http://www.security.org.sg/code/loadexe.html
http://pastebin.com/QFHASx75
I've compiled this but can't get it to work properly, It runs fine and shows no errors in the console
console output:
C:\~\~\Documents\Visual Studio 2010\Projects\loadEXE\Debug>开发者_开发百科;loadEXE.exe AcceleratedC++Exe_2-0.exe
Original EXE loaded (PID = 4068).
Original Base Addr = 110000, Size = 29000
Unmapped and Allocated Mem for New EXE at 400000
EIP = 772501C4
EAX = 12141F
EBX = 7EFDE000
ECX = 0
EDX = 0
New EXE Image Size = 25000
New EXE image injected into process.
********> EIP = 772501C4
********> EAX = 411307
Process resumed (PID = 4068).
However I get this application error.
"The application was unable to start correctly (0xc0000005). Click OK to close the application."
I'm new to the PE format and can't figure out why this is happening, the article is old so I'm not sure if it even works on 64b but I don't have a spare 32b CD to test. From what I've read of the PE Format, code for 32b should work on 64b.
Can anyone confirm if this works on 32b? or know why I'm getting this error?
The code modifies the entrypoint of the new process like this:
ctx.Eax = (DWORD)v + inpeXH->addressOfEntryPoint;
On Windows x64 (both 64-bit and wow64) this doesn't work anymore, I'm actually surprised this trick was usable for so long.
To quickly fix this, you'd need to write a small sample project that starts a suspended process and reads all registers from ctx and checks which one is the entrypoint. Try as many exes as you can on as many Windows versions you have.
This really is undefined behaviour at best, things like weird access violations start happening once that little trick doesn't work anymore (it will stop working again, sooner than later). I suggest you look for a better way to inject code into a process, but then I don't know what exactly you're trying to do...
Ensure that you have proper VC runtime redistributable installed. Correct means:
- 32-bit if application is 32-bit (doesn't matter if OS is 64-bit).
- 64-bit if application is 64-bit
- Appropriate VC runtime version (VC8/2005, VC9/2008, VC10/2010).
- Correct service pack of VC++ redist.
精彩评论