AfxCodeHook Example - Remote Procedure Injection
Post date: Oct 17, 2010 10:59:36 PM
{
Remote Procedure Injection
by Aphex
This is a method of executing code in a remote process
without using a DLL.
}
program RemExec;
uses
Windows,
afxCodeHook;
//structure to pass data to remote procedure
type
TRemoteInfo = record
MessageBox: function(hWnd: HWND; lpText, lpCaption: PChar; uType: UINT): Integer; stdcall;
GetModuleHandle: function(lpModuleName: PChar): HMODULE; stdcall;
LoadLibrary: function(lpLibFileName: PChar): HMODULE; stdcall;
GetProcAddress: function(hModule: HMODULE; lpProcName: LPCSTR): FARPROC; stdcall;
ExitProcess: procedure(uExitCode: UINT); stdcall;
User32: pchar;
MessageBoxA: pchar;
Text: pchar;
Title: pchar;
Button: dword;
end;
//procedure that runs injected inside another process
procedure RemoteThread(RemoteInfo: pointer); stdcall;
begin
with TRemoteInfo(RemoteInfo^) do
begin
@MessageBox := GetProcAddress(GetModuleHandle(User32), MessageBoxA);
if @MessageBox = nil then @MessageBox := GetProcAddress(LoadLibrary(User32), MessageBoxA);
Button := MessageBox(0, Text, Title, MB_YESNO);
end;
end;
procedure RemoteExecute;
const
User32: pchar = 'user32';
MessageBoxA: pchar = 'MessageBoxA';
Title: pchar = 'afxCodeHook';
Text: pchar = 'hello from notepad :)';
var
RemoteInfo: TRemoteInfo;
Process: dword;
StartInfo: TStartupInfo;
ProcInfo: TProcessInformation;
begin
//create a process for testing
ZeroMemory(@StartInfo, SizeOf(TStartupInfo));
StartInfo.cb := SizeOf(TStartupInfo);
CreateProcess(nil, 'notepad.exe', nil, nil, False, 0, nil, nil, StartInfo, ProcInfo);
Process := ProcInfo.hProcess;
//copy our strings into the remote process
RemoteInfo.User32 := InjectString(Process, User32);
RemoteInfo.MessageBoxA := InjectString(Process, MessageBoxA);
RemoteInfo.Text := InjectString(Process, Text);
RemoteInfo.Title := InjectString(Process, Title);
//copy our API addresses to pass to the remote process
@RemoteInfo.GetModuleHandle := GetProcAddress(GetModuleHandle('kernel32'), 'GetModuleHandleA');
@RemoteInfo.LoadLibrary := GetProcAddress(GetModuleHandle('kernel32'), 'LoadLibraryA');
@RemoteInfo.GetProcAddress := GetProcAddress(GetModuleHandle('kernel32'), 'GetProcAddress');
@RemoteInfo.ExitProcess := GetProcAddress(GetModuleHandle('kernel32'), 'ExitProcess');
//inject our function and data into the process
InjectThread(Process, @RemoteThread, @RemoteInfo, SizeOf(TRemoteInfo), True);
//check results
if RemoteInfo.Button = 6 then
MessageBox(0, 'User clicked yes.', 'afxCodeHook', 0)
else if RemoteInfo.Button = 7 then
MessageBox(0, 'User clicked no.', 'afxCodeHook', 0);
//kill notepad
TerminateProcess(Process, 0);
end;
begin
RemoteExecute;
end.