Vanilla Process Injection
This section will document the standard process Injection notes
Process Injection
In order to perform vanilla process Injection we require three following Win32 api calls
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
VirtualAllocEx
This Win32 API call is used for allocating space in the memory space of the remote process or current process (depends upon the parsed process)
[syntax]
[Argument Explanation]
hProcess: The handle of the remote process or current process to be passed as IntPtr
lpAddress: The desired address in the memory space as we want this to be automatically allocated we will pass IntPtr.Zero so that API can allocate space automatically
dwSize: Size to be allocated (In Bytes) for example 0x1000 (passed for 1000 bytes)
flAllocationType: This is to specify the type of memory allocation:
MEM_COMMIT: Allocates memory charges (from the overall size of memory and the paging files on disk) for the specified reserved memory pages (0x1000)
MEM_RESERVE: Reserves a range of the process's virtual address space without allocating any actual physical storage in memory or in the paging file on disk (0x2000)
In order to pass them together in the API Call we will pass them as 0x3000
flProtect: This parameter specifies the memory protection for the region of pages to be allocated, for us we need Read, Write and Execute permissions so the constant value for it is 0x40
[Final Form]
WriteProcessMemory
This Win32 API call is used for writing the shellcode to the allocated memory space
[syntax]
[Argument Explanation]
hProcess: The handle of the remote process or current process to be passed as IntPtr
lpBaseAddress: It requires the handle to the memory space we allocated earlier
lpBuffer: The Buffer to be copied (the shellcode basically)
nSize: The length of the buffer (buf.length)
lpNumberOfBytesWritten: It requires a pointer to the memory to output how much data was copied, basically we don't need this so we will create a fake variable as IntPtr and pass it.
[Final Form]
CreateRemoteThread
This Win32 API call will create a thread which will run in the virtual address space of another process
[syntax]
[Argument Explanation]
hProcess: The handle of the remote process or current process to be passed as IntPtr
lpThreadAttributes: This is to specify a security descriptor for the new thread which will determine if child process can inherit, we don't need this hence we will pass as
IntPtr.Zero
as NULL.dwStackSize: The initial size of stack in bytes, we will pass
0
so new thread will use default sizelpStartAddress: We will pass the pointer of the memory space which we allocated and written earlier
lpParameter: This parameter is for any arguments to be passed with the function, which we currently don't have so we will pass
IntPtr.Zero
as NULLdwCreationFlags: This flag will control what happens after the thread is created, we will pass
0
so that it starts executing immediately after crationlpThreadId: Pointer to a variable that receives the thread identifier, we don't need this so we will pass
IntPtr.Zero
as NULL
[Final Form]
These are all the Win32 API calls which is needed for process injection, I will not post any code because already a lot of examples are available publicly so the best idea is to supply a link to the Exact Process Injection code available online:
Process Injection By Chvancooten
Note: These are my personal notes which might be inaccurate
Last updated