I'm kind of new to this sort of thing so I hope someone can help me. I'm currently trying to understand how most malware infects other files/modifies an exe.

Using Visual Studio 2017 I made an exe (with C++) that only does 2 things: print "Injection didn't work!" and after that run "pause>NUL". Then I made a second exe which only prints "Injection worked". My main goal was to inject code into the first/target exe so that it runs the second exe first and then itself. So the final output after the injection should look something like this: "Injection worked.

I opened the target exe and I added the following code into the code cave at the end of the code:

    ASCII "inject.exe"
    PUSH 008B1F7C (Address of ASCII "inject.exe")
    Call _security_init_cookie (This is the assembly code at the entrypoint which I overwrote with a JMP instruction to this codecave)
    JMP 008B1572 (JMP back to next instruction after entrypoint)

And the entrypoint looks like this:

    JMP 008B1F87 (JMP to codecave)

This code should execute inject.exe, which is the second exe I made (and this exe is located in the same folder as the target exe). When I run this in OllyDBG it works and it gives me the desired output, but as soon as I save it to an exe (Copy to executable -> All modifications -> Copy All -> Save as InjectionTestPatched.exe) it won't run anymore and crashes before printing anything. I also checked the %errorlevel% after execution, which was -1073741819 and not 0. I don't really understand why the code worked in OllyDBG but not when I save it as an exe.

(Please excuse my bad English as I'm not a native English speaker)

EDIT: I think I figured out WHY it is behaving like this but I don't know how to fix it. When I debug the patched EXE every address seems to be correct but the address of the ASCII isn't. All JMP/CALL addresses adjust according to the offset but the address of the ASCII remains static (the PUSH 008B1F7C doesn't change). Could ASLR be the source of my problems? And if yes, how can I bypass this? Here the address in red should point to the ASCII but it is the same as it was before (the addresses changed after the exe was made). What I don't understand is that the JMP address changed to the right address but the PUSH did not.