Tutorial on Code Injection - Part 3 - Injecting a ShellExecute API by brzi
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Released under DEViOUS (http://www.devious.tsongkie.com)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

brzi@devious.tsongkie.com
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Best viewed in WordPad, font Courier New, Regular, 10

TABLE OF CONTENTS
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1. Introduction
2. Tools Needed
3. API Explanation
4. The Injection
5. Final Words
6. Greets


1. INTRODUCTION - a short one :)
**************

Well, here I am again, in front of my PC writing another tutorial, as I promised
in my previous one. In this one I'll show you how to inject a very useful API
function called ShellExecute. It is used for many things, such as opening
documents, executable files, web pages and so on. Again I'll use Tsongkie's Code
Cave Tool because:

1. It's a very good and useful program.
2. It has a lot of functions that we can use.
3. Tsongkie is the author and he's a good friend of mine, and he won't be angry
   if we play with his progie as long as it is used for learning - or will you,
   Tsongkie???

I know that this is not a real "introduction" but who gives a f**k... Let's
continue..


2. TOOLS NEEDED
**************

-> TSearch - www.gamehacking.com
-> Tsongkie's Code Cave Tool - www.tsongkie.com
-> W32Dasm89 - Windows Disassembler - www.gamehacking.com
-> API reference - I had a link for this but I forgot it, sorry :)
-> Piece of paper


3. API EXPLANATION
******************

As I said, we'll use the ShellExecute API for this tutorial. The explanation is
a little long but it's very good. Here it is..

The ShellExecute function opens or prints a specified file.
The file can be an executable file or a document file.

    HINSTANCE ShellExecute(
        HWND    hwnd,         // handle to parent window
        LPCTSTR lpOperation,  // pointer to string that specifies operation to perform
        LPCTSTR lpFile,       // pointer to filename string
        LPTSTR  lpParameters, // pointer to string that specifies executable-file parameters
        LPCTSTR lpDirectory,  // pointer to string that specifies default directory
        INT     nShowCmd      // whether file is shown when opened
    );

Parameters

hwnd
    Specifies a parent window. This window receives any message boxes that an
    application produces. For example, an application may report an error by
    producing a message box.

lpOperation
    Pointer to a null-terminated string that specifies the operation to perform.
    The following operation strings are valid:

    String   Meaning
    "open"   The function opens the file specified by lpFile. The file can be an
             executable file or a document file.
    "print"  The function prints the file specified by lpFile. The file should be
             a document file. If the file is an executable file, the function
             opens the file, as if "open" had been specified.

    The lpOperation parameter can be NULL. In that case, the function opens the
    file specified by lpFile.

lpFile
    Pointer to a null-terminated string that specifies the file to open or
    print. The function can open an executable file or a document file. The
    function can print a document file.

lpParameters
    If lpFile specifies an executable file, lpParameters is a pointer to a
    null-terminated string that specifies parameters to be passed to the
    application. If lpFile specifies a document file, lpParameters should be
    NULL.

lpDirectory
    Pointer to a null-terminated string that specifies the default directory.

nShowCmd
    If lpFile specifies an executable file, nShowCmd specifies how the
    application is to be shown when it is opened. This parameter can be one of
    the following values:

    Value               Meaning
    SW_HIDE             Hides the window and activates another window.
    SW_MAXIMIZE         Maximizes the specified window.
    SW_MINIMIZE         Minimizes the specified window and activates the next
                        top-level window in the Z order.
    SW_RESTORE          Activates and displays the window. If the window is
                        minimized or maximized, Windows restores it to its
                        original size and position. An application should
                        specify this flag when restoring a minimized window.
    SW_SHOW             Activates the window and displays it in its current size
                        and position.
    SW_SHOWDEFAULT      Sets the show state based on the SW_ flag specified in
                        the STARTUPINFO structure passed to the CreateProcess
                        function by the program that started the application.
                        An application should call ShowWindow with this flag to
                        set the initial show state of its main window.
    SW_SHOWMAXIMIZED    Activates the window and displays it as a maximized
                        window.
    SW_SHOWMINIMIZED    Activates the window and displays it as a minimized
                        window.
    SW_SHOWMINNOACTIVE  Displays the window as a minimized window. The active
                        window remains active.
    SW_SHOWNA           Displays the window in its current state. The active
                        window remains active.
    SW_SHOWNOACTIVATE   Displays a window in its most recent size and position.
                        The active window remains active.
    SW_SHOWNORMAL       Activates and displays a window. If the window is
                        minimized or maximized, Windows restores it to its
                        original size and position. An application should
                        specify this flag when displaying the window for the
                        first time.

    If lpFile specifies a document file, nShowCmd should be zero.

Return Value

If the function succeeds, the return value is the instance handle of the
application that was run, or the handle of a dynamic data exchange (DDE) server
application. If the function fails, the return value is an error value that is
less than or equal to 32. The following table lists these error values:

    Value                   Meaning
    0                       The operating system is out of memory or resources.
    ERROR_FILE_NOT_FOUND    The specified file was not found.
    ERROR_PATH_NOT_FOUND    The specified path was not found.
    ERROR_BAD_FORMAT        The .EXE file is invalid (non-Win32 .EXE or error in
                            .EXE image).
    SE_ERR_ACCESSDENIED     Windows 95 only: The operating system denied access
                            to the specified file.
    SE_ERR_ASSOCINCOMPLETE  The filename association is incomplete or invalid.
    SE_ERR_DDEBUSY          The DDE transaction could not be completed because
                            other DDE transactions were being processed.
    SE_ERR_DDEFAIL          The DDE transaction failed.
    SE_ERR_DDETIMEOUT       The DDE transaction could not be completed because
                            the request timed out.
    SE_ERR_DLLNOTFOUND      Windows 95 only: The specified dynamic-link library
                            was not found.
    SE_ERR_FNF              Windows 95 only: The specified file was not found.
    SE_ERR_NOASSOC          There is no application associated with the given
                            filename extension.
    SE_ERR_OOM              Windows 95 only: There was not enough memory to
                            complete the operation.
    SE_ERR_PNF              Windows 95 only: The specified path was not found.
    SE_ERR_SHARE            A sharing violation occurred.


4. THE INJECTION
****************

First let's explore Tsongkie's Code Cave Tool a little. If you run it you will
see that it has:

1. A logo      -> This does nothing
2. A listbox   -> Displays the code caves found in the specified process
3. An EditBox  -> You type the window name here
4. And three buttons:
   * Search -> Searches for and opens the process with the given window name
   * Help   -> Runs the Readme.txt file <- this button is useful for this tut
   * About  -> Displays information about who coded the program

So if you press the Help button it will open the Readme.txt, which can be found
in the program directory, or, if that file does not exist, it will open your
Windows readme file. Now we will inject the ShellExecute function so that it
opens another file or executable instead.

Let's make a little MSGBOX program that we will use for opening. The first
example is in MASM and the second in Visual Basic. You can use any program you
like, this is just an example.
-> MASM - don't type this :)

    .386
    .model flat, stdcall
    option casemap:none

    include \masm32\include\windows.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    includelib \masm32\lib\user32.lib
    includelib \masm32\lib\kernel32.lib

    .data
    MsgText db "Brzi's Code Injection Tut #3",0
    MsgCap  db "Info",0

    .code
    start:
        invoke MessageBox,NULL,addr MsgText,addr MsgCap,MB_OK
        invoke ExitProcess,NULL
    end start

Well, I think that it is something like this :)

In VB remove the Form1 form, add a module and type this in it (note that the
MsgBox arguments are prompt, buttons, title, in that order):

    Sub Main()
        MsgBox "Brzi's Code Injection Tut #3", vbOKOnly, "Info"
    End Sub

Compile it.

OK, now let's disassemble the Code Cave Tool with W32Dasm89. Click on the ImpFn
button on the toolbar and then double click on the ShellExecuteA function. I
have this code:

    :0040106A 6A03          push 00000003  <- whether file is shown when opened
    :0040106C 6A00          push 00000000  <- pointer to string that specifies default directory
    :0040106E 6A00          push 00000000  <- pointer to string that specifies executable-file parameters

    * Possible StringData Ref from Data Obj ->"README.TXT"
                                      |
    :00401070 683E304000    push 0040303E  <- pointer to filename string
    :00401075 6A00          push 00000000  <- pointer to string that specifies operation to perform
    :00401077 6A00          push 00000000  <- handle to parent window

    * Reference To: SHELL32.ShellExecuteA, Ord:006Eh
                                      |
    :00401079 E890010000    Call 0040120E  <- call ShellExecute
    :0040107E EB3A          jmp 004010BA   <- we jmp back here

Note the order: the arguments are pushed right to left, so the first push
(00000003) is the last parameter, nShowCmd, and the last push before the call
is hwnd.

So now we know everything that we need, so run TSearch and open EasyWrite. I
found some code caves, so you don't have to bother searching for them.
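As an added check (my code, not part of brzi's tutorial or of TCCT), the following Python decodes the bytes from the W32Dasm listing above back into the ShellExecuteA arguments, then encodes the same six pushes, call and return jump at a cave address to confirm that the relative call/jmp displacements resolve where they should. It assumes the addresses from the listing (call site 0040106A, ShellExecuteA thunk 0040120E) and the cave addresses used in the TSearch script that follows (strings at 0040125C and 0040126C, code at 0040127C).

```python
import struct

# Constructed from the W32Dasm listing above (assumption): bytes at the ShellExecuteA call site, 0040106A..0040107F.
CALL_SITE = 0x0040106A
CALL_SITE_BYTES = bytes.fromhex("6A03 6A00 6A00 683E304000 6A00 6A00 E890010000 EB3A")
PARAMS = ("hwnd", "lpOperation", "lpFile", "lpParameters", "lpDirectory", "nShowCmd")
MASK = 0xFFFFFFFF

def decode(code, base):
    """Decode push imm8/imm32, call rel32 and jmp rel8/rel32 into (addr, mnemonic, value) tuples."""
    out, i = [], 0
    while i < len(code):
        addr, op = base + i, code[i]
        if op == 0x6A:                      # push imm8, sign-extended to 32 bits
            out.append((addr, "push", struct.unpack_from("<b", code, i + 1)[0] & MASK)); i += 2
        elif op == 0x68:                    # push imm32
            out.append((addr, "push", struct.unpack_from("<I", code, i + 1)[0])); i += 5
        elif op in (0xE8, 0xE9):            # call/jmp rel32: target = address of next instruction + rel
            rel = struct.unpack_from("<i", code, i + 1)[0]
            out.append((addr, "call" if op == 0xE8 else "jmp", (addr + 5 + rel) & MASK)); i += 5
        elif op == 0xEB:                    # jmp rel8
            out.append((addr, "jmp", (addr + 2 + struct.unpack_from("<b", code, i + 1)[0]) & MASK)); i += 2
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {addr:#010x}")
    return out

def stdcall_args(insns, params=PARAMS):
    """Name the pushes before the first call: stdcall pushes right to left, so the last push is hwnd."""
    first_call = next(i for i, (_, m, _) in enumerate(insns) if m == "call")
    pushes = [v for _, m, v in insns[:first_call] if m == "push"]
    assert len(pushes) == len(params), f"expected {len(params)} pushes, found {len(pushes)}"
    return dict(zip(params, reversed(pushes)))

def assemble(insns, base):
    """Encode (mnemonic, value) pairs at base; call/jmp get a rel32 relative to the next instruction."""
    out = bytearray()
    for mnem, val in insns:
        if mnem == "push":
            out += (b"\x6A" + struct.pack("<b", val)) if 0 <= val < 128 else (b"\x68" + struct.pack("<I", val))
        else:
            out += (b"\xE8" if mnem == "call" else b"\xE9") + struct.pack("<i", val - (base + len(out) + 5))
    return bytes(out)

# The cave from the TSearch script: same arguments, but lpFile/lpOperation now point at 0040125C/0040126C.
CAVE_BASE = 0x0040127C
CAVE = [("push", 3), ("push", 0), ("push", 0), ("push", 0x0040125C),
        ("push", 0x0040126C), ("push", 0), ("call", 0x0040120E), ("jmp", 0x0040107E)]

def encoded_patch():
    """Return (jmp bytes written at 0040106A, cave bytes written at 0040127C)."""
    return assemble([("jmp", CAVE_BASE)], CALL_SITE), assemble(CAVE, CAVE_BASE)
```

The hook jmp is 5 bytes, so it overwrites the three 2-byte pushes at 0040106A..0040106E and leaves a stray 00 byte at 0040106F; that byte is never executed only because the cave jumps back to 0040107E, past it.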
    //[BEGIN TSEARCH SCRIPT - ShellExecute]

    //First we will write our .exe name
    offset 0040125C
    asc "MsgBox.exe"
    //change MsgBox.exe to whatever program you want to run
    //NOTE: If you specify only the .exe name then you will have to copy the exe
    //to the TCCT directory, or you will need to specify the whole path, but that
    //will use lots of bytes
    //this is the null terminator needed for all strings
    hex 00

    //Now we will write the operation
    offset 0040126C
    //this is the operation that will be performed
    asc "open"
    //null terminator
    hex 00

    //Now we will inject the most important things
    //Here we will land when we jump from the main code
    offset 0040127C
    //whether the file is shown when opened
    push 00000003
    //push pointer to string that specifies default directory
    push 00000000
    //push pointer to string that specifies executable-file parameters
    push 00000000
    //push the name of the file to be opened
    //this was 0040303E
    push 0040125C
    //push the operation that will be performed
    push 0040126C
    //push the handle of the window
    push 00000000
    //call ShellExecute
    Call 0040120E
    //jump back
    jmp 0040107E

    //Now we will jmp from the main code to our code
    offset 0040106A
    jmp 0040127C

    //[END TSEARCH SCRIPT - ShellExecute]

This is how the code looks without the explanation:

Our code:

    push 00000003
    push 00000000
    push 00000000
    push 0040125C
    push 0040126C
    push 00000000
    Call 0040120E
    jmp 0040107E

The game code (replaced):

    jmp 0040127C
    push .....
    ..........

Well, add a hotkey to the script and try it. It opened our program! Interesting
stuff, eh.. Or you can replace MsgBox.exe with Tcct.exe, and that way when you
press the Help button it will open Tcct.exe.

Until next time, cya... Take care :)


5. FINAL WORDS
*************

Whenever you do code injection, always poke your code (the cave) first and only
then the main code, because if the program runs the jump before the cave is
filled it will crash in some cases; doing it in this order is safer and better.
And I need a favor - will somebody make me a good ASCII logo, cuz mine sucks -
please!
For any suggestions, questions or criticism, mail me at
brzi@devious.tsongkie.com.

And one other thing.. I think that these tutorials can help you learn how to
code in ASM -> TASM. This is how the code will look the TASM way. Just the
function. I'm not saying that I know how to code in TASM, but I know how to do
some stuff, so..

    push 3
    push 0
    push 0
    push 0040125Ch
    push 0040126Ch
    push 0
    call ShellExecute

-> brzi

'at the end of days, at the end of time... when the sun burns out, will any of
this matter? who will be there to remember who we were.. who will know that any
of this had meaning for us...'


6. GREETS
********

+ Stoner + Omega + Tsongkie + EEDOK + Bie + Micral + Invader + VBTrainer +
+ PCP + [sheep] + snow + ddh + rat + SubZero and everybody else..

-> Greets in no special order ...