Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Sharing memory between two processes (C, Windows)

Since I haven't found an answer to the question asked previously here I'm trying a different approach.

Is there any way to share memory between two processes?

The second process gets the information from an injection since it's a legacy program that it's not being supported anymore.

My idea is to inject some code there, in the struct that I am passing to the injected program pass the address (or whatever) to the share memory where the data I need to run is located. Once I get the data I will populate my own variables inside the injected thread.

Is this possible? How?

Code is appreciated.

EDIT:

I think it's not clear so I'll clarify. I do know how to inject. I am doing it already. The issue here is to pass dynamic data to the injection.

like image 324
wonderer Avatar asked Jul 29 '09 15:07

wonderer


People also ask

How can we share the memory between two processes?

The user just writes data to the process memory, and the operating systems dumps the data to the file. When two processes map the same file in memory, the memory that one process writes is seen by another process, so memory mapped files can be used as an interprocess communication mechanism.

How do I create a shared memory in Windows?

File mapping can be used to share a file or memory between two or more processes. To share a file or memory, all of the processes must use the name or the handle of the same file mapping object. To share a file, the first process creates or opens a file by using the CreateFile function.

How is IPC using shared memory done?

Two functions shmget() and shmat() are used for IPC using shared memory. shmget() function is used to create the shared memory segment, while the shmat() function is used to attach the shared segment with the process's address space.


1 Answers

Although windows supports shared memory through its file mapping API, you can't easily inject a shared memory mapping into another process directly, as MapViewOfFileEx does not take a process argument.

However, you can inject some data by allocating memory in another process using VirtualAllocEx and WriteProcessMemory. If you were to copy in a handle using DuplicateHandle, then inject a stub which calls MapViewOfFileEx, you could establish a shared memory mapping in another process. Since it sounds like you'll be injecting code anyway, this ought to work well for you.

To summarize, you'll need to:

  • Create an anonymous shared memory segment handle by calling CreateFileMapping with INVALID_HANDLE_VALUE for hFile and NULL for lpName.
  • Copy this handle into the target process with DuplicateHandle
  • Allocate some memory for code using VirtualAllocEx, with flAllocationType = MEM_COMMIT | MEM_RESERVE and flProtect = PAGE_EXECUTE_READWRITE
  • Write your stub code into this memory, using WriteProcessMemory. This stub will likely need to be written in assembler. Pass the HANDLE from DuplicateHandle by writing it in here somewhere.
  • Execute your stub using CreateRemoteThread. The stub must then use the HANDLE it obtained to call MapViewOfFileEx. The processes will then have a common shared memory segment.

You may find it a bit easier if your stub loads an external library - that is, have it simply call LoadLibrary (finding the address of LoadLibrary is left as an exercise to the reader) and do your work from the library's dllmain entry point. In this case using named shared memory is likely to be simpler than futzing around with DuplicateHandle. See the MSDN article on CreateFileMapping for more details, but, essentially, pass INVALID_HANDLE_VALUE for hFile and a name for lpName.

Edit: Since your problem is passing data and not actual code injection, here are a few options.

  1. Use variable-sized shared memory. Your stub gets the size and either the name of or a handle to the shared memory. This is appropriate if you need only exchange data once. Note that the size of a shared memory segment cannot be easily changed after creation.
  2. Use a named pipe. Your stub gets the name of or a handle to the pipe. You can then use an appropriate protocol to exchange variable-sized blocks - for example, write a size_t for length, followed by the actual message. Or use PIPE_TYPE_MESSAGE and PIPE_READMODE_MESSAGE, and watch for ERROR_MORE_DATA to determine where messages end. This is appropriate if you need to exchange data multiple times.

Edit 2: Here's a sketch of how you might implement handle or pointer storage for your stub:

.db B8            ;; mov eax, imm32 .dl handle_value  ;; fill this in (located at the start of the image + one byte) ;; handle value is now in eax, do with it as you will ;; more code follows... 

You could also just use a fixed name, which is probably simpler.

like image 197
bdonlan Avatar answered Sep 28 '22 01:09

bdonlan