Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

C++: Injecting 32 bit targets from 64 bit process

I have written a DLL-Injector in C++ recently, for which the requirements were the following

  • The INJECTING PROCESS (let's call it the 'Injector') as well as the DLL TO BE INJECTED (Injection) exist in 64 and 32 bit variants. Depending on the target, the matching version of the injection is tried to be injected.
  • It must be possible to inject target processes that are 32 bit (WOW64) even with the Injector running in 64 bit

It came quickly to my notice, that the call of GetProcAddress("LoadLibraryA") in the Injector returns an "unusable" handle as the 32 bit target has another kernel32.dll loaded and the address of the function there is different, so injection fails (The remote thread can not be started using the returned address/handle). Furthermore, the 32 bit process has the kernel32.dll loaded at a different base address, which makes creation of the remote thread even more impossible.

To make clear what I mean, the following happens:

  • Injector has 64 bit version of kernel32.dll loaded at 0x12340000
  • Injector retrieves handle for LoadLibraryA 0x00005678 from this kernel32.dll
  • Target has 32 bit version of kernel32.dll loaded at 0xABCD0000
  • The handle for LoadLibrary of this kernel32.dll is expected to be 0x0000EFAB
  • Injector tries to start remote thread in target with function 0x12345678, but 0xABCDEFAB is expected

When injecting a 64 bit process from a 64 bit process, and 32 bit from 32 bit, there is usually no problem, as the kernel32.dll is (most likely) loaded at the same base address and the same function address can be used - that's my unterstanding so far. In this case however the conditions differ.

To overcome the problem I did the following steps:

  • 64 bit Injector retrieves address of kernel32.dll loaded by 32 bit target using EnumProcessModulesEx() (should be 0xABCD000)
  • Get filename of that kernel32.dll, parse the PE header and get the RVA of LoadLibraryA (should be 0x000EFAB)
  • At this point, we know where kernel32.dll is loaded in the 32 bit target and the address of the function from this DLL.
  • 64 bit Injector starts remote thread in 32 bit target with ImageBase + Function RVA, in this case the magical 0xABCDEFAB

This approach actually works very well, but I can't get rid of the thought that this is total overhead and there must be a more simpler solution to inject 32 bit targets from 64 bit injectors.

I have two questions, for which I am very grateful if they could be answered here:

  1. Is there a more simple way to achieve this kind of injection?
  2. Are there possible problems with the approach I've been taking that I haven't thought about?

Any answers are very much appreciated, thanks!

EDIT: Oh my gosh... I just realized, that I described the situation wrong in my initial post. The INJECTOR is 64 bit, and the TARGET is 32 bit (Initially it was the other way around, but I already corrected it). Ben Voigt's comments down below are totally true, the call to EnumProcessModulesEx would fail. A big big BIG sorry for that confusion :(

like image 423
PuerNoctis Avatar asked Jan 08 '12 09:01

PuerNoctis


1 Answers

I stumbled upon this thread looking for a solution for the same problem.

So far I'm inclined to use another simpler solution. To obtain a 32-bit kernel proc address, the 64-bit process can just execute a 32-bit program that will look up the proc addresses for us:

#include <Windows.h>

int main(int argc, const char**)
{
    if(argc > 1)
        return (int) LoadLibraryA;
    else
        return (int) GetProcAddress;
}
like image 95
zah Avatar answered Sep 28 '22 06:09

zah