Process Injection

In order to perform vanilla process Injection we require three following Win32 api calls

• VirtualAllocEx

• WriteProcessMemory

• CreateRemoteThread

VirtualAllocEx

This Win32 API call is used for allocating space in the memory space of the remote process or current process (depends upon the parsed process)

[syntax]

[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, 
  uint dwSize, uint flAllocationType, uint flProtect);

[Argument Explanation]

• hProcess: The handle of the remote process or current process to be passed as IntPtr

• lpAddress: The desired address in the memory space as we want this to be automatically allocated we will pass IntPtr.Zero so that API can allocate space automatically

• dwSize: Size to be allocated (In Bytes) for example 0x1000 (passed for 1000 bytes)

• flAllocationType: This is to specify the type of memory allocation:

  • MEM_COMMIT: Allocates memory charges (from the overall size of memory and the paging files on disk) for the specified reserved memory pages (0x1000)

  • MEM_RESERVE: Reserves a range of the process's virtual address space without allocating any actual physical storage in memory or in the paging file on disk (0x2000)

  • In order to pass them together in the API Call we will pass them as 0x3000

• flProtect: This parameter specifies the memory protection for the region of pages to be allocated, for us we need Read, Write and Execute permissions so the constant value for it is 0x40

[Final Form]

IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);

WriteProcessMemory

This Win32 API call is used for writing the shellcode to the allocated memory space

[syntax]

[DllImport("kernel32.dll")]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, 
    byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);

[Argument Explanation]

• hProcess: The handle of the remote process or current process to be passed as IntPtr

• lpBaseAddress: It requires the handle to the memory space we allocated earlier

• lpBuffer: The Buffer to be copied (the shellcode basically)

• nSize: The length of the buffer (buf.length)

• lpNumberOfBytesWritten: It requires a pointer to the memory to output how much data was copied, basically we don't need this so we will create a fake variable as IntPtr and pass it.

[Final Form]

IntPtr outSize;
WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize);

CreateRemoteThread

This Win32 API call will create a thread which will run in the virtual address space of another process

[syntax]

[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, 
 uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[Argument Explanation]

• hProcess: The handle of the remote process or current process to be passed as IntPtr

• lpThreadAttributes: This is to specify a security descriptor for the new thread which will determine if child process can inherit, we don't need this hence we will pass as IntPtr.Zero as NULL.

• dwStackSize: The initial size of stack in bytes, we will pass 0 so new thread will use default size

• lpStartAddress: We will pass the pointer of the memory space which we allocated and written earlier

• lpParameter: This parameter is for any arguments to be passed with the function, which we currently don't have so we will pass IntPtr.Zero as NULL

• dwCreationFlags: This flag will control what happens after the thread is created, we will pass 0 so that it starts executing immediately after cration

• lpThreadId: Pointer to a variable that receives the thread identifier, we don't need this so we will pass IntPtr.Zero as NULL

[Final Form]

IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);

These are all the Win32 API calls which is needed for process injection, I will not post any code because already a lot of examples are available publicly so the best idea is to supply a link to the Exact Process Injection code available online:

• Process Injection By Chvancooten

Note: These are my personal notes which might be inaccurate