProcessMemory(myhProcess, &trampoline, trampolineBytes, size, &readbytes);//read the trampoline function into trampolineBytes
/*************************************************************************************/
/************Allocate space in the remote process for trampoline function************/
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, hookpid);
LPVOID hAddress = VirtualAllocEx(hProcess, (LPVOID)0, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);//address of trampoline
/************************************************************************************/
/**********************Fix the jmp address and the pid to filter********************/
memcpy(&jmpBytes[1], &hAddress,(size_t) 4);
memcpy(&trampolineBytes[5], &protectpid, (size_t)4);
/***********************************************************************************/
CloseHandle(myhProcess);
/********************Shellcode read!*************************************/
SIZE_T writtenbytes;
if (WriteProcessMemory(hProcess, hAddress, trampolineBytes, size, &writtenbytes))//write the fixed trampoline
{
if (WriteProcessMemory(hProcess, OPPt, jmpBytes, size2, &writtenbytes))//write the fixed jmp
{
//jmp was written
MessageBox(0, "Patched!", ":D", 0);
}
}
DWORD laterror = GetLastError();
return 0;
}
__declspec(naked) void jmp()
/* the __declspec(naked) suppresses the extra opcodes the compiler would automatically add
before and after a function which would be bad for our to-be-injected asm block */
{
__asm
{
mov eax, 0x93250000//trampoline address to be patched
call trick
trick:
pop esi//esi=address of this statement
jmp eax
/*
Must be careful not to do a partial overwrite:
The normal opcodes before overwriting the OpenProcess code in kernel32.dll are:
75891952 > 8BFF MOV EDI,EDI ; ucrtbase.60682104
75891954 55 PUSH EBP
75891955 8BEC MOV EBP,ESP
75891957 5D POP EBP
75891958 EB 05 JMP SHORT <JMP.&API-MS-Win-Core-Synch-L1-1-0.OpenProcess> ; relative jump to the JMP below
7589195A 90 NOP
7589195B 90 NOP
7589195C 90 NOP
7589195D 90 NOP
7589195E 90 NOP
7589195F -FF25 54098975 JMP DWORD PTR DS:[<&API-MS-Win-Core-Synch-L1-1-0.OpenProcess>] ; KERNELBA.OpenProcess
Say we have only a mov and a jmp code. It ends up overwriting the above opcodes starting from the
first byte 8B. The corresponding opcodes are:
00C7118C B8 00 00 25 93 mov eax,93250000h
00C71191 FF E0 jmp eax
Clearly, the size of opcodes to be written is 7(one byte each for B8, 00, 00, 25, 93, FF, E0)
After being overwritten, the modified OpenProcess code in kernel32.dll looks like:
75891952 > B8 00002593 MOV EAX,93250000
75891957 FFE0 JMP EAX
75891959 05 90909090 ADD EAX,90909090
7589195E 90 NOP
7589195F -FF25 54098975 JMP DWORD PTR DS:[<&API-MS-Win-Core-Synch-L1-1-0.OpenProcess>] ; KERNELBA.OpenProcess
Clearly, the original bytes 8B, FF, 55, 8B, EC, 5D, EB, a total of 7 bytes have been overwritten
as expected by our mov and jmp. But the remaining 05, 90, 90... bytes give a different opcode
altogether, the ADD EAX,90909090 thing, which is unwanted. So, the 05 byte is replaced with an extra
opcode, a simple nop i.e. 90 so that the modified version looks like:
75891952 > B8 00002593 MOV EAX,93250000
75891957 FFE0 JMP EAX
75891959 90 NOP
7589195A 90 NOP
7589195B 90 NOP
7589195C 90 NOP
7589195D 90 NOP
7589195E 90 NOP
7589195F -FF25 54098975 JMP DWORD PTR DS:[<&API-MS-Win-Core-Synch-L1-1-0.OpenProcess>] ; KERNELBA.OpenProcess
which is what we would want if we needed only a mov and jmp injected.
*/
/*
Now what our code does:
Original contents inside the OpenProcess procedure in the target process' kernel32:
76571952 > 8BFF MOV EDI,EDI ; ucrtbase.74772104
76571954 55 PUSH EBP
76571955 8BEC MOV EBP,ESP
76571957 5D POP EBP
76571958 EB 05 JMP SHORT <JMP.&API-MS-Win-Core-Synch-L1>
7657195A 90 NOP
7657195B 90 NOP
7657195C 90 NOP
7657195D 90 NOP
7657195E 90 NOP
7657195F -FF25 54095776 JMP DWORD PTR DS:[<&API-MS-Win-Core-Sync>; KERNELBA.OpenProcess
The disassembly of our jmp() code:
00B91218 B8 00 00 25 93 mov eax,93250000h
00B9121D E8 00 00 00 00 call 0B91222h
00B91222 5E pop esi
00B91223 FF E0 jmp eax
The OpenProcess routine after injection:
76571952 > B8 00002593 MOV EAX,93250000
76571957 E8 00000000 CALL kernel32.7657195C
7657195C 5E POP ESI
7657195D FFE0 JMP EAX
7657195F -FF25 54095776 JMP DWORD PTR DS:[<&API-MS-Win-Core-Sync>; KERNELBA.OpenProcess
*/
}
}
__declspec(naked) void trampoline()
{
__asm
{
pop edx
pop ecx
pop ebx
pop eax
cmp eax, 14902//pid to protect
jne skipper
xor eax, eax
skipper:
push eax
push ebx
push ecx
push edx
add esi,3//coz instruction at esi is followed by a jmp which is 2 bytes
jmp esi
}
}
__declspec(naked) void fake()
{
__asm
{
}
}
No comments:
Post a Comment