Home › Forum › Programming › Visual Basic Programming › [Help]WriteProcessMemory - Write byte array?
[Help]WriteProcessMemory - Write byte array?
[Help]WriteProcessMemory - Write byte array?
Is it possible to inject an array of bytes? (lol, fail title)
I tried this, didn't work:
[highlight=vb.net] Public Declare Function VirtualAllocEx Lib "kernel32" ( _
ByVal hProcess As Integer, _
ByVal lpAddress As Integer, _
ByVal dwSize As Integer, _
ByVal flAllocationType As Integer, _
ByVal flProtect As Integer) As Integer
Public Declare Function WriteProcessMemory Lib "kernel32" ( _
ByVal hProcess As Integer, _
ByVal lpBaseAddress As Integer, _
ByVal lpBuffer As Byte(), _
ByVal nSize As Integer, _
ByRef lpNumberOfBytesWritten As Integer) As Integer
Private Declare Function CloseHandle Lib "kernel32" Alias "CloseHandle" ( _
ByVal hObject As Integer) As Integer
Public Declare Function CreateRemoteThread Lib "kernel32" ( _
ByVal hProcess As Integer, _
ByVal lpThreadAttributes As Integer, _
ByVal dwStackSize As Integer, _
ByVal lpStartAddress As Integer, _
ByVal lpParameter As Integer, _
ByVal dwCreationFlags As Integer, _
ByRef lpThreadId As Integer) As Integer
Public Declare Function OpenProcess Lib "kernel32" ( _
ByVal dwDesiredAccess As Integer, _
ByVal bInheritHandle As Integer, _
ByVal dwProcessId As Integer) As Integer
Public Declare Function GetProcAddress Lib "kernel32" ( _
ByVal hModule As Integer, ByVal lpProcName As String) As Integer
Private Declare Function GetModuleHandle Lib "Kernel32" Alias "GetModuleHandleA" ( _
ByVal lpModuleName As String) As Integer
Private TargetProcessHandle As Integer
Private pfnStartAddr As Integer
Public Const MEM_COMMIT = 4096
Public Const PAGE_READWRITE = 4
Public Const PROCESS_CREATE_THREAD = (&H2)
Public Const PROCESS_VM_OPERATION = (&H8)
Public Const PROCESS_VM_WRITE = (&H20)
Private Sub doCrap()
Dim TargetProcess As Process() = Process.GetProcessesByName("test")
TargetProcessHandle = OpenProcess(PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE, False, TargetProcess(0).Id)
pfnStartAddr = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
Dim LoadLibParamAdr As Integer
Dim fileBytes() As Byte = IO.File.ReadAllBytes("C:\test.dll")
Dim LoadLibParamAdr As Integer = VirtualAllocEx(TargetProcessHandle, 0, UBound(fileBytes), MEM_COMMIT, PAGE_READWRITE)
WriteProcessMemory(TargetProcessHandle, LoadLibParamAdr, fileBytes, UBound(fileBytes), 0)
CreateRemoteThread(TargetProcessHandle, 0, 0, pfnStartAddr, LoadLibParamAdr, 0, 0)
CloseHandle(TargetProcessHandle)
End Sub[/highlight]
I'm pretty sure it's something to do with LoadLibParamAdr or WriteProcessMemory. Btw, I'm just testing various injection methods.
I tried this, didn't work:
[highlight=vb.net] Public Declare Function VirtualAllocEx Lib "kernel32" ( _
ByVal hProcess As Integer, _
ByVal lpAddress As Integer, _
ByVal dwSize As Integer, _
ByVal flAllocationType As Integer, _
ByVal flProtect As Integer) As Integer
Public Declare Function WriteProcessMemory Lib "kernel32" ( _
ByVal hProcess As Integer, _
ByVal lpBaseAddress As Integer, _
ByVal lpBuffer As Byte(), _
ByVal nSize As Integer, _
ByRef lpNumberOfBytesWritten As Integer) As Integer
Private Declare Function CloseHandle Lib "kernel32" Alias "CloseHandle" ( _
ByVal hObject As Integer) As Integer
Public Declare Function CreateRemoteThread Lib "kernel32" ( _
ByVal hProcess As Integer, _
ByVal lpThreadAttributes As Integer, _
ByVal dwStackSize As Integer, _
ByVal lpStartAddress As Integer, _
ByVal lpParameter As Integer, _
ByVal dwCreationFlags As Integer, _
ByRef lpThreadId As Integer) As Integer
Public Declare Function OpenProcess Lib "kernel32" ( _
ByVal dwDesiredAccess As Integer, _
ByVal bInheritHandle As Integer, _
ByVal dwProcessId As Integer) As Integer
Public Declare Function GetProcAddress Lib "kernel32" ( _
ByVal hModule As Integer, ByVal lpProcName As String) As Integer
Private Declare Function GetModuleHandle Lib "Kernel32" Alias "GetModuleHandleA" ( _
ByVal lpModuleName As String) As Integer
Private TargetProcessHandle As Integer
Private pfnStartAddr As Integer
Public Const MEM_COMMIT = 4096
Public Const PAGE_READWRITE = 4
Public Const PROCESS_CREATE_THREAD = (&H2)
Public Const PROCESS_VM_OPERATION = (&H8)
Public Const PROCESS_VM_WRITE = (&H20)
Private Sub doCrap()
Dim TargetProcess As Process() = Process.GetProcessesByName("test")
TargetProcessHandle = OpenProcess(PROCESS_CREATE_THREAD Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE, False, TargetProcess(0).Id)
pfnStartAddr = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
Dim LoadLibParamAdr As Integer
Dim fileBytes() As Byte = IO.File.ReadAllBytes("C:\test.dll")
Dim LoadLibParamAdr As Integer = VirtualAllocEx(TargetProcessHandle, 0, UBound(fileBytes), MEM_COMMIT, PAGE_READWRITE)
WriteProcessMemory(TargetProcessHandle, LoadLibParamAdr, fileBytes, UBound(fileBytes), 0)
CreateRemoteThread(TargetProcessHandle, 0, 0, pfnStartAddr, LoadLibParamAdr, 0, 0)
CloseHandle(TargetProcessHandle)
End Sub[/highlight]
I'm pretty sure it's something to do with LoadLibParamAdr or WriteProcessMemory. Btw, I'm just testing various injection methods.
Yes it is.. That's the point of writing to memory - you writes bytes.
Would help but can't see code now (mobile mode) :L
Would help but can't see code now (mobile mode) :L
Originally Posted by freedompeace
Yes it is.. That's the point of writing to memory - you writes bytes.
Would help but can't see code now (mobile mode) :L
Would help but can't see code now (mobile mode) :L
Originally Posted by master131
No but the standard way of injecting something just involves in passing the string of the DLL location. I'm trying to pass an array of bytes which contains the bytes of a DLL.
Injecting a DLL = reference to DLL location.
Originally Posted by freedompeace
Hmm... to save both you and I some trouble, I'm going to go ahead and say you can't do that , not how you're doing it ..
Injecting a DLL = reference to DLL location.
/solved now
I remember talking to david about this a few days back coincidentally, he seems to think it IS in fact possible, though as freedom said, not with your current method. I'm 'Memory Retarded' (not my memory, but my comprehension of program memory 
) so David got rather exasperated at me, perhaps you should ask him, you may have more luck than I did understanding.,
) so David got rather exasperated at me, perhaps you should ask him, you may have more luck than I did understanding.,The problem with this is that modules are loaded into memory once, and they aren't loaded in a single programs allocated memory.
I'll do a bit of research on this for you, see what I can come up with.
Edit: Wow I'm dumb, I'm pretty sure this technique is called manual mapping.
I'll do a bit of research on this for you, see what I can come up with.
Edit: Wow I'm dumb, I'm pretty sure this technique is called manual mapping.
If you knew what the code did (instead of random copy/paste), you'd know why the parameter is a string. DLL injection is not using WriteProcessMemory to write the path to the DLL, there is much more than that.
Originally Posted by Iamazn1
If you knew what the code did (instead of random copy/paste), you'd know why the parameter is a string. DLL injection is not using WriteProcessMemory to write the path to the DLL, there is much more than that.
Anyway, the LoadLibrary function does the writing of the memory for you, so you don't have to do it yourself. In short, you give it a path, it looks for the path and checks if the DLL exists, if it does, it loads the DLL into some allocated memory and calls the module's entry point.
I'm guessing you can do this yourself with VirtualAlloc and WriteProcessMemory then call the main function ( export the main function so you can explicitly find the function's address ) you'd just be rewriting another version of LoadLibrary. Except, LoadLibrary probably fills some hidden data structures somewhere in the kernel, like which modules are loaded, how many modules, base address, dll path, threads, etc etc.
Originally Posted by Iamazn1
If you knew what the code did (instead of random copy/paste), you'd know why the parameter is a string. DLL injection is not using WriteProcessMemory to write the path to the DLL, there is much more than that.
Originally Posted by master131
I did say that it was a fail title
If this work.... maybe i can get injection method for my Blue file... i dont like outputing to temporary location... which takes time to create the file
Originally Posted by topblast
If this work.... maybe i can get injection method for my Blue file... i dont like outputing to temporary location... which takes time to create the file
Originally Posted by Iamazn1
If you knew what the Injection code actually did, you'd know that writing the Byte Array to the Process's Memory instead of the DLL Path won't work.
No one wants you here Trolling your wannabe pro ness
Originally Posted by Iamazn1
If you knew what the Injection code actually did, you'd know that writing the Byte Array to the Process's Memory instead of the DLL Path won't work.
Edit: Agreed with whit.