Sin dejarlos de lado, ¿me podés decir por qué este code no funcionaría? Es solo una prueba de concepto y ni compila, pero necesitaría entender algunos puntos sobre él antes de avanzar.
El código ha cambiado un poco, eso sí, pero con este ejemplo es más figurado; y si entendés inglés, que me parece que sí porque me recomendaste textos en inglés, entonces vas a entender los comentarios.

Lo que quisiera saber sobre este code es específicamente por qué no funcionaría o quedaría sin comunicación entre el proceso local y el remoto, o sea, si en algún momento alguna dirección es inválida a causa de esa desconexión. Luego voy a pasar a los trucos.

/*---------------------------*/
/* Bookkeeping for the target process: its pid, a display name and the handle
 * obtained from OpenProcess(). `name` is read by main() but never assigned
 * anywhere in this listing, so those reads use an indeterminate pointer.
 * NOTE: an identifier starting with '_' followed by an uppercase letter
 * (`_PROCESS_info`) is reserved for the implementation. */
typedef struct _PROCESS_info
{
DWORD pid;       // target process id (filled in main, step 1)
char* name;      // display name of the target; not initialised in this listing
HANDLE oHandle;  // handle returned by OpenProcess() (main, step 3); never closed
} PROCESS_info, *PPROCESS_info;
/*---------------------------*/
//Structure that will be copied into the remote process
/* Parameter block that main() copies into the target process (step 9) and
 * passes to the remote thread as its LPVOID argument. Every pointer stored
 * here is later dereferenced inside the target's address space, so the
 * values have to be meaningful there, not only in the injector.
 * Does not compile as written: `tRand; pRand;` is two statements, not a
 * member declaration. */
struct lib_struct
{
/* these are from kernel32.dll that is at a static virtual address */
/* (author's assumption that the addresses are identical in the target; not verified in this listing) */
tLoadLibrary pLoadLibrary;//---------> pointer to function (set in main, step 2)
tGetProcAddress pGetProcAddress;//---------> pointer to function (set in main, step 2)
tGetModuleHandleA pGetModuleHandleA;//---------> pointer to function (never set in this listing)
tCreateThread pCreateThread;//---------> pointer to function (never set in this listing, yet called by test_func)
/*------------------------------------*/
/* from msvcrt.dll */
/* NOTE(review): Sleep is a kernel32 export; only srand/rand come from the CRT */
tSleep pSleep;//---------> pointer to function (never set in this listing)
tSrand pSrand;//---------> pointer to function (never set in this listing)
tRand; pRand;//---------> BUG: the stray ';' splits this into two statements; not a valid member
/* from opengl32.dll */
tglBegin pglBegin;//---------> pointer to the hook function (never set in this listing, yet read by HookFunction)
tglBegin Orig_glBegin;//---------> return address for the hook function (main stores the hook's target-side address here; HookFunction then overwrites it with the GetProcAddress result)
char str_glBegin[128];//will hold the name of the function
char strOpengl32[MAX_PATH];//will hold the name of the DLL
};
/*---------------------------*/
//Function that will be copied into the remote process
/* Replacement for glBegin, meant to execute inside the target process.
 * Intended behaviour: forward the call to the original glBegin through
 * Plib->Orig_glBegin. As written, `Plib` is declared but never assigned, so
 * the call below dereferences an indeterminate pointer (undefined
 * behaviour). The author raises the same point under the listing: nothing
 * tells this function where the copied lib_struct is. */
void APIENTRY New_glBegin(GLenum m)
{
lib_struct *Plib;  // BUG: uninitialised; never pointed at the copied lib_struct
Plib->Orig_glBegin(m);  // reads through the indeterminate pointer above
}
/*---------------------------*/
//Function that will be copied into the remote process
/* Thread routine intended to execute inside the target process: loads the
 * DLL named in lib_struct through the carried LoadLibrary pointer, resolves
 * the original glBegin, and (pseudocode only) redirects glBegin to the hook.
 * Compile problems visible here: the cast `(lib_struct)` has to be a pointer
 * cast, and `plib` (lowercase) on the two following lines is not the
 * declared `Plib`. The `*glBegin=` line is a placeholder, not a working
 * detour. Note that the assignment to Orig_glBegin overwrites the value
 * main() stored in that field at step 6. */
static DWORD WINAPI HookFunction(LPVOID libs_struct)
{
lib_struct *Plib=(lib_struct)libs_struct;  // cast should be to lib_struct*
HMODULE load_lib = Plib->pLoadLibrary(plib->strOpengl32);  // `plib` is undeclared (case differs from Plib); return value unchecked
//Initialize the original address for glBegin hook return
Plib->Orig_glBegin= (tglBegin)Plib->pGetProcAddress(load_lib, plib->str_glBegin);  // same `plib` typo; replaces what main() put here
/* detour on glBegin at remote process (pseudocode) */
*glBegin=Plib->pglBegin;//pglBegin is the address of the hook function in the remote process (pglBegin is never assigned in this listing)
return 0;
}
/*---------------------------*/
//Function that will be copied into the remote process
/* Entry point of the remote thread that main() starts at step 10. It is meant
 * to spawn a second thread inside the target that runs HookFunction.
 * Visible defects: `PLib` on the CreateThread line is not the declared
 * `Plib`; `HookFunction` is not a member of lib_struct, so
 * `Plib->HookFunction` does not compile; the cast `(lib_struct)` has to be a
 * pointer cast; and pCreateThread is never assigned in this listing, so the
 * call goes through an indeterminate pointer. Unlike HookFunction this
 * routine returns int rather than DWORD. */
static int WINAPI test_func(LPVOID libs_struct)
{
lib_struct *Plib=(lib_struct)libs_struct;  // cast should be to lib_struct*
//this function will be copied in the remote process; I would like to start a thread here
//and the hooking thread will hook glBegin.
//in order to do that I need to copy New_glBegin and init pointer pglBegin to locate it
//in the remote process
//I also need to init Orig_glBegin so the hook can return to the original glBegin
//but the pointer value has to be the glBegin address in the remote process
PLib->pCreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Plib->HookFunction, libs_struct, 0, NULL);  // `PLib` undeclared; lib_struct has no HookFunction member; handle not checked or closed
return 1;
}
/*---------------------------*/
/* Empty naked function placed after test_func; main() subtracts test_func's
 * address from this one (step 4) to estimate how many bytes to copy. That
 * assumes the compiler and linker keep the two functions adjacent and in
 * source order, which is not guaranteed. */
static void __declspec(naked) end_proc() {}
/*---------------------------*/
/* Injector side (runs in the local process).
 * Sequence: resolve two kernel32 exports, fill lib_struct, open the target
 * with memory and thread rights, allocate RWX regions in it, copy three
 * functions and the struct across, then start test_func there with
 * CreateRemoteThread.
 * Detection note: OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD) ->
 * VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
 * CreateRemoteThread is the classic code-injection chain and is precisely
 * the sequence endpoint-monitoring products alert on.
 * As a listing this does not compile; the individual problems are marked
 * inline. `[b]`/`[/b]` are forum bold tags left in the paste, not code. */
int main()
{
lib_struct libs;  // only pLoadLibrary, pGetProcAddress, Orig_glBegin and the two strings are ever set below; the other members are copied uninitialised
// STEP 1: choose the target
PROCESS_info process;
process.pid = GetProcessPid(process.name  // unterminated statement; process.name is read before anything assigns it
printf("[*] Getting full access...");
// STEP 2: resolve the two kernel32 exports the remote code will use
libs.pLoadLibrary = (pLoadLibrary)GetProcAddress(kernel32, "LoadLibraryA");  // `kernel32` is undeclared; the cast names the member (pLoadLibrary), not its type (tLoadLibrary)
libs.pGetProcAddress = (pGetProcAddress)GetProcAddress(kernel32, "GetProcAddress");  // same two problems
strcpy(libs.strOpeng32, "opengl32.dll");  // member is spelled strOpengl32 in lib_struct
strcpy(libs.str_glBegin, "glBegin");
printf("[*] Filling up lib_struct...");
// STEP 3: open the target with the rights needed to allocate, write and create a thread
process.oHandle = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_OPERATION|PROCESS_VM_READ|PROCESS_VM_WRITE, FALSE, process.pid);  // result never checked for NULL; handle never closed
printf("[*] Opening process %s...", process.name);
// STEP 4: estimate test_func's size from the address of the function placed after it
DWORD proc_size = (DWORD)end_proc - (DWORD)test_func;  // depends on link order; truncates pointers to 32 bits on a 64-bit build
printf("[*] Function size: %d\n", proc_size);  // %d with a DWORD (unsigned long); %lu matches
// STEP 5: one RWX region per function to copy; proc_size was measured for test_func only
LPVOID [b]glbeginhook_addr[/b] = VirtualAllocEx(process.oHandle, NULL, proc_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);  // sized with test_func's length, not New_glBegin's
LPVOID [b]hookfunction_addr[/b] = VirtualAllocEx(process.oHandle, NULL, proc_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);  // sized with test_func's length, not HookFunction's
LPVOID [b]testfunc_addr[/b] = VirtualAllocEx(process.oHandle, NULL, proc_size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);  // none of the three results is checked for NULL
printf("[*] Allocating memory space in %s for test_func...", process.name);
// STEP 6 (author's intent: record where New_glBegin will live in the target)
[b]libs.Orig_glBegin[/b] = *(tglBegin)glbeginhook_addr;  // assuming tglBegin is a function-pointer typedef (as Orig_glBegin(m) implies), the '*' is a no-op: this just stores the hook's target-side address in the field named "original", contradicting the comment in lib_struct
printf("[*] Filling up lib_struct again!!!!! ...");
// STEP 7: space in the target for the parameter block (requested RWX although it holds only data)
LPVOID struct_addr = VirtualAllocEx(process.oHandle, NULL, sizeof(libs), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
printf("[*] Allocating memory space in %s for lib_struct libs...", process.name);
// STEP 8: copy the three function bodies
WriteProcessMemory(process.oHandle, [b]glbeginhook_addr[/b], New_glBegin, proc_size, &written_bytes);  // `written_bytes` is never declared; proc_size is test_func's size
WriteProcessMemory(process.oHandle, [b]hookfunction_addr[/b], HookFunc, proc_size, &written_bytes);  // `HookFunc` is undeclared (the routine above is HookFunction)
WriteProcessMemory(process.oHandle, [b]testfunc_addr[/b], test_func, proc_size, &written_bytes);  // return values of all three writes ignored
printf("[*] Writing \'test_func\' in %s...", process.name);
// STEP 9: copy the parameter block; the pointer values inside are the local ones set above
WriteProcessMemory(process.oHandle, struct_addr, &libs, sizeof(libs), &written_bytes);
printf("[*] Writing \'lib_struct libs\' in %s...", process.name);
// STEP 10: run test_func inside the target with struct_addr as its argument
DWORD thread_id;
HANDLE remote_thread = CreateRemoteThread(process.oHandle, NULL, 0, (LPTHREAD_START_ROUTINE)func_addr, struct_addr, 0, &thread_id);  // `func_addr` is undeclared; remote_thread is never checked, waited on or closed
printf("[*] Creating remote thread for test_func in %s...", process.name);
// STEP 11
printf(" done\n[*] Thread id: %d\n", thread_id);  // %d with a DWORD; %lu matches
}
Obviamente el primer problema, a primera impresión, está en New_glBegin, porque no tiene la address de la struct como para retornar a Orig_glBegin :(



















