Remote thread injection
 

Played the remote control's friends may often read that the so-called Trojan horse (of course, a little stronger) generally claim to thread into the technology or use of DLL injection, remote thread into the so
which in the end what? What's the use? How to achieve it?
If you want to listen and follow my debugging needs of NT System, who is 9X/Me say if you need to slightly change some code
only listen to it does not matter under the
must first understand what is Speaking of thread would have to thread
process
SDK documentation that describes it
process is a running program, it has its own address space, with its own code, data and other systems resources. A process contains one or more runs in the process the thread.
bluntly, in fact, the process is a program loaded into memory on the disk after the execution of things
open the Task Manager to see, there are a lot of progress ...
be seen from the definition of the process must be thread, the thread is an independent entity in the process of memory.
talk so much nonsense
actually want to run, it becomes a process, your code by the threads.
back to the topic, the thread insert is it? Is to get other process executes a thread
you may find it strange that there is a process that they are not good it? In fact, the role of
big, first talk about Trojan mentioned at the beginning
a result, some of the more experienced users by the sometimes open the Task Manager and found a strange process? ! Think of your horse can live it?
then insert the key process in Explorer, if you want to use the computer better not kill the process (do not believe try)
Secondly, we now have installed a firewall, and network connectivity will often be considered lost, Trojan Qi is not no use?
well into IE, the firewall to consider? Unless you do not want to see pages
course, there are many uses, such as into the system level processes, ha ha, we have Ring0 rights, and (do not tell me you do not know Ring0 ... is that even the physical memory can be written in the super- permission)
HookAPI also need to know the code into another process
his role would like to know how to achieve it?
Do not worry, take your
First, it should belong to the system programming, system programming API
API can not help but know what? Simply say that Windows provides us with some of the functions and use them a lot of things we can do a lot of energy spent
Delphi VCL some mess with the class to allow us to try not to be programmed so the API
but do not know was possible
API API is encapsulated in kernel32.dll, user32.dll and other dynamic-link library, the program used when the DLL is mapped to its own memory of the
the time of writing we often need to export from a DLL These functions
function Beep; external 'kernel32.dll' name 'Beep';

this function to export a beep, of course, do not bother
Delphi actually has to write these statements in a number of units exported inside (such as windows unit)
uses windows can be directly used after
(and default will create a window reference when many units)
so in fact we can use this to understand what

began to talk like a thread into the thread into the general
There are 2 ways
1.DLL into
2. directly into the remote thread into the
DLL written in relatively simple when , methods more, but there is a drawback process will be more modules, the remote thread can be found
direct way to modify the other memory, although good for hiding, but not the point of care may be problems, such as you let The process can not have a screen pop-up windows, the process can not access the Internet to open a port, then wait for it

crash focus of talk today DLL injection
first to know what is DLL, dll is dynamic link library , we should know?
how to write DLL?
and writing about the same general procedure
create a new project, select DLL Wizard
find it? In addition to program into a library
remains almost the same, just need to load the program entry point
he prepared us a simple DLL
library TestDll;
uses
; Windows; {$ R *. res}
procedure func_a;
begin
MessageBox (0, 'I love delphi', 'Function form Tset DLL ', 0);
end;
procedure func_b (MSG: pchar);
begin
MessageBox (0, MSG, 'Function form Tset DLL', 0);
end;
begin
func_a;
func_b ('I like it too!');
end.
is that testdll.dpr
able to understand it, the pop-up message box
2 Well preserved, F9 to run .. wrong, ha ha, DLL can not be run directly
how to do? Compile the next (according to F9 would not have, and will be compiled)
saw the DLL, right?
we get hold of it loaded a new entry point

normal procedure to add a button
button event just write a loadlibrary ('testdll.dll');
MainShow.dpr
Run, click the button, how to raise? Of course, things pop up right
can do DLL library, resource library, etc. not be discussed today
now know how to write a DLL, right? Program into a library is just
you can write your own program of
DLL to write, and now the question is how we injected
each other's purpose is to run a loadlibrary ('testdll.dll' ); it all to OK the

usually have just a few injection method
1. using a global message hook
Win32 program to spend the next send and receive messages
hook with a hook under the global , the program received any messages are loading our DLL's entry point
, of course, after entering the DLL in this way is not to judge themselves to be inserted into the target process
is the case, do not exit code

This method is cumbersome, but very versatile, can be used as long as the WINDOWS (but there is a hook system could not process the message, so the injection can not)
DLL into the early majority of this principle is implemented
2. write registry
write HKEY_LOCAL_MAHINE Software Microsoft Windows NT CurrentVersion Windows AppInit_DLLs
but only NT, and must be called off user32.dll (Windows of a kernel, interface programs as long as it is called) of the procedures, the boot program will automatically load all the DLL, but this dll can not be uninstalled, but can not call certain functions, or the system will hang (dangerous Oh)
not recommended
3. using remote thread injection to achieve the DLL into the
open as long as the handle can be successful (strong, right?) and relatively simple to implement 9X kernel
drawback is a bit difficult ( is not very difficult)

today to talk about using the remote thread injection to achieve the DLL into it!
you may want to ask, since you can just say that the remote thread injected directly into a thread, why bother then in turn call DLL?
This is because the remote thread technique is generally the memory directly on the target program to operate
we know the different procedures of virtual memory is not the same as the address of
so many functions and procedures is not necessarily the same
When running Call the function address is actually a function call
so we should pay attention to a lot of offset calculation
like this is a very cumbersome thing
and like the above said process so that the interface can not have pop-up windows, it is not fun
the DLL?
DLL call is mapped to the process memory which
DLL has its own import table, resources, functions and other things, is actually a complete program
greet the memory, and implementation of a program effect is
the same so that we do not consider those things a mess, as long as the peace of mind to write a good feature to
,
remote thread to understand the process first of all, the local thread should clear the
do not know We compiled the time multi-threaded program is not all use tthread class?
Anyway, I do not like that
we look to our original Windows API it (tthread class also use it to write)
function CreateThread (
lpThreadAttributes: Pointer;
/ / Security general can be a nil pointer
dwStackSize: DWORD;
/ / initialize the size of the thread, the general use of 0, to obtain the same size with the main thread (not that they will increase, do not worry)
lpStartAddress: TFNThreadStartRoutine;
/ / a pointer to a pointer to the thread function to perform this function must comply with stdcall convention, and can take a parameter, the parameter must be a pointer type
lpParameter: Pointer;
/ / function parameters
dwCreationFlags: DWORD;
/ / control creation of signs, with 0 threads immediately implement
var lpThreadId: DWORD)
/ / return identity variable I feel useless, anyway, the handle has a
: THandle;
/ / returns thread handle
stdcall; / / Standard call the Windows API are generally under the standard we look at the next call

seem more complicated, such as for example under
we copying the DLL source code inside the func_b
just a slight modification on the EXE under
procedure func_b (MSG: pchar); stdcall;
begin
MessageBox (0, MSG, 'Function form Tset DLL', 0);
sleep (10000); / / thread N long pause (no more than 10s)
end;
with 2 buttons
first
procedure TForm1.Button2Click (Sender: TObject);
begin
func_b ('123 ');
end;
second
procedure TForm1.Button3Click (Sender: TObject);
var tid: longword; / / put the return value, and hold her not to perform, depressed
; str: pchar; / / easy to get pointer
begin
str: = '123 ';
createthread (nil,
0,
; @ func_b, / / ​​function name is preceded by a function pointer
@ pointer (str), / / ​​str is a pointer though, but it is to delphi pointer type, then it'll type
0, tid); / / tid placed purely accounting format, generally we can not
end;
/ / above CreateThread can read it, almost all the default settings, go after the sets are actually using it wants
call func_b, only the second process a new thread with the letter
but the effect is not the same
The first pop-up button is pressed, the program card died (pause 10000)
the second but not
Why? We can understand

window as a main thread, the Executive func_b, pop-up window, and then hang the main thread, so card dead
while the second procedure to create a new thread, new thread func_b , pop-up window, hang 10,000, but because the main thread does not hang off the window so it looks like nothing happened (in fact, that thread is still secretly executed until the thread is finished running the code, but it will not affect you stuck )

understand this if it is easy to understand the following
look at this function
function CreateRemoteThread (
hProcess : THandle;
lpThreadAttributes: Pointer;
dwStackSize: DWORD;
lpStartAddress: TFNThreadStartRoutine;
lpParameter: Pointer;
dwCreationFlags: DWORD;
var lpThreadId: DWORD)
;: THandle; stdcall;
not the same as the function name in addition to, the following parameters of more than a hProcess: THandle;, remaining exactly the same
Oh, this thing is the The key lesson of the
look at the function name used to know what the 'Create a remote thread'
usage and have basically the same
is hProcess: THandle what is it?
Here is injected to fill in the line of the handle
What is the process handle?
analogy, the object is a door handle is the handle through the handle we can operate
door handles that we use to operate some of the things (including processes, threads, etc.)
you have not noticed, CreateThread and CreateRemoteThread return a THandle, handle is threaded DLL
there loadlibrary also returns a handle, we can use them to operate on the related objects so how
get process handle it?
generally use the first get the process PID and then the following function to obtain the handle
function OpenProcess (
dwDesiredAccess: DWORD;
/ / access signs are generally filled PROCESS_ALL_ACCESS, so that the handle for maximum operating authority
bInheritHandle: BOOL;
/ / can inherit with the subroutine that is related does not matter, filling false and true can be, they can operate for a long time since we can
dwProcessId: DWORD): / / to get handle the process ID
THandle; stdcall; / / return handle
sometimes returns 0, indicating failure to open the handle of your rights
is generally not enough (for example, you want to Winlogon these system-level operation of the program)
elevation at this time we need Debug privileges to the general (in fact the highest authority to operate inside a)
enhance the process of written
I can directly call the (changes to the process token Debug level, why not write here about the details,beats by dre, go online to search for their next)
procedure GetDebugPrivs;
var
hToken: THandle;
tkp: TTokenPrivileges;
retval: dword;
begin
If (OpenProcessToken (GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)) then
begin
; LookupPrivilegeValue (nil, 'SeDebugPrivilege', tkp.Privileges [0]. Luid);
tkp.PrivilegeCount: = 1;
tkp.Privileges [0]. Attributes: = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges (hToken, False, tkp, 0, nil, retval);
; end;
end;
not faint, right?
should remember I mentioned the need to PID, then how so?
GetWindowThreadProcessId general use FindWindow and complementary to the
write
first var Pid: longword; / / store the PID
GetWindowThreadProcessId (FindWindow ('Notepad', nil), @ PID);
This will find the notebook PID, Again 'Shell_TrayWnd' can be found in Explorer's window class name is said
can use SPY + + query, but I have not seen this thing, huh, huh
course, can also determine the process name enumeration process so
the first end.

Well, take the laptop to start Windows, right
procedure TmyForm.Button4Click (Sender: TObject);
var h: longword;
/ / PID and are in fact longword type THandle , a change of name only, so it can be common
begin
winexec ('notepad', 1); / / run the notebook
GetWindowThreadProcessId (FindWindow ('notepad', nil), @ h); / / get Pid exists h
h: = OpenProcess (PROCESS_ALL_ACCESS, False, h);
/ / get handle exists h,tods men, after that is the variable pid, count into the front end is a handle h (two different things just type as it)
sleep (2000); / / so 2 seconds
TerminateProcess (h, 0); / / close the laptop, h is the handle, 0 indicates normal exit
end;
up and running is to open a notebook, about a dog off 2s
do not know understand that it was not, no it does not matter, just to prove that we can get a class action if the process handle
have everything right? Remote thread of the bar that try to build a button

front or write, and then copy the thread over the establishment of
with h parameters into CreateRemoteThread
procedure TmyForm.Button5Click (Sender: TObject);
var
h: longword;
tid: longword;
str: pchar;
begin
str: = '123 ';
winexec (' notepad ', 1);
GetWindowThreadProcessId (FindWindow (' notepad ', nil), @ h);
h: = OpenProcess (PROCESS_ALL_ACCESS, False, h);
CreateRemoteThread (h, nil, 0, @ func_b, pointer (str), 0, tid);
end;

laptop out and running,tods, the dialog box came out ...
but dialog is not that we get is a error of
to see what is written on
memory '0 x00000000 'can not' writen '
Why? Remember What I said in another thread
program the remote to run a thread
the equivalent of a function in the implementation of CreateThread
Therefore, the function is not necessarily the same as the address, let alone how the inside notebook There may be func_b write our own function that does
that way of course under the wrong
this silly, how we want the function into it?
remember what we talk about it? - DLL using remote threads into
we can write the function inside the DLL, the target process using remote thread to this function to load it

executed as long as we can to make sure the other program loadlibrary ('testdll . dll '); LoadLibrary it OK to see the prototype of the

function LoadLibrary (lpLibFileName: PAnsiChar): HMODULE; stdcall;
you should find it and thread a function of the format requires almost the same
parameter is a pointer type PAnsiChar is pchar, a pointer to a string
returned HMODULE, HMODULE essence longword (change of name only)
^ _ ^, then remotely run it right this time you
might think, LoadLibrary address how to get to it?
to know, LoadLibrary is an API (which in Kernel32.dll), in fact, inside each Win32 program needs to function
Therefore, most programs will run the code before loading the DLL, the inside function is mapped to its own memory of the
way, as long as the same function inside the DLL in all processes where the address is the same
ha ha, so easy
address we generally use the GetProcAddress
function GetProcAddress (
hModule: HMODULE; / / module handle, DLL is loaded after the establishment of the module, wait tell you how to get this
lpProcName: LPCSTR
/ / function in the DLL in the name is actually derived LoadLibrary LoadLibraryA
/ / this unit we look at DelphiWindows source to know
): FARPROC; stdcall; / / returns a pointer
see those types of disorderly it, to get They, in Delphi is not mouse over function, the type of the prototype came out good

now how to get the module handle the problem
use GetModuleHandle
function GetModuleHandle (
lpModuleName: PChar) / / module name, DLL is loaded after the establishment of the module, so is the DLL file name of the
: HMODULE; stdcall; / / returns the module handle
better. Know the address of the function of these are easily the
GetProcAddress (GetModuleHandle ('KERNEL32.DLL'),dre beats, 'LoadLibraryA');

problem seems to have a get solved, right?
first Do not happy, do not forget, it also brought a parameter is the name of the DLL
parameter type is a pointer to a pointer to the string address
this is a big problem, the one you can not guarantee that others program memory, there are two string
to have you do not know his place, how this can be done?
write your own!
we write the string to the other memory
Oh, very high-handed approach, but he is a good way to
not nonsense to begin
we must first apply for a block of memory in the target process in order to the application of that argument and written into the memory
with VirtualAllocEx, take a look at its prototype
function VirtualAllocEx (
hProcess: THandle; / / handle to target process, it goes without saying that it
lpAddress: Pointer; / / allocate memory location, usually with nil, so that in the system that the most appropriate location distribution
dwSize: DWORD; / / assign the address range, which is the size of the
flAllocationType: DWORD; / / how to assign addresses generally presented with MEM_COMMIT physical memory space for the specified
flProtect: DWORD / / type of protection that section of memory, PAGE_READWRITE that read and write
): Pointer; stdcall; / / Return the memory address, ha ha, this is parameters that we want a good pointer to the
, distribution, of course, is to complete the memory write our data passed
WriteProcessMemory need to use this time to write process memory
function WriteProcessMemory (
hProcess: THandle; / / target process handle
const lpBaseAddress: Pointer;
/ / write the memory address, to fill the parameters of our pointer
lpBuffer: Pointer;
/ / address of the data, we keep the string here, let him copy
nSize: DWORD;
/ / length of data to be copied
/ / string in the Windows definition is null (that is 16 hexadecimal 0) at the end of the
/ / so the length is the length of the string +1
var lpNumberOfBytesWritten: DWORD) / / return something,beats by dr dre, no use
: BOOL; stdcall; / / return success or failure
us to write a complete code it
procedure TmyForm.Button6Click (Sender: TObject);
var
h: longword; / / release handle, the middle way, temporarily put aside PID
tmp: longword; / / to account for this specialized format, refuse collection
DllName: pchar;
Mysize: longword; / / put string length
Parameter: pointer; / / pointer to put the parameters (position within the target process)
begin
DLLName: = 'Testdll.dll';
Mysize: = strlen (Dllname) +1;
winexec ('notepad ', 1);
GetWindowThreadProcessId (FindWindow (' notepad ', nil), @ h);
h: = OpenProcess (PROCESS_ALL_ACCESS, False, h);
Parameter: = VirtualAllocEx (h, nil, Mysize, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory (h, Parameter, Pointer (DllName), MySize, tmp);
CreateRemoteThread (h, nil, 0, GetProcAddress (GetModuleHandle ('KERNEL32.DLL' ), 'LoadLibraryA'), Parameter, 0, tmp);
end;
saw two familiar dialog box that the
ha ha, so that if we succeeded to the DLL
replaced by other functions, then ...

something today to stop here almost
you might think, a simple remote thread is how to achieve it?
to each other we can just copy into the string memory
of course copy the whole function into
time I did not speak at length about the
can give you a function that is foreign with
Aphex's written by a man named
I see is not very good, nor very seriously studied
procedure Inject (ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer;
Size, BytesWritten, TID: longword;
begin
Module: = Pointer (GetModuleHandle (nil ));// get module handle, nil that get their own module
Size: = PImageOptionalHeader (Pointer (integer (Module) + PImageDosHeader (Module). _lfanew + SizeOf (dword) + SizeOf (TImageFileHeader))). SizeOfImage;
; VirtualFreeEx (ProcessHandle, Module, 0, MEM_RELEASE);
NewModule: = VirtualAllocEx (ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory (ProcessHandle, NewModule, Module, Size, BytesWritten);
CreateRemoteThread (ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;
write with no arguments when the function (compliance standard calls) such as func it
inject (target handle, @ func);
to OK the
Note that there can be only func API function, the function can not write their own call, want to direct Otherwise, the process of writing what will go in
you try to know
attention
VirtualAllocEx
VirtualFreeEx
CreateRemoteThread
in the NT, the system can be used with
9X/me ancillary units to achieve inside the 9X_Files
preview package, which has a
addition MadRemote, also can be achieved