Changes on login sequence? 5018 - Now (5212)

02/09/2010 20:02 Nullable#16
Code:
using System;
using System.Runtime.InteropServices;

[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
public static extern IntPtr GetModuleHandle(string Module);
[DllImport("kernel32.dll")]
public static extern int CloseHandle(IntPtr hHandle);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string Procedure);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint dwAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
// so on with others: WriteProcessMemory, VirtualAllocEx and VirtualFreeEx (all of them take the process HANDLE, not the PID)

int ProcId;
string DllName;
IntPtr LoadLibAddr = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
IntPtr HandleProc = OpenProcess(0x1fffff, false, ProcId);                       // 0x1fffff = PROCESS_ALL_ACCESS
int DllSize = DllName.Length + 1;                                                // +1 for the terminating NUL
IntPtr Remotedll = VirtualAllocEx(HandleProc, IntPtr.Zero, DllSize, 0x1000, 4); // MEM_COMMIT, PAGE_READWRITE
// WriteProcessMemory the DLL path string into Remotedll..
// Call CreateRemoteThread with the process handle (not the PID); the remote string is LoadLibraryA's argument
IntPtr Hndl = CreateRemoteThread(HandleProc, IntPtr.Zero, 0, LoadLibAddr, Remotedll, 0, IntPtr.Zero);
// WaitForSingleObject(Hndl) before freeing, so the remote thread has finished reading the path;
// then free the remote buffer (not the thread handle) - MEM_RELEASE (0x8000) requires dwSize == 0
VirtualFreeEx(HandleProc, Remotedll, 0, 0x8000);
CloseHandle(Hndl);
CloseHandle(HandleProc);
EDIT:
Wait, you can't use gabrola's code in C#, unless managed DLLs can be injected nowadays.
You have to do it C# style: Marshal.GetFunctionPointerForDelegate(Delegate d), WriteProcessMemory, VirtualAllocEx, VirtualFreeEx, CloseHandle, OpenProcess, etc.
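From the defender's side, the CreateRemoteThread + kernel32!LoadLibraryA pattern discussed in this post is exactly what Sysmon Event ID 8 (CreateRemoteThread) records. The following is an added detection example, not code from this thread; the field names follow Sysmon's Event ID 8 schema, the flattened "Field: value|Field: value" record layout and all sample events are constructed here.

```python
from typing import Dict, List

# Constructed sample Sysmon Event ID 8 records, flattened to "Field: value|..." pairs
# the way many SIEM exports render them. Not real telemetry.
SAMPLE_EVENTS = [
    "EventID: 8|SourceImage: C:\\Tools\\Injector.exe|SourceProcessId: 4120|"
    "TargetImage: C:\\Games\\Client\\Client.exe|TargetProcessId: 3316|"
    "StartAddress: 0x76A1B6E0|StartModule: C:\\Windows\\System32\\KERNEL32.DLL|StartFunction: LoadLibraryA",
    "EventID: 8|SourceImage: C:\\Windows\\System32\\csrss.exe|SourceProcessId: 612|"
    "TargetImage: C:\\Windows\\explorer.exe|TargetProcessId: 2044|"
    "StartAddress: 0x77C3A2D0|StartModule: C:\\Windows\\System32\\ntdll.dll|StartFunction: RtlUserThreadStart",
    "EventID: 8|SourceImage: C:\\Games\\Client\\Client.exe|SourceProcessId: 3316|"
    "TargetImage: C:\\Games\\Client\\Client.exe|TargetProcessId: 3316|"
    "StartAddress: 0x00A4F2C0|StartModule: C:\\Games\\Client\\Client.exe|StartFunction: ",
]

# Sysmon resolves StartFunction to an export name when it can; any LoadLibrary variant counts.
LOADLIB_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'Field: value|Field: value' record into a dict.
    Values may themselves contain ':' (drive letters), so split on ': ' once per field."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_loadlibrary_injection(ev: Dict[str, str]) -> bool:
    """Flag a remote thread whose start routine is kernel32!LoadLibrary*:
    the classic CreateRemoteThread DLL injection from this thread."""
    if ev.get("EventID") != "8":
        return False
    if ev.get("SourceProcessId") == ev.get("TargetProcessId"):
        return False  # a process starting a thread in itself is not remote injection
    module = ev.get("StartModule", "").lower()
    return module.endswith("kernel32.dll") and ev.get("StartFunction", "") in LOADLIB_FUNCS


def find_injections(lines: List[str]) -> List[str]:
    """Return 'source -> target' strings for every record matching the pattern."""
    return [f"{ev['SourceImage']} -> {ev['TargetImage']}"
            for ev in map(parse_event, lines) if is_loadlibrary_injection(ev)]


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_EVENTS):
        print("remote LoadLibrary thread:", hit)
```

The same rule maps onto a SIEM query over Sysmon Event 8 (StartModule ends with kernel32.dll and StartFunction starts with LoadLibrary); legitimate cross-process threads from csrss.exe and similar system processes should be baselined rather than dropped from the logic.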
02/09/2010 20:24 gabrola#17
As Nullable said, you can't create the DLL in C# since it's managed; it has to be in C++.
02/09/2010 20:57 Trigorio#18
Quote:
Originally Posted by gabrola
As Nullable said, you can't create the DLL in C# since it's managed; it has to be in C++.
No no, I never said I was creating the DLL in C#; I am going to create the DLL in C++ as an ATL COM component and then use COM Interop to use the methods in C# ;).
02/09/2010 21:05 Trigorio#19
Quote:
Originally Posted by Nullable
Code:
using System;
using System.Runtime.InteropServices;

[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
public static extern IntPtr GetModuleHandle(string Module);
[DllImport("kernel32.dll")]
public static extern int CloseHandle(IntPtr hHandle);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string Procedure);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint dwAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
// so on with others: WriteProcessMemory, VirtualAllocEx and VirtualFreeEx (all of them take the process HANDLE, not the PID)

int ProcId;
string DllName;
IntPtr LoadLibAddr = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
IntPtr HandleProc = OpenProcess(0x1fffff, false, ProcId);                       // 0x1fffff = PROCESS_ALL_ACCESS
int DllSize = DllName.Length + 1;                                                // +1 for the terminating NUL
IntPtr Remotedll = VirtualAllocEx(HandleProc, IntPtr.Zero, DllSize, 0x1000, 4); // MEM_COMMIT, PAGE_READWRITE
// WriteProcessMemory the DLL path string into Remotedll..
// Call CreateRemoteThread with the process handle (not the PID); the remote string is LoadLibraryA's argument
IntPtr Hndl = CreateRemoteThread(HandleProc, IntPtr.Zero, 0, LoadLibAddr, Remotedll, 0, IntPtr.Zero);
// WaitForSingleObject(Hndl) before freeing, so the remote thread has finished reading the path;
// then free the remote buffer (not the thread handle) - MEM_RELEASE (0x8000) requires dwSize == 0
VirtualFreeEx(HandleProc, Remotedll, 0, 0x8000);
CloseHandle(Hndl);
CloseHandle(HandleProc);
EDIT:
Wait, you can't use gabrola's code in C#, unless managed DLLs can be injected nowadays.
You have to do it C# style: Marshal.GetFunctionPointerForDelegate(Delegate d), WriteProcessMemory, VirtualAllocEx, VirtualFreeEx, CloseHandle, OpenProcess, etc.
Ahhh, looks like music to my eyes, compared to C++ at least, haha.
02/09/2010 21:11 gabrola#20
Quote:
Originally Posted by Trigorio
No no, I never said I was creating the DLL in C#; I am going to create the DLL in C++ as an ATL COM component and then use COM Interop to use the methods in C# ;).
What's the point of this? I mean, all that needs to happen is that once the C++ DLL gets injected using winject or whatever, this code runs:
Code:
// hook ws2_32!connect: APIHook (a helper not shown here) redirects it to MyConnect and hands back the original entry in OrigConnect
*(PDWORD)&OrigConnect = APIHook((DWORD)GetProcAddress(GetModuleHandle("Ws2_32.dll"), "connect"), (DWORD)MyConnect, (DWORD)OrigConnect);
Quote:
Originally Posted by Trigorio
Ahhh, looks like music to my eyes, compared to C++ at least, haha.
That code only injects the unmanaged DLL into the process.
02/10/2010 09:27 Nullable#21
Quote:
Originally Posted by Trigorio
No no, I never said I was creating the DLL in C#; I am going to create the DLL in C++ as an ATL COM component and then use COM Interop to use the methods in C# ;).
Quote:
Originally Posted by gabrola
That code only injects the unmanaged DLL into the process.
And I think that is what he needed :P