Download writeprocessmemory monitor

Author: m | 2025-04-25


Encoded.

Question 4: Which functions does the shellcode manually import?

Answer 4: To answer this question we need to look at the shellcode itself. One way to do this is to set breakpoints on the relevant API calls we discovered were being used to inject into Internet Explorer, particularly WriteProcessMemory. Opening this in OllyDbg2, we can easily pivot to the instance of WriteProcessMemory by using CTRL+G and locating the appropriate label.

By setting a breakpoint here and stepping through the following assembly instructions, we can see that this is writing a buffer from 0x407030, where our shellcode resides, for the next 423 bytes. Following this in the dump, we can see at a glance approximately where the shellcode starts and finishes based on the data shown. From here we can dump this to a file to get the shellcode which will be injected into Internet Explorer.

If we open this in IDA and begin converting it to code using 'c', we soon reach a section which contains the decoding routine. This helps to prove the code will be injected into Internet Explorer and, once injected, will decode the shellcode before executing it; however, it doesn't answer what imports this has. By running it through scdbg as we did previously, we can see the decoding stub assembly in addition to what the shellcode is essentially trying to do:

    scdbg -f Lab19-02_00407000.bin -findsc

From this we know that the shellcode is at least importing the following functions:

    LoadLibraryA
    WSAStartup
    WSASocket
    connect
    GetCurrentProcess
    TerminateProcess

We also now know that this is designed to connect back to a host at 192.168.200.2 on TCP port 13330.

One way we can debug the shellcode after the decoding routine has executed is to set a breakpoint at 0x407041, after the shellcode has decoded, and set our origin to the start of the shellcode at 0x407030. Once we hit our breakpoint using F9, we can once again dump the decoded shellcode into a file. If we run scdbg over it again we see a similar result, only this time the assembly shown is different. This will still contain the decoding routine, as

Library, plus the NULL terminator.

On success pArgumentAddress will point somewhere in the target's memory. This is not your process memory, so you can't write directly there; just take the address for the next step.

Write the argument into the target's memory

With pArgumentAddress pointing to the target's memory obtained in the previous code, we call WriteProcessMemory to write the actual path and filename:

    if (!WriteProcessMemory(processHandle, pArgumentAddress, szfullDllName,
                            szfullDllNameSize, NULL))
    {
        // Failure
    }

Create a remote thread

Now that we have the function's argument at a known memory position, it's time to work the real magic. Using CreateRemoteThread, we execute LoadLibraryA in the target process (whose address we obtained before), passing it the full path of the library that we want to load:

    HANDLE remoteThread = CreateRemoteThread(processHandle, NULL, 0x100000,
                                             loadLibraryExAddress, pArgumentAddress, NULL);

If everything goes well, within some nanoseconds LoadLibraryA will be executed in the target process and DllMain will be called.

Check for completion

We can't get the return value of LoadLibraryA, so in a real-world application we recommend some IPC signalling (for example, an IPC event via OpenEvent) to confirm the success of the DLL initialization on the other side. The specific code needed depends greatly on what you want to check, so we won't reproduce it here. Also, you should return from DllMain as soon as possible, creating another thread local to the process from DllMain to continue the work there.

From the injection code's point of view, now it's time to call WaitForSingleObject to wait for the remote thread to terminate:

    DWORD result = WaitForSingleObject(remoteThread, TIMEOUT_MILISECONDS);
    if (result != WAIT_OBJECT_0) {
        // Error
    }
    // Check here your IPC event or whatever other method that
    // you implemented to check if your injected DLL has succeeded

Clean up and exit

To finish, even if they were only a few bytes, we want to be polite and clean up unneeded memory and the handles. The remote memory has to be freed before the process handle is closed, because VirtualFreeEx needs that handle:

    if (pArgumentAddress) VirtualFreeEx(processHandle, pArgumentAddress, 0, MEM_RELEASE);
    if (remoteThread) CloseHandle(remoteThread);
    if (processHandle) CloseHandle(processHandle);

Conclusions

Even though Windows doesn't provide a standard method, nor a well-documented procedure, to perform a proper DLL injection, the steps indicated should work for the vast majority of applications. You can take them as a good base for implementing a DLL injector on your own.

However, some applications are hostile to this technique; in particular, some anti-debugger code will quickly complain because the start of the DLL can be detected very easily. Or maybe the LoadLibraryA function that you are calling has been patched (hooked) and will refuse to load any DLL that is unknown to the application. There are hundreds of scenarios in which an application may block your "standard" injection attempt.

To circumvent these counter-measures there are more powerful techniques, such as the so-called "reflective DLL loading", which basically avoids calling the LoadLibraryA function by implementing an alternative custom loader. This way the injection process is stealthier and more difficult to detect and block. But techniques that fall into the dark side are a horse of a different color, and may be the subject of a whole new article ;)
