
View Full Version : Hook remote process.


Kurapica
August 21st, 2009, 13:07
Is there a way to suspend a remote process from my local process when the remote process calls some API?

I must find a way to start a new process and make it break on "_CorExeMain" or "_CorDllMain", which represent the entrypoints for any .NET PE file.

I've been doing much research on API hooking and Code Injection.

But I want to see what you guys know about it.

thanks

BanMe
August 21st, 2009, 14:33
Not unless you can maintain code inside some area of a newly created process through injection, or w/ can the idea you are trying to accomplish be realized.. .Net isn't really my thing, but I bet taking the same approach that I am with Sin32, in a more targeted .net apps way, could accomplish this task..

Other ideas include creating a process suspended and writing an int3 to those locations you mentioned, and registering a JIT debugger that handles the other tasks that need to be accomplished.

Kurapica
August 22nd, 2009, 09:05
Thanks for the tip...

I already tried what you suggested and it seems .NET modules have a problem with INT3

anyway breaking on startup seems useless now and I will be satisfied with DLL injection after the injectee is fully loaded.

Here is a snippet of how I coded the injection code.

Code:
'DLL to load into the process
Dim DllName As String = "D:\My Documents\Delphi\DLL\Project1.dll"

'Allocate memory for the DLL name in the remote process (VirtualAllocEx).
'&H1000 = MEM_COMMIT, &H40 = PAGE_EXECUTE_READWRITE
Dim Ret As Int32 = VirtualAllocEx(Pinfo.hProcess, 0, DllName.Length + 1, &H1000, &H40)

'Write the DLL name, including full path, to the allocated memory (WriteProcessMemory).
Dim Length As Int32
WriteProcessMemory(Pinfo.hProcess, Ret, Marshal.StringToHGlobalAnsi(DllName), DllName.Length + 1, Length)

'Map your DLL into the remote process via CreateRemoteThread & LoadLibrary.
'kernel32.dll is mapped at the same base in every process, so the local LoadLibraryA address is valid remotely.
hThread = CreateRemoteThread(Pinfo.hProcess, IntPtr.Zero, 0, GetProcAddress(LoadLibrary("kernel32.dll"), "LoadLibraryA"), Ret, 0, 0)



All I have to do is finish the DLL now.
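The CreateRemoteThread + LoadLibraryA pattern in the snippet above is exactly what endpoint telemetry is built to spot: Sysmon Event ID 8 (CreateRemoteThread) records the thread's start module and exported function name. The following detector is an added example, not code from this thread; it runs over constructed, flattened Event ID 8 records (the Key=Value|Key=Value layout is an assumption for the sample, not Sysmon's native XML) and flags a remote thread whose start function is a LoadLibrary export, or whose start address is not backed by any loaded module.

```python
"""Classify Sysmon Event ID 8 (CreateRemoteThread) records for injection patterns."""
from dataclasses import dataclass

# LoadLibrary exports used as a remote-thread start routine in classic DLL injection.
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed sample records (flat Key=Value|... form), one event per line.
SAMPLE_EVENTS = r"""
SourceImage=C:\Tools\Injector.exe|TargetImage=C:\Apps\Target.exe|StartModule=C:\Windows\System32\KERNEL32.DLL|StartFunction=LoadLibraryA
SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\svchost.exe|StartModule=C:\Windows\System32\ntdll.dll|StartFunction=RtlUserThreadStart
SourceImage=C:\Program Files\AV\scanner.exe|TargetImage=C:\Apps\Target.exe|StartModule=|StartFunction=
"""


@dataclass
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_module: str
    start_function: str


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one flat record into its fields; missing keys become empty strings."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return RemoteThreadEvent(
        fields.get("SourceImage", ""), fields.get("TargetImage", ""),
        fields.get("StartModule", ""), fields.get("StartFunction", ""))


def classify(ev: RemoteThreadEvent):
    """Return a verdict string for suspicious cross-process threads, else None."""
    if ev.source_image.lower() == ev.target_image.lower():
        return None  # thread created inside the same process: not injection
    if (ev.start_function in LOADLIBRARY_EXPORTS
            and ev.start_module.lower().endswith(("kernel32.dll", "kernelbase.dll"))):
        return "dll-injection-via-loadlibrary"  # the pattern in the VB snippet
    if not ev.start_module:
        return "unbacked-thread-start"  # start address outside any mapped module
    return None


def scan(log_text: str):
    """Run classify() over every non-empty record; return (verdict, source, target) hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((verdict, ev.source_image, ev.target_image))
    return hits
```

In a real pipeline the same-process check would be complemented by an allowlist of known-good source images (debuggers, AV), since those also create remote threads legitimately.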