Injecting exe file into process fails on Windows 7 but works on Windows 10 / Exec library function fails, access denied

Post by ptr » Wed Aug 22, 2018 4:03 am

I'm trying to inject my exe payload into a remote process. I allocated memory in the remote process and converted the raw payload using RVA addressing. I applied relocations and the import table.

When I'm testing my solution in a Windows 10 environment it works fine. The exe is injected, runs properly, and shows me a message box.

But when I try to do the same on Windows 7 64-bit (loader, payload and target are compiled in x86 mode), I get an error:
Access violation executing location 0x7698FD1E
I checked, and this address is the address of the MessageBoxA function from the user32.dll library.

Here is my main code to inject the PE into the remote process:

Code:

    char* target_n = "InjectTarget.exe";
    char* payload_path  = "C:\\Users\\pb\\source\\repos\\pe-dumper\\Debug\\DummyApp.exe";

    FILE* raw_payload = get_file_buffer(payload_path);
    PIMAGE_NT_HEADERS inth = get_nt_headers(raw_payload);

    DWORD kImageSize = inth->OptionalHeader.SizeOfImage;
    DWORD kTargetProcId = get_process_id(target_n);

    // bInheritHandle is a BOOL, so pass FALSE rather than NULL
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, kTargetProcId);
    if (hProcess == NULL) {
        printf("Error: Process handle is NULL\n");
    }

    LPVOID imageBaseRemote = VirtualAllocEx(hProcess, NULL, kImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (imageBaseRemote == NULL) {
        printf("Error: Image base remote is NULL\n");
    }

    // The image is built locally, then copied to the remote allocation
    LPVOID imageBaseLocal = VirtualAlloc(NULL, kImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    copy_raw_to_image_local(imageBaseLocal, raw_payload);
    adjust_relocations(imageBaseRemote, imageBaseLocal);
    // Import addresses are resolved here, inside the loader's own process
    adjust_imports(imageBaseLocal);

    SIZE_T bytesWritten;  // WriteProcessMemory reports a SIZE_T
    if (!WriteProcessMemory(hProcess, imageBaseRemote, imageBaseLocal, kImageSize, &bytesWritten)) {
        printf("Cannot write to remote process!\n");
    }

    LPTHREAD_START_ROUTINE routine = (LPTHREAD_START_ROUTINE)((ULONG_PTR)imageBaseRemote + inth->OptionalHeader.AddressOfEntryPoint);

    DWORD threadId;
    // Stack size and creation flags are integers, so pass 0 rather than NULL
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, routine, NULL, 0, &threadId);

    if (hThread == NULL) {
        printf("%lu", GetLastError());
    }

    VirtualFree(imageBaseLocal, kImageSize, MEM_RELEASE);
    fclose(raw_payload);

Why do these differences between Windows 10 and Windows 7 appear?

Post by Vrtule » Wed Aug 22, 2018 1:24 pm

If I am reading your code correctly, you are resolving imports based on libraries loaded into your process, not the target one. Due to ASLR or a collision of base addresses of multiple DLLs, user32.dll may be placed at a different virtual address in the target process.

Post by ptr » Wed Aug 22, 2018 6:30 pm

I also think (as you mentioned) that any imported DLL can be placed in a different address space... but the application which I'm injecting is a simple application which only shows a message box. It has only one required DLL, which is user32.dll. As I found, user32.dll and kernel32.dll are placed at the same address for all running processes, so my loader can call the LoadLibrary function, then get the MessageBoxA function's address using GetProcAddress, and then use this address to update the import table of the injected app. So it should work.

The error code number I'm getting is 0x5, which is "Access is denied."

Post by Vrtule » Thu Aug 23, 2018 11:37 am

Quote:
The error code number I'm getting is 0x5, which is "Access is denied."

Which function call produces this error?

Post by ptr » Thu Aug 23, 2018 11:54 am

Error details from Visual Studio during debugging: Access violation executing location 0x7698FD1E

0x7698FD1E is the address of the MessageBoxA function from user32.dll
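
Added example, not part of the original thread and not the posters' code: a small crash-triage helper that maps the faulting address onto the module lists of two processes, illustrating the address-space mismatch Vrtule describes. Only 0x7698FD1E comes from the thread; the module bases, sizes, sample maps and function names are constructed assumptions.

```python
from bisect import bisect_right

FAULT = 0x7698FD1E  # faulting address quoted in the thread

# Constructed module maps as (base, size, name); every base and size is an assumption.
LOADER = [(0x00400000, 0x20000, "loader.exe"),
          (0x76930000, 0x100000, "user32.dll"),
          (0x77000000, 0x110000, "kernel32.dll")]
TARGET_SAME = [(0x00400000, 0x20000, "InjectTarget.exe")] + LOADER[1:]
TARGET_NO_USER32 = [(0x00400000, 0x20000, "InjectTarget.exe"), LOADER[2]]
TARGET_REBASED = [(0x00400000, 0x20000, "InjectTarget.exe"),
                  (0x75A00000, 0x100000, "user32.dll"), LOADER[2]]


def find_module(modules, addr):
    """Return (name, rva) of the module containing addr, or None if unmapped."""
    ordered = sorted(modules)
    idx = bisect_right([base for base, _, _ in ordered], addr) - 1
    if idx < 0:
        return None
    base, size, name = ordered[idx]
    return (name, addr - base) if addr < base + size else None


def triage(loader, target, addr):
    """Classify how an address resolved in the loader looks inside the target."""
    src = find_module(loader, addr)
    if src is None:
        return ("unresolved", None)       # not inside any loader module
    if find_module(target, addr) == src:
        return ("valid", src)             # same module and offset in both
    name = src[0].lower()
    if any(n.lower() == name for _, _, n in target):
        return ("rebased", src)           # module loaded at another base
    return ("module-not-loaded", src)     # module absent from the target


if __name__ == "__main__":
    for label, target in [("same base", TARGET_SAME),
                          ("user32 absent", TARGET_NO_USER32),
                          ("user32 rebased", TARGET_REBASED)]:
        verdict, src = triage(LOADER, target, FAULT)
        print(f"{label:15} {verdict:18} {src[0]}+0x{src[1]:X}")
```

In the two mismatched sample maps the address is unmapped in the target, which is the condition a debugger reports as an access violation executing that location.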