
Security Forums


Call to WinExec()

clonmac
Posted: Sat Apr 25, 2009 5:46 pm    Post subject: Call to WinExec()

I've been doing a lot of reading lately on security, hacking, and vulnerability detection and have been picking up quite a lot. One of the topics I've been learning in the last few days is code injection into software.

Here is what I am trying to do. I've already done it with other functions, but I want to try and expand on it and do it with different types of functions. Mostly what I am playing around with is functions located in the kernel32 and user32 libraries.

So I've been playing around with specific executables and for this example let's say I am using winmine.exe (Minesweeper).

What I've already done is changed the code of it to display a message box when the application is first opened and have it say a message. I've injected the code into the program and used the MessageBoxA function to do so and then jmp'd back to the original code to carry on as normal.

So now I have moved from that theory on to using the WinExec() function. I have placed a jmp at the origin and moved to my code that I have placed in free space. This jmp's to the following asm code:

PUSH 1
PUSH XXXXXXXX (where X is the pointer to the location of program)
CALL DWORD PTR DS:[YYYYYYYY] (where Y is the location of WinExec)
--Overwritten Code from Origin--
JMP ZZZZZZZZ (where Z jumps back to right after my JMP after the origin)


So I run the program and it immediately crashes. I debug it and it is crashing at the return of WinExec with an Access Violation error.

Does anyone know what might be happening and why this is crashing like this? I thought I was calling everything correctly with the right parameters. Am I missing something (clearly)?

If someone could tell me how to make a proper call to the WinExec() function in asm, that'd be helpful. Or maybe I should use CreateProcess?

Thanks.
Fire Ant
Posted: Sat Apr 25, 2009 11:58 pm

It's been 15 years since I got involved in any ASM but I will chuck in my 2 pence.

When you are testing with MessageBoxA you are passing parameters for the text in the message box; are you passing the parameters for WinExec correctly?

I wouldn't recommend changing WinExec for CreateProcess. WinExec is a very simple API call; CreateProcess is complex, as far as DLL calls go, to do in C++.

Have you tried building a test program in C++ and injecting your code into that?

Matt_s
capi
Posted: Sun Apr 26, 2009 1:23 am

Hmm, I'm not seeing anything wrong with your code. You say the access violation comes right after the return of WinExec; does WinExec execute successfully then? Does it launch the child program, and what value does it return in eax?

You are sure that the cmdline parameter (the XXXXXXXX) is at a valid and accessible address, right? Try issuing a MessageBox and using that address as the text string.

In any case, WinExec is long deprecated and only kept for compatibility with 16-bit programs. You should be using CreateProcess. There's nothing to it, all you have to do is give it a few more parameters. Check out the function's reference, and the included example.
clonmac
Posted: Mon Apr 27, 2009 6:17 pm

I've been working on this more and I still don't understand why WinExec() isn't working.

The function definitely doesn't execute properly. Notepad.exe (the argument for WinExec) never executes when I run the program, so that tells me that WinExec() is not finishing and the program is crashing before that. The parameter that I am passing to WinExec() is at an accessible address space. I am not sure how to debug it further to find out why WinExec is not executing properly. I don't know if it is in the way I am calling it or if something else is wrong.

So I then tried using CreateProcess. I compiled the example program and ran it at the command prompt. I passed 'notepad.exe' as the parameter and it launched notepad.exe. So then I opened that program in OllyDbg and checked the asm code for how they called CreateProcess. Here is the asm code for how it is called in the compiled example program:

MOV EDI,EDI
PUSH EBP
MOV EBP,ESP
PUSH 0
PUSH DWORD PTR SS:[EBP+2C]
PUSH DWORD PTR SS:[EBP+28]
PUSH DWORD PTR SS:[EBP+24]
PUSH DWORD PTR SS:[EBP+20]
PUSH DWORD PTR SS:[EBP+1C]
PUSH DWORD PTR SS:[EBP+18]
PUSH DWORD PTR SS:[EBP+14]
PUSH DWORD PTR SS:[EBP+10]
PUSH DWORD PTR SS:[EBP+0C]
PUSH DWORD PTR SS:[EBP+8]
PUSH 0
CALL CreateProcessInternalA
POP EBP
RETN 28

So what I did was snip that code and place it in winmine.exe to test it. I then created a string at a memory address for "notepad.exe". I replaced the last parameter in the above code (PUSH DWORD PTR SS:[EBP+8]) with PUSH XXXXXXXX where X is the location of the string "notepad.exe". I then went on as usual with the typical code injection as I did with the MessageBoxA injection that worked.

That crashed as well. It crashed somewhere within the CreateProcessInternalA function with an Access violation. It must be in the way I am calling these functions in asm and it seems as if I am passing the parameters incorrectly.
clonmac
Posted: Mon Apr 27, 2009 10:44 pm

I was able to get the program working so that it pulls up Notepad when the program is run. It looks like it was an issue with the way the arguments were organized. I ended up using WinExec. I still don't understand why the example in my first post didn't work, but I ended up using the following code:

PUSH 3
PUSH XXXXXXXX (Where X is the location of "Notepad.exe")
CALL WinExec
--overwritten code--
JMP (back to remaining code after origin)


It is almost exactly the same as the first example except for the way I called WinExec. I am almost positive I tried this method before and I don't know why it worked this time.

I tried using CreateProcess, but I wasn't having any luck there. Most likely because of some of the issues I was having with the arguments. I'll try playing around with it more to see if I can get CreateProcess to work. I looked at the Debug and put a breakpoint at the CreateProcess call and it looks like all the arguments were set up properly, so IDK.

Thanks for the help guys.
BluePass
Posted: Wed Apr 29, 2009 11:57 pm

I've been able to do this without any issues. I've used:

Code:
PUSH 1
PUSH <address_of_string>
CALL WinExec


One reason you may be crashing is that you do not null-terminate "Notepad.exe". Make sure there is a null byte at the end. If you look towards the end of the disassembled code in OllyDbg, you will see the null padding of the code. I've placed my string there.

If you run me step-by-step through what you're doing, I may be able to help you. This has worked with no issue on my end.
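The three things the thread ends up questioning (capi: is the lpCmdLine address valid and readable; BluePass: is the string NUL-terminated; and the difference between the indirect `CALL DWORD PTR DS:[...]` in the first post and the direct `CALL WinExec` that later worked) can all be checked mechanically from the bytes of the cave before anything is executed, which is also how you would triage a suspicious patch found in a binary. The Python below is an added example and is not code from the thread or from any of the posters. It decodes only the handful of 32-bit x86 instruction forms that appear in the posts (PUSH imm8/imm32, CALL rel32, CALL DWORD PTR [disp32], JMP rel32), resolves the call and jump targets, and verifies the stdcall layout of WinExec(lpCmdLine, uCmdShow): arguments are pushed right to left, so the PUSH immediately before the CALL must be the string pointer. Every address (IMAGE_BASE, IAT_WINEXEC, WINEXEC_ADDR, RETURN_ADDR) and the 64-byte image are constructed for the example; none come from winmine.exe.

```python
"""Decode and sanity-check the WinExec call sequence discussed in the thread."""
import struct

# Hypothetical addresses for the constructed sample; none are taken from winmine.exe.
IMAGE_BASE   = 0x01004000   # where the 64-byte cave below is assumed to be mapped
IAT_WINEXEC  = 0x01001010   # assumed IAT slot holding WinExec's address
WINEXEC_ADDR = 0x7C800000   # assumed address of WinExec itself (direct-call form)
RETURN_ADDR  = 0x01002A3C   # assumed address right after the JMP placed at the origin


def build_cave(terminated=True, via_iat=True):
    """Assemble the sequence from the thread into a constructed 64-byte image.

    Layout: PUSH 1 / PUSH <string> / CALL WinExec / JMP back, then zero padding,
    then "notepad.exe" at offset 0x20.  terminated=False drops the trailing NUL
    and fills the slack after the string with 0x90 instead of zeros.
    """
    string_addr = IMAGE_BASE + 0x20
    code = b"\x6A\x01"                                        # PUSH 1 (uCmdShow)
    code += b"\x68" + struct.pack("<I", string_addr)          # PUSH imm32 (lpCmdLine)
    if via_iat:
        code += b"\xFF\x15" + struct.pack("<I", IAT_WINEXEC)  # CALL DWORD PTR [IAT]
    else:
        rel = WINEXEC_ADDR - (IMAGE_BASE + len(code) + 5)     # rel32 from next insn
        code += b"\xE8" + struct.pack("<i", rel)              # CALL rel32
    rel = RETURN_ADDR - (IMAGE_BASE + len(code) + 5)
    code += b"\xE9" + struct.pack("<i", rel)                  # JMP rel32 back to origin
    fill = b"\x00" if terminated else b"\x90"
    return (code.ljust(0x20, b"\x00") + b"notepad.exe").ljust(64, fill)


def decode(image, base):
    """Decode the 32-bit x86 forms used in the thread until padding/data is hit.

    Returns (address, mnemonic, operand) tuples; call/jmp targets are resolved to
    absolute addresses, and an indirect call keeps its [disp32] slot as operand.
    """
    insns, ip = [], 0
    while ip < len(image):
        op, addr = image[ip], base + ip
        if op == 0x6A:                                   # PUSH imm8 (sign-extended)
            insns.append((addr, "push", struct.unpack_from("<b", image, ip + 1)[0]))
            ip += 2
        elif op == 0x68:                                 # PUSH imm32
            insns.append((addr, "push", struct.unpack_from("<I", image, ip + 1)[0]))
            ip += 5
        elif op in (0xE8, 0xE9):                         # CALL rel32 / JMP rel32
            rel = struct.unpack_from("<i", image, ip + 1)[0]
            insns.append((addr, "call" if op == 0xE8 else "jmp", (addr + 5 + rel) & 0xFFFFFFFF))
            ip += 5
        elif op == 0xFF and image[ip + 1] == 0x15:       # CALL DWORD PTR [disp32]
            insns.append((addr, "call [mem]", struct.unpack_from("<I", image, ip + 2)[0]))
            ip += 6
        else:
            break                                        # padding or data: stop
    return insns


def cstring_at(image, base, addr):
    """Return the NUL-terminated bytes at addr, or None if addr lies outside the
    image or no terminator exists before the end of the image."""
    off = addr - base
    if not 0 <= off < len(image):
        return None
    end = image.find(b"\x00", off)
    return None if end == -1 else image[off:end]


def check_winexec_call(image, base, iat_slot):
    """Verify the stdcall layout of WinExec(lpCmdLine, uCmdShow) in the cave.

    Arguments are pushed right to left, so the PUSH directly before the CALL must
    be lpCmdLine and the one before it uCmdShow; lpCmdLine must point at a
    NUL-terminated string inside the image; a JMP must return to RETURN_ADDR.
    """
    insns = decode(image, base)
    calls = [i for i, ins in enumerate(insns) if ins[1].startswith("call")]
    if not calls:
        return {"ok": False, "reason": "no CALL decoded"}
    i = calls[0]
    if i < 2 or insns[i - 1][1] != "push" or insns[i - 2][1] != "push":
        return {"ok": False, "reason": "WinExec needs exactly two PUSHes before the CALL"}
    via_iat = insns[i][1] == "call [mem]"
    if via_iat and insns[i][2] != iat_slot:
        return {"ok": False, "reason": "indirect CALL does not go through the expected IAT slot"}
    cmdline, show = insns[i - 1][2], insns[i - 2][2]
    s = cstring_at(image, base, cmdline)
    if s is None:
        return {"ok": False, "reason": "lpCmdLine is not a NUL-terminated string in the image"}
    jmps = [ins for ins in insns[i + 1:] if ins[1] == "jmp"]
    if not jmps or jmps[0][2] != RETURN_ADDR:
        return {"ok": False, "reason": "no JMP back to the instruction after the origin"}
    return {"ok": True, "cmdline": s.decode("ascii"), "show": show, "via_iat": via_iat}


if __name__ == "__main__":
    for term, iat in ((True, True), (True, False), (False, True)):
        print(term, iat, check_winexec_call(build_cave(term, iat), IMAGE_BASE, IAT_WINEXEC))
```

The third run reproduces BluePass's failure mode: with the trailing NUL missing and non-zero bytes after the string, `cstring_at` finds no terminator inside the image, so the check refuses the cave instead of letting WinExec read past it. In a real cave the overwritten origin instructions sit between the CALL and the JMP; the decoder stops at any opcode it does not know, so those bytes still have to be read in the debugger. The indirect form is accepted only when its [disp32] is the IAT slot you expect, which is the point capi's question about the return value in eax is probing: a `CALL DWORD PTR [..]` through the wrong slot lands on whatever that slot holds, not on WinExec.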