
Thread: Need A tutorial or help injecting..

  1. #1

    Need A tutorial or help injecting..

    I need a tutorial on bypassing ASLR/DEP in either Assembly (any type of asm), C or C++..

    Anyone got any?

    Reason:

    Injecting anything into the RSClient on Windows 8 is impossible without bypassing ASLR. Not just RS but injecting into any process on Windows 8 is impossible without bypassing it :S..


    I tried the following and it prints:



    However it is NOT successful.. It returns all the wrong addresses so there is no way for me to actually know where to load stuff because nothing returns NULL or 0.. The ONLY process I seem to be able to inject into or debug (randomly works sometimes for some reason) is Notepad. -__-

    After googling it seems to be because of Microsoft! http://www.insanitybit.com/2012/11/0...he-next-level/


    I tried hackforums, google, stackoverflow.. No good tutorials on bypassing ASLR. All they keep telling me is "It's extremely hard on 64-bit.." Any ideas or links?

    My code:
    C++ Code:
    #include <winsock2.h>
    #include <windows.h>
    #include <ws2tcpip.h>

    #include <cstdio>
    #include <cstring>
    #include <iostream>
    #include <string>

    #include "Defines.hpp"
    #include "Strings.hpp"
    #include "System.hpp"

    // Classic LoadLibraryA + CreateRemoteThread injection. IsProcessRunning,
    // PrintProcessInfo, GetProcessInfo and ErrorMessage come from the headers
    // above. Injector and target must have the same bitness: kernel32 is mapped
    // at one base per bitness for every process, so the local address of
    // LoadLibraryA is only valid in a target of matching bitness.
    bool Inject(const std::string& File, const std::string& Process)
    {
        if (!IsProcessRunning(Process.c_str()))
            return false;

        PrintProcessInfo(Process.c_str());
        PROCESSENTRY32 ProcessInfo = GetProcessInfo(Process.c_str());

        // Pass the path as an argument, never as the format string: a '%' in the
        // path would otherwise be interpreted as a conversion specifier.
        char FilePath[MAX_PATH + 1] = {0};
        _snprintf(FilePath, MAX_PATH, "%s", File.c_str());
        const SIZE_T PathBytes = strlen(FilePath) + 1; // include the terminating NUL

        // PROCESS_ALL_ACCESS is more than this needs; the minimum is
        // PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION
        // | PROCESS_VM_WRITE | PROCESS_VM_READ.
        HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessInfo.th32ProcessID);
        if (!ProcessHandle)
        {
            ErrorMessage(GetLastError());
            return false;
        }

        void* LoadLibraryHandle = reinterpret_cast<void*>(GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"));
        std::cout << "LoadLibraryHandle: " << LoadLibraryHandle << std::endl;
        if (!LoadLibraryHandle)
        {
            ErrorMessage(GetLastError());
            CloseHandle(ProcessHandle);
            return false;
        }

        // Reserve room in the target for the whole NUL-terminated path.
        void* RemoteAddress = VirtualAllocEx(ProcessHandle, nullptr, PathBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        std::cout << "RemoteAddress: " << RemoteAddress << std::endl;
        if (!RemoteAddress || !WriteProcessMemory(ProcessHandle, RemoteAddress, FilePath, PathBytes, nullptr))
        {
            ErrorMessage(GetLastError());
            CloseHandle(ProcessHandle);
            return false;
        }

        HANDLE Thread = CreateRemoteThread(ProcessHandle, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(LoadLibraryHandle), RemoteAddress, 0, nullptr);
        std::cout << "Remote Thread: " << Thread << std::endl;
        if (!Thread)
        {
            ErrorMessage(GetLastError());
            VirtualFreeEx(ProcessHandle, RemoteAddress, 0, MEM_RELEASE);
            CloseHandle(ProcessHandle);
            return false;
        }

        // Wait for LoadLibraryA to return. The thread exit code is the low 32 bits
        // of the HMODULE it returned; 0 means the load failed in the target
        // (bad path, DLL of the wrong bitness, DllMain returned FALSE).
        WaitForSingleObject(Thread, INFINITE);
        DWORD ExitCode = 0;
        GetExitCodeThread(Thread, &ExitCode);
        std::cout << "LoadLibraryA returned: 0x" << std::hex << ExitCode << std::dec << std::endl;

        CloseHandle(Thread);
        VirtualFreeEx(ProcessHandle, RemoteAddress, 0, MEM_RELEASE);
        CloseHandle(ProcessHandle);
        return ExitCode != 0;
    }

    int main(int argc, char* argv[])
    {
        if (!Inject("C:/Users/Brandon/Desktop/DontWorry;).dll", "JagexLauncher.exe"))
        {
            std::cout << "Injection Failed" << std::endl;
            std::cin.get();
            return 1;
        }

        std::cout << "Injection Successful" << std::endl;
        std::cin.get();
        return 0;
    }
    Last edited by Brandon; 03-17-2013 at 01:14 AM.
    I am Ggzz..
    Hackintosher

  2. #2

    Quote Originally Posted by core
    "A registry setting is available to forcibly enable or disable ASLR for all executables and libraries and is found at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages."
    http://stackoverflow.com/questions/9...-windows-7-x64

    If you're comfortable with disabling it globally, I think the setting should be the same in Windows 8 as it is in Windows 7. I don't have windows 8 yet to verify that though.

    Also, the EMET http://www.microsoft.com/en-us/downl....aspx?id=29851 (Tech Preview: http://www.microsoft.com/en-us/downl....aspx?id=30424) apparently has an option to disable ASLR on a per-process basis.

    If you're unable to reach a solution using that, let me know and I'll reach out to some friends who very likely know the answer.

    Thanks. I solved it just now. I injected through Ntdll instead of Kernel32 and brute-forced 256 addresses. It's pretty fast, so yeah. Thanks for the links though, I'll definitely read up on that.
    I am Ggzz..
    Hackintosher
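The injector in the first post takes LoadLibraryA's address from its own kernel32 and assumes it is valid in the target, and the reply above swaps that for brute-forcing 256 candidate addresses. Neither assumption nor brute force is needed. Windows randomizes the base of a system DLL once per boot and maps it at that same base in every process of the same bitness, and even where two processes do hold a module at different bases the export's RVA is constant, so the remote address is the target's module base plus (local function address minus local module base). The example below is added here and is not code from the thread or from any poster. It checks with IsWow64Process that injector and target have the same bitness (a mismatch is the usual reason such an injector reports addresses that are wrong for the target), snapshots the target's module list with Toolhelp, and relocates LoadLibraryA by RVA. The portable part (`module_info`, `resolve_remote`, `demo_resolve`) compiles and runs on any platform; the addresses in `demo_resolve` are constructed sample values, and every function name is this example's own.

```c
/* Relocating a kernel32 export into another process by RVA instead of
 * assuming an identical base or brute-forcing candidates. Added example;
 * all names are this example's own. */
#include <ctype.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char     name[64];   /* module file name, e.g. "kernel32.dll" */
    uint64_t base;       /* image base in the owning process */
    uint64_t size;       /* size of the mapped image */
} module_info;

/* Module names are case-insensitive on Windows (ASCII is enough for them). */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static const module_info *find_module(const module_info *mods, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (name_eq(mods[i].name, name))
            return &mods[i];
    return NULL;
}

/* remote = remote_base + (local_fn - local_base). An export's RVA does not
 * change when the image is relocated, so this holds wherever ASLR placed the
 * module in either process. Returns 0 if the module is missing on either side,
 * local_fn lies outside the local image, or the two images differ in size
 * (i.e. they are not the same file, as with a 32/64-bit mismatch). */
uint64_t resolve_remote(const module_info *local, size_t nl,
                        const module_info *remote, size_t nr,
                        const char *module, uint64_t local_fn)
{
    const module_info *l = find_module(local, nl, module);
    const module_info *r = find_module(remote, nr, module);
    if (!l || !r)
        return 0;
    if (local_fn < l->base || local_fn >= l->base + l->size)
        return 0;
    if (l->size != r->size)
        return 0;
    return r->base + (local_fn - l->base);
}

/* Constructed sample (not real addresses): kernel32 at different bases in the
 * two processes, LoadLibraryA at RVA 0x1F8A0 inside the local image. */
uint64_t demo_resolve(void)
{
    module_info local[] = {
        { "ntdll.dll",    0x7FFA20000000ULL, 0x1F0000 },
        { "KERNEL32.DLL", 0x7FFA1E000000ULL, 0x0B0000 },
    };
    module_info remote[] = {
        { "kernel32.dll", 0x7FFA1C000000ULL, 0x0B0000 },
    };
    uint64_t local_fn = 0x7FFA1E000000ULL + 0x1F8A0;
    return resolve_remote(local, 2, remote, 1, "kernel32.dll", local_fn);
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* Both 32- and 64-bit module views of `pid` into `out`; returns the count. */
static size_t snapshot_modules(DWORD pid, module_info *out, size_t max)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    MODULEENTRY32 me;
    me.dwSize = sizeof(me);
    size_t n = 0;
    for (BOOL ok = Module32First(snap, &me); ok && n < max; ok = Module32Next(snap, &me)) {
        strncpy(out[n].name, me.szModule, sizeof(out[n].name) - 1);
        out[n].name[sizeof(out[n].name) - 1] = '\0';
        out[n].base = (uint64_t)(uintptr_t)me.modBaseAddr;
        out[n].size = me.modBaseSize;
        n++;
    }
    CloseHandle(snap);
    return n;
}

/* A WOW64 (32-bit) injector cannot address a native 64-bit target or vice versa. */
static int same_bitness(HANDLE target)
{
    BOOL me = FALSE, them = FALSE;
    IsWow64Process(GetCurrentProcess(), &me);
    IsWow64Process(target, &them);
    return me == them;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!h) { fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError()); return 1; }
    if (!same_bitness(h)) { fprintf(stderr, "bitness mismatch: use an injector of the target's bitness\n"); return 1; }

    module_info local[512], remote[512];
    size_t nl = snapshot_modules(GetCurrentProcessId(), local, 512);
    size_t nr = snapshot_modules(pid, remote, 512);
    uint64_t fn = (uint64_t)(uintptr_t)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    uint64_t remote_fn = resolve_remote(local, nl, remote, nr, "kernel32.dll", fn);
    printf("LoadLibraryA local 0x%" PRIx64 " -> remote 0x%" PRIx64 "\n", fn, remote_fn);
    CloseHandle(h);
    return remote_fn ? 0 : 1;
}
#endif
```

Run with the target PID on Windows; the address it prints is what goes into CreateRemoteThread in place of the injector-local pointer. If the bitness check fails, rebuild the injector (and the DLL) for the target's architecture rather than searching for an address: no 32-bit address is meaningful in a 64-bit process.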

  3. #3

    What do you plan on injecting?
