hasherezade / libpeconv

A library to load, manipulate and dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl
https://hasherezade.github.io/libpeconv
BSD 2-Clause "Simplified" License

Fails to inject notepad.exe into calc.exe on x64 #7

Open abdullah2993 opened 5 years ago

abdullah2993 commented 5 years ago

I haven't tried it on x86, but currently on x64 it is unable to inject notepad.exe into calc.exe. Other combinations work, as shown:

Payload       Target        Result
Calc.exe      Calc.exe      Success
Calc.exe      notepad.exe   Fails
notepad.exe   Calc.exe      Success
notepad.exe   notepad.exe   Success

I have the same problem with my implementation and I'm unable to find the reason for it.

soipray commented 5 years ago

I have some problems too. x64 sometimes works badly, but you can run an x86 PE in an x64 process.

arizvisa commented 2 years ago

> I haven't tried it on x86, but currently on x64 it is unable to inject notepad.exe into calc.exe. Other combinations work, as shown:
>
> Payload       Target        Result
> Calc.exe      Calc.exe      Success
> Calc.exe      notepad.exe   Fails
> notepad.exe   Calc.exe      Success
> notepad.exe   notepad.exe   Success
>
> I have the same problem with my implementation and I'm unable to find the reason for it.

Not exactly sure what your issue is _specifically_, but if you're using SuspendThread/SetThreadContext/ResumeThread on a process with a GUI thread (as if you're trying to steal a timeslice from a thread that doesn't belong to you and has other resources attached to it), keep in mind that messages can be queued to the thread prior to it executing your actual context. There's a comment at the end of https://zerosum0x0.blogspot.com/2017/07/threadcontinue-reflective-injection.html with a link which describes what I encountered back then while writing similar toys.

One way to test is to first verify that it works on both a non-GUI and a non-console process, and then, once that's confirmed, see if delivering various types of window messages (mouse will work) influences the stability or leaves any "droppings" below your target's stack pointer. You can try setting the program counter to point at an empty loop or a breakpoint.

(Also, if you're linking other libraries into the address space, keep in mind that your export directory can contain a forward if its RVA points within the directory.)
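The forwarder rule mentioned in the comment above (an export whose "address" RVA falls inside the export directory is a "DLL.Symbol" string, not code) is easy to get wrong when resolving imports against a manually loaded module. The following is an added example, not code from libpeconv or from the commenter: a small export-table walker that applies that check. It redeclares the IMAGE_EXPORT_DIRECTORY layout locally so it builds without the Windows SDK, assumes the image is already in its mapped layout (RVA == buffer offset, as a manually loaded module is), and runs against a constructed toy image (buildToyImage, kToyDirRva, kToyDirSize, "TOY.dll", "NTDLL.RtlDoThing" are all made up for this example).

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Layout of IMAGE_EXPORT_DIRECTORY as in winnt.h, redeclared so the example
// builds without the Windows SDK (assumption: 40-byte little-endian layout).
struct ExportDirectory {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
};
static_assert(sizeof(ExportDirectory) == 40, "unexpected padding");

struct ExportEntry {
    std::string name;       // empty when exported by ordinal only
    uint16_t ordinal;
    uint32_t rva;           // raw value from AddressOfFunctions
    bool isForwarder;       // true when rva lands inside the export directory
    std::string forwarder;  // "DLL.Symbol" (or "DLL.#N") when isForwarder
};

// Bounds-checked readers over a mapped image (RVA == offset into the buffer).
static uint32_t readU32(const std::vector<uint8_t>& img, uint32_t rva) {
    if (rva > img.size() || img.size() - rva < 4) throw std::out_of_range("u32 RVA outside image");
    uint32_t v; std::memcpy(&v, &img[rva], 4); return v;
}
static uint16_t readU16(const std::vector<uint8_t>& img, uint32_t rva) {
    if (rva > img.size() || img.size() - rva < 2) throw std::out_of_range("u16 RVA outside image");
    uint16_t v; std::memcpy(&v, &img[rva], 2); return v;
}
static std::string readCString(const std::vector<uint8_t>& img, uint32_t rva) {
    std::string s;
    uint32_t i = rva;
    for (; i < img.size() && img[i] != 0; ++i) s.push_back(static_cast<char>(img[i]));
    if (i >= img.size()) throw std::out_of_range("unterminated string in image");
    return s;
}

// Walk the export directory and classify each export as code or forwarder.
std::vector<ExportEntry> parseExports(const std::vector<uint8_t>& img, uint32_t dirRva, uint32_t dirSize) {
    if (dirRva > img.size() || img.size() - dirRva < sizeof(ExportDirectory))
        throw std::out_of_range("export directory outside image");
    ExportDirectory dir;
    std::memcpy(&dir, &img[dirRva], sizeof dir);

    // AddressOfNames / AddressOfNameOrdinals are parallel arrays; the "ordinal"
    // stored there is an index into AddressOfFunctions, not Base-relative.
    std::vector<std::string> namesByIndex(dir.NumberOfFunctions);
    for (uint32_t i = 0; i < dir.NumberOfNames; ++i) {
        uint16_t idx = readU16(img, dir.AddressOfNameOrdinals + 2 * i);
        if (idx >= dir.NumberOfFunctions) throw std::runtime_error("name ordinal out of range");
        namesByIndex[idx] = readCString(img, readU32(img, dir.AddressOfNames + 4 * i));
    }

    const uint64_t dirEnd = uint64_t(dirRva) + dirSize;
    std::vector<ExportEntry> out;
    for (uint32_t i = 0; i < dir.NumberOfFunctions; ++i) {
        uint32_t rva = readU32(img, dir.AddressOfFunctions + 4 * i);
        if (rva == 0) continue;  // hole in the ordinal range, not an export
        ExportEntry e{namesByIndex[i], static_cast<uint16_t>(dir.Base + i), rva, false, ""};
        // The forwarder check: an RVA inside the export directory is a string,
        // and the loader must resolve "DLL.Symbol" in that other DLL instead.
        if (rva >= dirRva && rva < dirEnd) { e.isForwarder = true; e.forwarder = readCString(img, rva); }
        out.push_back(e);
    }
    return out;
}

// Constructed sample image (not from any real binary): one real export, one
// forwarder and one unused ordinal slot, with the directory spanning 0x100..0x1A8.
const uint32_t kToyDirRva = 0x100;
const uint32_t kToyDirSize = 0xA8;
static void put32(std::vector<uint8_t>& img, uint32_t rva, uint32_t v) { std::memcpy(&img[rva], &v, 4); }
static void put16(std::vector<uint8_t>& img, uint32_t rva, uint16_t v) { std::memcpy(&img[rva], &v, 2); }
static void putStr(std::vector<uint8_t>& img, uint32_t rva, const char* s) { std::memcpy(&img[rva], s, std::strlen(s) + 1); }

std::vector<uint8_t> buildToyImage() {
    std::vector<uint8_t> img(0x1000, 0);
    ExportDirectory dir{};
    dir.Name = 0x1A0; dir.Base = 1; dir.NumberOfFunctions = 3; dir.NumberOfNames = 2;
    dir.AddressOfFunctions = 0x130; dir.AddressOfNames = 0x140; dir.AddressOfNameOrdinals = 0x150;
    std::memcpy(&img[kToyDirRva], &dir, sizeof dir);
    put32(img, 0x130, 0x400);  // ordinal 1: real code, outside the directory
    put32(img, 0x134, 0x180);  // ordinal 2: points INSIDE the directory -> forwarder
    put32(img, 0x138, 0x000);  // ordinal 3: unused slot
    put32(img, 0x140, 0x160); put32(img, 0x144, 0x170);   // name strings
    put16(img, 0x150, 0);     put16(img, 0x152, 1);       // name -> function index
    putStr(img, 0x160, "RealFunc");
    putStr(img, 0x170, "FwdFunc");
    putStr(img, 0x180, "NTDLL.RtlDoThing");  // forwarder target (made up)
    putStr(img, 0x1A0, "TOY.dll");
    img[0x400] = 0xC3;  // "ret", stands in for real code
    return img;
}

int main() {
    for (const auto& e : parseExports(buildToyImage(), kToyDirRva, kToyDirSize))
        std::printf("#%u %s -> %s\n", e.ordinal, e.name.c_str(), e.isForwarder ? e.forwarder.c_str() : "code");
    return 0;
}
```

The size used for the range check must be the export data directory's Size from the optional header, which covers the whole export block (tables and strings), not sizeof(IMAGE_EXPORT_DIRECTORY); using the struct size alone misses forwarder strings placed after the tables and hands the importing module a pointer into a string.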

hasherezade commented 1 year ago

If you have problems with running a manually loaded instance of notepad, it may be related to the properties of notepad itself (rather than to any issue with the loader). More about it in this thread: https://github.com/hasherezade/libpeconv/issues/44