Please see attached for my copy of detours.h and detours.lib
You can write a simple loader that starts the app with CreateProcess() and uses the information returned in the lpProcessInformation parameter to get the process's handle.
Note: you may need to enable SeDebugPrivilege before doing any of this. The code below is borrowed from an online source.
Code:
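//
// Enables SeDebugPrivilege in the current process's access token.
//
// Returns TRUE only when the privilege was actually enabled, FALSE otherwise.
//
// Security notes:
//  - SeDebugPrivilege lets the caller open processes regardless of their
//    security descriptor, so enable it only when the operation needs it.
//    This function does not disable it again; it stays enabled in this
//    process's token after the call.
//  - The process handle returned by CreateProcess() for a child you launched
//    yourself already carries full access, so this call is normally not
//    required for that case.
//  - The token must already hold the privilege (typically an elevated
//    administrator token); this call can enable it, not grant it.
//
BOOL EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tp;
    BOOL bEnabled = FALSE;

    if ( !OpenProcessToken(
            GetCurrentProcess(),
            TOKEN_ADJUST_PRIVILEGES |   // to adjust privileges
            TOKEN_QUERY,                // to get old privileges setting
            &hToken ) )
    {
        // OpenProcessToken() failed
        return FALSE;
    }

    // Map the privilege name SeDebugPrivilege to its LUID on the local system.
    if ( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
    {
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = sedebugnameValue;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // AdjustTokenPrivileges() returns nonzero even when the token does not
        // hold the requested privilege; that case is reported only through
        // GetLastError() == ERROR_NOT_ALL_ASSIGNED. Read the last error before
        // any other API call can overwrite it.
        if ( AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(tp), NULL, NULL ) &&
             GetLastError() != ERROR_NOT_ALL_ASSIGNED )
        {
            bEnabled = TRUE;
        }
    }

    // Single exit path so the token handle is closed exactly once.
    CloseHandle( hToken );
    return bEnabled;
}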
This function is borrowed from another site. Just pass it your process handle and the full path of the DLL that you want to inject. I have not tested it, but it looks like it should work fine.
Code:
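/*
 * Loads a DLL into another process by copying its path into that process and
 * running LoadLibraryA there on a remote thread.
 *
 * hProcess           Handle to the target process. The calls below need
 *                    rights to create a thread and to allocate and write
 *                    memory in it; the handle CreateProcess() returns for a
 *                    child you launched has them.
 * szDllToInjectPath  NUL-terminated ANSI path of the DLL. Pass an absolute
 *                    path to a file in a directory that unprivileged users
 *                    cannot write, so the target does not resolve the name
 *                    through its DLL search order.
 *
 * Returns TRUE only if the remote LoadLibraryA call reported a non-NULL
 * module and the remote buffer was released; FALSE on any failure.
 * The caller keeps ownership of hProcess and must close it.
 *
 * NOTE(review): the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
 * sequence is commonly monitored by endpoint security products, so expect it
 * to be logged or blocked. When you control the launch, the Detours
 * DetourCreateProcessWithDll family (exact name depends on the Detours
 * version) is the library's own way to start a process with a DLL loaded.
 */
BOOL bInjectLibrary(HANDLE hProcess, char* szDllToInjectPath)
{
    BOOL bLoaded = FALSE;
    HANDLE hThread = NULL;
    LPVOID lpRemoteAddress = NULL;
    HMODULE hKernel32 = NULL;
    FARPROC pfnLoadLibraryA = NULL;
    SIZE_T cbPath = 0;
    SIZE_T cbWritten = 0;
    DWORD dwExitCode = 0;

    if (!hProcess || !szDllToInjectPath || !*szDllToInjectPath)
        return FALSE;

    /* Include the terminating NUL: LoadLibraryA reads a C string, and the
       original relied on the fresh pages happening to be zero-filled. */
    cbPath = strlen(szDllToInjectPath) + 1;

    /* Explicit ANSI variant so the narrow literal is correct in UNICODE
       builds too; check both lookups instead of passing NULL as the thread
       start address. */
    hKernel32 = GetModuleHandleA("KERNEL32.DLL");
    if (!hKernel32)
        return FALSE;
    pfnLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
    if (!pfnLoadLibraryA)
        return FALSE;

    lpRemoteAddress = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!lpRemoteAddress)
        return FALSE;

    if (!WriteProcessMemory(hProcess, lpRemoteAddress, szDllToInjectPath, cbPath, &cbWritten) ||
        cbWritten != cbPath)
        goto cleanup;

    /* Stack size and creation flags are integers, so pass 0 rather than NULL. */
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoadLibraryA,
                                 lpRemoteAddress, 0, NULL);
    if (!hThread)
        goto cleanup;

    if (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0) {
        /* The thread's exit code is LoadLibraryA's return value truncated to
           32 bits; zero means the load failed in the target. On 64-bit
           targets a valid module whose low 32 bits are zero would be
           misreported as a failure (unlikely, but possible). */
        if (GetExitCodeThread(hThread, &dwExitCode) && dwExitCode != 0)
            bLoaded = TRUE;
    } else {
        /* Thread state is unknown: leave the buffer allocated rather than
           free memory the remote thread may still be reading. */
        lpRemoteAddress = NULL;
    }

cleanup:
    /* Every exit path past the allocation releases the thread handle and the
       remote buffer; the original leaked both on its failure returns. */
    if (hThread)
        CloseHandle(hThread);
    if (lpRemoteAddress && !VirtualFreeEx(hProcess, lpRemoteAddress, 0, MEM_RELEASE))
        bLoaded = FALSE;
    return bLoaded;
}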
Remember to close your handle to the process when done.