A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #32019  by ptr
 Wed Aug 22, 2018 4:03 am
I'm trying to inject my exe payload into a remote process. I allocated memory in the remote process, converted the raw payload using RVA addressing, and applied the relocations and the import table.

When I test my solution in a Windows 10 environment it works fine. The exe is injected, runs properly, and shows me a message box.

But when I try to do the same on Windows 7 64-bit (loader, payload and target are all compiled in x86 mode), I get an error:
Access violation executing location 0x7698FD1E
I checked, and this address is the MessageBoxA function's address from the user32.dll library.

Here is my main code to inject the PE into the remote process:
Code:
    const char* target_n = "InjectTarget.exe";
    const char* payload_path = "C:\\Users\\pb\\source\\repos\\pe-dumper\\Debug\\DummyApp.exe";

    /* Raw (file-layout) payload and its NT headers; the helpers are defined elsewhere in the loader. */
    FILE* raw_payload = get_file_buffer(payload_path);
    PIMAGE_NT_HEADERS inth = get_nt_headers(raw_payload);

    DWORD kImageSize = inth->OptionalHeader.SizeOfImage;
    DWORD kTargetProcId = get_process_id(target_n);

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, kTargetProcId);
    if (hProcess == NULL) {
        printf("Error: OpenProcess failed (%lu)\n", GetLastError());
        return 1;
    }

    /* Reserve and commit the whole image in the target; this is the base the payload will run at. */
    LPVOID imageBaseRemote = VirtualAllocEx(hProcess, NULL, kImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (imageBaseRemote == NULL) {
        printf("Error: VirtualAllocEx failed (%lu)\n", GetLastError());
        return 1;
    }

    /* Build the image in section layout locally, fix it up for the remote base, then copy it over.
       The local copy is never executed, so it does not need to be executable. */
    LPVOID imageBaseLocal = VirtualAlloc(NULL, kImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    copy_raw_to_image_local(imageBaseLocal, raw_payload);
    adjust_relocations(imageBaseRemote, imageBaseLocal);
    /* Note: this resolves imports against the DLLs mapped in *this* process, not in the target. */
    adjust_imports(imageBaseLocal);

    SIZE_T bytesWritten = 0;   /* WriteProcessMemory reports a SIZE_T, not a DWORD */
    if (!WriteProcessMemory(hProcess, imageBaseRemote, imageBaseLocal, kImageSize, &bytesWritten)
        || bytesWritten != kImageSize) {
        printf("Cannot write to remote process (%lu)\n", GetLastError());
        return 1;
    }

    /* Entry point = remote base + AddressOfEntryPoint; run it as a new thread inside the target. */
    LPTHREAD_START_ROUTINE routine =
        (LPTHREAD_START_ROUTINE)((ULONG_PTR)imageBaseRemote + inth->OptionalHeader.AddressOfEntryPoint);

    DWORD threadId;
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, routine, NULL, 0, &threadId);
    if (hThread == NULL) {
        printf("CreateRemoteThread failed (%lu)\n", GetLastError());
        return 1;
    }
    CloseHandle(hThread);
    CloseHandle(hProcess);

    /* MEM_RELEASE requires dwSize == 0; passing kImageSize makes VirtualFree fail. */
    VirtualFree(imageBaseLocal, 0, MEM_RELEASE);
    fclose(raw_payload);
Why do these differences between Windows 10 and Windows 7 appear?
 #32026  by Vrtule
 Wed Aug 22, 2018 1:24 pm
If I am reading your code correctly, you are resolving imports based on the libraries loaded into your process, not the target one. Due to ASLR or a collision of base addresses of multiple DLLs, user32.dll may be placed at a different virtual address in the target process.
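To make the point above concrete, here is an added example (not code from this thread, and not ptr's adjust_imports): a platform-neutral C sketch of the IAT walk in which every import is resolved through a module map of the *target* process rather than through the loader's own address space. The structure names, the image layout, the module base, the export RVAs and ordinals are all constructed for illustration; a real loader obtains the target's module bases with EnumProcessModulesEx and GetModuleFileNameExA on the target handle, gets the export RVAs by parsing the DLL's export directory, and, when the DLL is not mapped in the target at all, loads it there first (for example via a remote thread on LoadLibraryA) instead of falling back to a local address.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for the 32-bit PE structures so this builds without <windows.h>;
 * the layout matches IMAGE_IMPORT_DESCRIPTOR. An IMAGE_IMPORT_BY_NAME entry is
 * a u16 hint followed by the ASCII function name. */
typedef struct {
    uint32_t OriginalFirstThunk; /* RVA of the import name table (INT) */
    uint32_t TimeDateStamp;
    uint32_t ForwarderChain;
    uint32_t Name;               /* RVA of the NUL-terminated DLL name */
    uint32_t FirstThunk;         /* RVA of the import address table (IAT) */
} ImportDescriptor32;
#define ORDINAL_FLAG32 0x80000000u

/* Where a DLL is mapped in the *target* process. Constructed here; a real loader
 * fills it from EnumProcessModulesEx + GetModuleFileNameExA on the target handle. */
typedef struct { const char *dll; uint32_t base; } TargetModule;

/* Export RVAs are file-relative, so they are identical in every process that maps
 * the same DLL file; only the base differs. The values used below are constructed. */
typedef struct { const char *dll; const char *name; uint16_t ordinal; uint32_t rva; } ExportRecord;

typedef struct {
    const TargetModule *mods; size_t nmods;
    const ExportRecord *exps; size_t nexps;
} Resolver;

static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        int ca = (*a >= 'A' && *a <= 'Z') ? *a + 32 : *a;
        int cb = (*b >= 'A' && *b <= 'Z') ? *b + 32 : *b;
        if (ca != cb) return 0;
    }
    return *a == *b;
}

/* Address of one import inside the target, or 0 when the DLL is not mapped there
 * or the export does not exist. name == NULL means "look up by ordinal". */
static uint32_t resolve_remote(const Resolver *r, const char *dll,
                               const char *name, uint16_t ordinal) {
    uint32_t base = 0;
    for (size_t i = 0; i < r->nmods; i++)
        if (eq_nocase(r->mods[i].dll, dll)) { base = r->mods[i].base; break; }
    if (base == 0) return 0;
    for (size_t i = 0; i < r->nexps; i++) {
        const ExportRecord *e = &r->exps[i];
        if (!eq_nocase(e->dll, dll)) continue;
        if (name ? (e->name && strcmp(e->name, name) == 0) : e->ordinal == ordinal)
            return base + e->rva;
    }
    return 0;
}

/* Walk the import directory of an image already laid out by sections (so an RVA is
 * an offset into `image`) and overwrite every IAT slot with the target-process
 * address. import_dir_rva is OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
 * Returns the number of slots patched, or -1 if any import could not be resolved.
 * A production loader must also bounds-check every RVA against SizeOfImage. */
static int fixup_imports(uint8_t *image, uint32_t import_dir_rva, const Resolver *r) {
    int patched = 0;
    for (uint32_t d = import_dir_rva;; d += (uint32_t)sizeof(ImportDescriptor32)) {
        ImportDescriptor32 desc;
        memcpy(&desc, image + d, sizeof desc);
        if (desc.Name == 0 && desc.FirstThunk == 0) break;      /* all-zero terminator */
        const char *dll = (const char *)(image + desc.Name);
        /* Some linkers leave OriginalFirstThunk 0; the IAT then doubles as the INT. */
        uint32_t int_rva = desc.OriginalFirstThunk ? desc.OriginalFirstThunk : desc.FirstThunk;
        for (uint32_t k = 0;; k += 4) {
            uint32_t thunk, addr;
            memcpy(&thunk, image + int_rva + k, 4);
            if (thunk == 0) break;
            if (thunk & ORDINAL_FLAG32)
                addr = resolve_remote(r, dll, NULL, (uint16_t)(thunk & 0xFFFFu));
            else
                addr = resolve_remote(r, dll, (const char *)(image + thunk + 2), 0);
            if (addr == 0) return -1;   /* never fall back to an address from this process */
            memcpy(image + desc.FirstThunk + k, &addr, 4);
            patched++;
        }
    }
    return patched;
}

/* Constructed image: only an import directory pulling MessageBoxA (by name) and
 * ordinal 2 from user32.dll. The offsets are arbitrary. */
#define SAMPLE_IMPORT_DIR 0x100u
#define SAMPLE_IAT        0x150u
static void build_sample_image(uint8_t *img, size_t len) {
    ImportDescriptor32 desc = { 0x140, 0, 0, 0x160, SAMPLE_IAT };
    uint32_t thunks[3] = { 0x170, ORDINAL_FLAG32 | 2, 0 };
    memset(img, 0, len);                              /* also supplies the terminators */
    memcpy(img + SAMPLE_IMPORT_DIR, &desc, sizeof desc);
    memcpy(img + 0x140, thunks, sizeof thunks);       /* INT */
    memcpy(img + SAMPLE_IAT, thunks, sizeof thunks);  /* IAT, still unbound */
    memcpy(img + 0x160, "user32.dll", 11);
    memcpy(img + 0x172, "MessageBoxA", 12);           /* hint word at 0x170 stays 0 */
}

/* Constructed view of the target: user32.dll at a base that need not match the
 * injecting process's own mapping. RVAs and ordinals are made up for the demo. */
static const TargetModule kTargetMods[] = { { "user32.dll", 0x75A00000u } };
static const ExportRecord kExports[] = {
    { "user32.dll", "MessageBoxA", 1, 0x0002FD1Eu },
    { "user32.dll", NULL,          2, 0x00030000u },
};

/* Fix up the sample image against `mods`; out[0..1] receive the two IAT slots. */
static int demo_fixup(const TargetModule *mods, size_t nmods, uint32_t out[2]) {
    uint8_t img[0x200];
    Resolver r = { mods, nmods, kExports, 2 };
    build_sample_image(img, sizeof img);
    int n = fixup_imports(img, SAMPLE_IMPORT_DIR, &r);
    memcpy(&out[0], img + SAMPLE_IAT, 4);
    memcpy(&out[1], img + SAMPLE_IAT + 4, 4);
    return n;
}
```

Calling demo_fixup(kTargetMods, 1, iat) patches both slots, writing 0x75A2FD1E for MessageBoxA and 0x75A30000 for ordinal 2, i.e. the target's base plus the export RVA. Calling it with an empty module map (the DLL not mapped in the target) returns -1 instead of silently writing an address that is only meaningful in the loader's own process; a loader that does the latter produces an IAT entry the target cannot safely call.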
 #32029  by ptr
 Wed Aug 22, 2018 6:30 pm
I also think (as you mentioned) that any imported DLL can be placed at a different address... but the application which I'm injecting is a simple application which only shows a message box. It has only one required DLL, which is user32.dll. As I found, user32.dll and kernel32.dll are placed at the same address for all running processes, so my loader can call the LoadLibrary function, then get MessageBoxA's address using GetProcAddress, and then use this address to update the import table of the injected app. So it should work.

The error code I'm getting is 0x5, which is "Access is denied."