
Trainer Tutorials

This section of the site is dedicated to Trainer Tutorials to help everyone get a better understanding of how Game Trainers are made and how they function.

Code Injection Part 3 Tutorial

You can view this tutorial in its original format here
                  @@@@@@@   @@@@@@@  @@@@@@@@ @@@@@
                  @@@@@@@@  @@@@@@@@ @@@@@@@@ @@@@@
                  @@!  @@@  @@!  @@@      @@@ @@!!@
                  !@!  @!@  !@!  @!@     @!@  !@ @!
                  @!@!!@!   @!@!!@!     !!@!  @@@!!
                  !!@!@!!!  !!@!@!     !!@    !!!!!
                  !!:   !!! !!: :!!  !!!::!!! !!::! 
                  :!:   !:! :!:  !:! !:!:!::! :!:!!
                  :!!:::!!  ::   :::   ::!:   :::!
                  ::!!:!!   :    : :     :     ::
                    :::     
                     :

Tutorial on Code Injection - Part 3 - Injecting a ShellExecute API by brzi
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Released under DEViOUS (http://www.devious.tsongkie.com)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
brzi@devious.tsongkie.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Best viewed in WordPad, font Courier New, Regular, 10

TABLE OF CONTENTS
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1. Introduction
2. Tools Needed
3. API Explanation 
4. The Injection
5. Final Words
6. Greets


1.INTRODUCTION - a short one :)
**************

Well, here I am again, in front of my PC writing another tutorial as I 
promised in my previous one. In this one I'll show you how to inject
a very useful API function called ShellExecute. It is used for many things,
such as opening documents, executable files, web pages and so on. Again I'll use
Tsongkie's Code Cave Tool because:
1. It's a very good and useful program.
2. It has a lot of functions that we can use.
3. Tsongkie is the author and he's a good friend of mine, and he 
won't be angry if we play with his progie as long as it is used for learning
- or will you, Tsongkie??? I know that this is not a real "introduction" 
but who gives a f**k... Let's continue..

2.TOOLS NEEDED
**************

-> TSearch - www.gamehacking.com
-> Tsongkie's Code Cave Tool - www.tsonggkie.com
-> W32Dasm89 - Windows Disassembler - wwww.gamehacking.com
-> API reference - I had a link for this but I forgot it, sorry :)
-> Piece of paper

3. API EXPLANATION
******************

As I said, we'll use the ShellExecute API for this tutorial. The explanation is a
little long but it's very good. Here it is ..

The ShellExecute function opens or prints a specified file. The file can be 
an executable file or a document file. See 

HINSTANCE ShellExecute(

    HWND  hwnd,	// handle to parent window
    LPCTSTR  lpOperation,	// pointer to string that specifies operation to perform
    LPCTSTR  lpFile,	// pointer to filename string
    LPTSTR  lpParameters,	// pointer to string that specifies executable-file parameters 
    LPCTSTR  lpDirectory,	// pointer to string that specifies default directory
    INT  nShowCmd 	// whether file is shown when opened
   );	
Parameters

hwnd

Specifies a parent window. This window receives any message boxes that an 
application produces. For example, an application may report an error by 
producing a message box.  

lpOperation

Pointer to a null-terminated string that specifies the operation to perform. 
The following operation strings are valid:

String	Meaning

"open"	The function opens the file specified by lpFile. The file can be
an executable file or a document file.

"print"	The function prints the file specified by lpFile. The file 
should be a document file. If the file is an executable file, the function 
opens the file, as if "open" had been specified.

The lpOperation parameter can be NULL. In that case, the function opens the 
file specified by lpFile. 

lpFile

Pointer to a null-terminated string that specifies the file to open or 
print. The function can open an executable file or a document file. 
The function can print a document file. 

lpParameters

If lpFile specifies an executable file, lpParameters is a pointer to a 
null-terminated string that specifies parameters to be passed to the 
application.
If lpFile specifies a document file, lpParameters should be NULL. 

lpDirectory

Pointer to a null-terminated string that specifies the default directory. 

nShowCmd

If lpFile specifies an executable file, nShowCmd specifies how the 
application is to be shown when it is opened.  This parameter can be one of 
the following values: 

Value	Meaning

SW_HIDE	Hides the window and activates another window.
SW_MAXIMIZE	Maximizes the specified window.
SW_MINIMIZE	Minimizes the specified window and activates the next top-level 
window in the Z order.
SW_RESTORE	Activates and displays the window. If the window is minimized or
maximized, Windows restores it to its original size and position. 
An application should specify this flag when restoring a minimized window.
SW_SHOW	Activates the window and displays it in its current size and position. 
SW_SHOWDEFAULT	Sets the show state based on the SW_ flag specified in 
the STARTUPINFO structure passed to the CreateProcess function by the 
program that started the application. An application should call ShowWindow 
with this flag to set the initial show state of its main window.
SW_SHOWMAXIMIZED	Activates the window and displays it as a maximized window.
SW_SHOWMINIMIZED	Activates the window and displays it as a minimized window.
SW_SHOWMINNOACTIVE	Displays the window as a minimized window. 
The active window remains active.
SW_SHOWNA	Displays the window in its current state. The active window 
remains active.
SW_SHOWNOACTIVATE	Displays a window in its most recent size and position. 
The active window remains active.
SW_SHOWNORMAL	Activates and displays a window. If the window is 
minimized or maximized, Windows restores it to its original size and 
position. An application should specify this flag when displaying the 
window for the first time.
If lpFile specifies a document file, nShowCmd should be zero. 

Return Value

If the function succeeds, the return value is the instance handle of the 
application that was run, or the handle of a dynamic data exchange (DDE) 
server application.
If the function fails, the return value is an error value that is less than
or equal to 32. The following table lists these error values:

Value	Meaning
0	The operating system is out of memory or resources.
ERROR_FILE_NOT_FOUND	The specified file was not found.
ERROR_PATH_NOT_FOUND	The specified path was not found.
ERROR_BAD_FORMAT	The .EXE file is invalid (non-Win32 .EXE or error in .EXE 
image).
SE_ERR_ACCESSDENIED	Windows 95 only: The operating system denied access 
to the specified file. 
SE_ERR_ASSOCINCOMPLETE	The filename association is incomplete or invalid.
SE_ERR_DDEBUSY	The DDE transaction could not be completed because other 
DDE transactions were being processed.
SE_ERR_DDEFAIL	The DDE transaction failed.
SE_ERR_DDETIMEOUT	The DDE transaction could not be completed because the 
request timed out.
SE_ERR_DLLNOTFOUND	Windows 95 only: The specified dynamic-link library 
was not found. 
SE_ERR_FNF	Windows 95 only: The specified file was not found. 
SE_ERR_NOASSOC	There is no application associated with the given filename
extension.
SE_ERR_OOM	Windows 95 only: There was not enough memory to complete the 
operation.
SE_ERR_PNF	Windows 95 only: The specified path was not found.
SE_ERR_SHARE	A sharing violation occurred.


4. THE INJECTION
****************

First let's explore Tsongkie's Code Cave Tool a little. If you run it you
will see that it has:
1. A logo -> This does nothing
2. A listbox -> Displays the code caves found in the specified process
3. An EditBox -> You type the Window Name here
4. And three buttons:
	* Search -> Searches for and opens the process with the given Window Name
	* Help -> Runs the Readme.txt file <- this btn is useful for this tut
	* About -> Displays information about who coded the program

So if you press the Help button it will open the Readme.txt, which can be
found in the program directory, or if the file does not exist it will open
your Windows Readme file. Now we will inject the ShellExecute call so that
it opens another file or executable instead. Let's make a little MSGBOX program
that we will use as the file to open. The first example is in MASM and the second in
Visual Basic. You can use any program you like, this is just an example.

-> MASM - don't type this :)

.386
.model flat, stdcall
option casemap: none

include \masm32\windows.inc
include \masm32\user32.inc
include \masm32\kernel32.inc

includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
MsgText db "Brzi's Code Injection Tut #3",0
MsgCap db "Info",0

.code
start:
invoke MessageBox,NULL,addr MsgText,addr MsgCap,MB_OK
invoke ExitProcess,NULL
end start

Well, I think it is something like this :)
In VB remove the Form1 form, add a module, set the project's Startup Object
to Sub Main and type this in it:

Sub Main()
    ' MsgBox takes the arguments prompt, buttons, title - in that order
    MsgBox "Brzi's Code Injection Tut #3", vbOKOnly, "Info"
End Sub

Compile it.

Ok, now let's disassemble the file with W32Dasm89. Click on the ImpFn button 
on the toolbar and then double click on the ShellExecuteA function.
I have this code:

:0040106A 6A03                    push 00000003 <- whether file is shown when opened
:0040106C 6A00                    push 00000000 <- pointer to string that specifies default directory
:0040106E 6A00                    push 00000000 <- pointer to string that specifies executable-file parameters

* Possible StringData Ref from Data Obj ->"README.TXT"
                                  |
:00401070 683E304000              push 0040303E <- pointer to filename string
:00401075 6A00                    push 00000000 <- pointer to string that specifies operation to perform
:00401077 6A00                    push 00000000 <- handle to parent window

* Reference To: SHELL32.ShellExecuteA, Ord:006Eh
                                  |
:00401079 E890010000              Call 0040120E <- call ShellExecute
:0040107E EB3A                    jmp 004010BA <- we jmp back here

So now we know everything that we need, so run TSearch and open EasyWrite.
I found some code caves so you don't have to bother to search for them.

//[BEGIN TSEARCH SCRIPT - ShellExecute]

//First we will write our .exe name
offset 0040125C
asc "MsgBox.exe" 
//change MsgBox.exe to whatever program you want to run
//NOTE: If you specify only the .exe name then you will have to copy the exe
//to the TCCT directory, or you will need to specify the whole path, but that
//will use lots of bytes

//this is the null terminator needed for all strings
hex 00  

//Now we will write the operation
offset 0040126C

//this is the operation that will be performed
asc "open" 
//null terminator
hex 00 

//Now we will inject the most important things
//Here we will land when we jump from the main code
offset 0040127C

//whether the file is shown when opened
push 00000003

//push pointer to string that specifies default directory
push 00000000

//push pointer to string that specifies executable-file parameters
push 00000000

//push the name of the file to be opened
//this was 0040303E
push 0040125C 

//push the operation that will be performed
push 0040126C

//push the handle of window
push 00000000

//call ShellExecute
Call 0040120E

//jump back 
jmp 0040107E

//Now we will jmp from the main code to our code
offset 0040106A
jmp 0040127C

//[END TSEARCH SCRIPT - ShellExecute]

This is how the code looks without the explanation:

Our Code:

push 00000003
push 00000000
push 00000000
push 0040125C
push 0040126C
push 00000000
Call 0040120E
jmp 0040107E

The game code (replaced):

jmp 0040127C
push .....
..........
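As an added example (not part of brzi's tutorial or of the tools it uses), this Python decodes the bytes of the W32Dasm listing above, maps the six pushes onto ShellExecuteA's parameters (stdcall pushes right to left, so the last push is hwnd), and encodes the 5-byte `jmp 0040127C` that the script pokes at 0040106A. The byte string is constructed from the hex column of the listing; only the five opcodes that occur there are decoded.

```python
import struct

# Constructed from the W32Dasm listing quoted in this tutorial: the bytes of
# the original ShellExecuteA call site, 0040106A..0040107F, as shown there.
SITE_BASE = 0x0040106A
ORIGINAL_SITE = bytes.fromhex("6A03 6A00 6A00 683E304000 6A00 6A00 E890010000 EB3A")

# ShellExecute parameters in declaration order (see the API reference above).
PARAMS = ("hwnd", "lpOperation", "lpFile", "lpParameters", "lpDirectory", "nShowCmd")


def decode(code, base):
    """Decode 6A ib (push imm8, sign-extended), 68 id (push imm32), E8 cd (call
    rel32), EB cb (jmp rel8) and E9 cd (jmp rel32) into (address, mnemonic)."""
    out, pc = [], 0
    while pc < len(code):
        addr, op = base + pc, code[pc]
        if op == 0x6A:                        # push imm8
            imm, size = struct.unpack_from("<b", code, pc + 1)[0], 2
            text = f"push {imm & 0xFFFFFFFF:08X}"
        elif op == 0x68:                      # push imm32
            imm, size = struct.unpack_from("<I", code, pc + 1)[0], 5
            text = f"push {imm:08X}"
        elif op in (0xE8, 0xE9):              # call / jmp rel32
            rel, size = struct.unpack_from("<i", code, pc + 1)[0], 5
            mn = "call" if op == 0xE8 else "jmp"
            text = f"{mn} {(addr + size + rel) & 0xFFFFFFFF:08X}"
        elif op == 0xEB:                      # jmp rel8
            rel, size = struct.unpack_from("<b", code, pc + 1)[0], 2
            text = f"jmp {(addr + size + rel) & 0xFFFFFFFF:08X}"
        else:
            raise ValueError(f"unsupported opcode {op:02X} at {addr:08X}")
        out.append((addr, text))
        pc += size
    return out


def shellexecute_args(listing):
    """Map the six pushes before the first call onto ShellExecuteA's parameters."""
    call_idx = next(i for i, (_, t) in enumerate(listing) if t.startswith("call"))
    pushes = listing[max(call_idx - 6, 0):call_idx]
    if len(pushes) != 6 or not all(t.startswith("push") for _, t in pushes):
        raise ValueError("expected exactly six pushes before the call")
    values = [int(t.split()[1], 16) for _, t in pushes]
    return dict(zip(PARAMS, reversed(values)))   # last push is the first parameter


def encode_jmp_rel32(src, dst):
    """Bytes of the 5-byte 'jmp dst' poked at src: E9 + rel32, where rel32 is
    measured from the end of the jmp instruction (src + 5)."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))
```

Running `decode(ORIGINAL_SITE, SITE_BASE)` reproduces the eight instructions of the listing, and the hook bytes come out as `E9 0D 02 00 00`, which overwrite the first three 2-byte pushes (0040106A..0040106E) and leave the byte at 0040106F untouched.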

Well, add a hotkey to the script and try it. It opened our program! 
Interesting stuff, eh.. Or you can replace MsgBox.exe with TCCT and that
way when you press the Help button it will open Tcct.exe.
Until next time, cya... Take care :)


5.FINAL WORDS
*************

Whenever you do code injection, always poke your cave code first and the main
code (the jump into the cave) last, because in some cases the game/program will
crash if it reaches a jump to a cave that is not filled yet. It is safer and
better. And I need a favor - will somebody make me a good ASCII logo cuz
mine sucks - please! Any suggestions, questions and critics are welcome,
mail me at brzi@devious.tsongkie.com 
And one other thing.. I think that these tutorials can help you learn
to code in ASM (TASM). This is how the code would look the TASM way. Just the
function call. I'm not saying that I know how to code in TASM, but I know how to 
do some stuff so..

push 3
push 0
push 0
push 0040125C
push 0040126C
push 0
Call ShellExecute


->brzi

        'at the end of days, at the end of time...
     when the sun burns out,will any of this matter?
       who will be there to remember who we were..
  who will know that any of this had meaning for us...'

6.GREETS
********

 + Stoner + Omega + Tsongkie + EEDOK + Bie + Micral + Invader + VBTrainer +
 + PCP + [sheep] + snow + ddh + rat + SubZero and everybody else..
-> Greets in no special order ... 

Copyright © (1998) 2004 - 2016 GamePatchPlanet.com. All Rights Reserved.