<p>Although Windows supports shared memory through its <a href="http://msdn.microsoft.com/en-us/library/aa366883(VS.85).aspx" rel="noreferrer">file mapping API</a>, you can't easily inject a shared memory mapping into another process directly, as <a href="http://msdn.microsoft.com/en-us/library/aa366763(VS.85).aspx" rel="noreferrer">MapViewOfFileEx</a> does not take a process argument.</p>
<p>However, you can inject some data by allocating memory in another process using <a href="http://msdn.microsoft.com/en-us/library/aa366890(VS.85).aspx" rel="noreferrer">VirtualAllocEx</a> and <a href="http://msdn.microsoft.com/en-us/library/ms681674(VS.85).aspx" rel="noreferrer">WriteProcessMemory</a>. If you were to copy in a handle using <a href="http://msdn.microsoft.com/en-us/library/ms724251(VS.85).aspx" rel="noreferrer">DuplicateHandle</a>, then inject a stub which calls <a href="http://msdn.microsoft.com/en-us/library/aa366763(VS.85).aspx" rel="noreferrer">MapViewOfFileEx</a>, you could establish a shared memory mapping in another process. Since it sounds like you'll be injecting code anyway, this ought to work well for you.</p>
<p>To summarize, you'll need to:</p>
<ul>
<li>Create an anonymous shared memory segment handle by calling <a href="http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx" rel="noreferrer">CreateFileMapping</a> with INVALID_HANDLE_VALUE for hFile and NULL for lpName.</li>
<li>Copy this handle into the target process with <a href="http://msdn.microsoft.com/en-us/library/ms724251(VS.85).aspx" rel="noreferrer">DuplicateHandle</a>.</li>
<li>Allocate some memory for code using <a href="http://msdn.microsoft.com/en-us/library/aa366890(VS.85).aspx" rel="noreferrer">VirtualAllocEx</a>, with flAllocationType = MEM_COMMIT | MEM_RESERVE and flProtect = PAGE_EXECUTE_READWRITE.</li>
<li>Write your stub code into this memory, using <a href="http://msdn.microsoft.com/en-us/library/ms681674(VS.85).aspx" rel="noreferrer">WriteProcessMemory</a>. This stub will likely need to be written in assembler. Pass the HANDLE from DuplicateHandle by writing it in here somewhere.</li>
<li>Execute your stub using <a href="http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx" rel="noreferrer">CreateRemoteThread</a>. The stub must then use the HANDLE it obtained to call <a href="http://msdn.microsoft.com/en-us/library/aa366763(VS.85).aspx" rel="noreferrer">MapViewOfFileEx</a>. The processes will then have a common shared memory segment.</li>
</ul>
<p>You may find it a bit easier if your stub loads an external library - that is, have it simply call LoadLibrary (finding the address of LoadLibrary is left as an exercise to the reader) and do your work from the library's dllmain entry point. In this case using named shared memory is likely to be simpler than futzing around with DuplicateHandle. See the MSDN article on <a href="http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx" rel="noreferrer">CreateFileMapping</a> for more details, but, essentially, pass INVALID_HANDLE_VALUE for hFile and a name for lpName.</p>
<p><strong>Edit</strong>: Since your problem is passing data and not actual code injection, here are a few options.</p>
<ol>
<li>Use variable-sized shared memory. Your stub gets the size and either the name of or a handle to the shared memory. This is appropriate if you need only exchange data once. <em>Note that the size of a shared memory segment cannot be easily changed after creation.</em></li>
<li>Use a <a href="http://msdn.microsoft.com/en-us/library/aa365590(VS.85).aspx" rel="noreferrer">named pipe</a>. Your stub gets the name of or a handle to the pipe. You can then use an appropriate protocol to exchange variable-sized blocks - for example, write a size_t for length, followed by the actual message. Or use PIPE_TYPE_MESSAGE and PIPE_READMODE_MESSAGE, and watch for ERROR_MORE_DATA to determine where messages end. This is appropriate if you need to exchange data multiple times.</li>
</ol>
<p><strong>Edit 2</strong>: Here's a sketch of how you might implement handle or pointer storage for your stub:</p>
<pre><code>.db B8           ;; mov eax, imm32
.dl handle_value ;; fill this in (located at the start of the image + one byte)
;; handle value is now in eax, do with it as you will
;; more code follows...
</code></pre>
<p>You could also just use a fixed name, which is probably simpler.</p>
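<p>As an added example that is not part of the answer above, here is the length-prefixed framing from the named-pipe option (Edit, option 2) written out as an encoder and decoder. It assumes a fixed 32-bit little-endian length field instead of size_t (so a 32-bit and a 64-bit process read the same header), an assumed MAX_FRAME cap so the reader never trusts an unbounded length from the peer, and returns FRAME_NEED_MORE when a byte-mode pipe delivers a partial read.</p>

```c
/* Added example: length-prefixed framing for the named-pipe option.
 * Not code from the original answer. HDR_LEN is a fixed 4-byte header
 * (assumed instead of size_t) and MAX_FRAME is an assumed ceiling so a
 * peer cannot make the reader allocate an arbitrary amount. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 4
#define MAX_FRAME (1u << 20)   /* assumed 1 MiB ceiling per message */

enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_TOO_LARGE };

/* Write the little-endian length, then the payload. Returns bytes written,
 * or 0 if the output buffer is too small or the payload exceeds MAX_FRAME. */
size_t frame_encode(const uint8_t *msg, uint32_t len,
                    uint8_t *out, size_t cap)
{
    if (len > MAX_FRAME || cap < (size_t)HDR_LEN + len) return 0;
    for (int i = 0; i < HDR_LEN; i++) out[i] = (uint8_t)(len >> (8 * i));
    memcpy(out + HDR_LEN, msg, len);
    return (size_t)HDR_LEN + len;
}

/* Decode one frame from the front of buf. On FRAME_OK, *msg points into
 * buf and *consumed is the whole frame size. FRAME_NEED_MORE means the
 * caller should append more bytes read from the pipe and retry; the
 * length is checked against MAX_FRAME before it is used for anything. */
enum frame_status frame_decode(const uint8_t *buf, size_t avail,
                               const uint8_t **msg, uint32_t *len,
                               size_t *consumed)
{
    if (avail < HDR_LEN) return FRAME_NEED_MORE;
    uint32_t n = 0;
    for (int i = 0; i < HDR_LEN; i++) n |= (uint32_t)buf[i] << (8 * i);
    if (n > MAX_FRAME) return FRAME_TOO_LARGE;   /* reject untrusted length */
    if (avail < (size_t)HDR_LEN + n) return FRAME_NEED_MORE;
    *msg = buf + HDR_LEN;
    *len = n;
    *consumed = (size_t)HDR_LEN + n;
    return FRAME_OK;
}
```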
 
