Manual Code Injection

a guest
Feb 24th, 2012
Open Notepad.exe with OllyDbg. Once it is loaded, highlight all the code up to the first "CALL" procedure you see. Right-click, then copy the highlighted lines to a text editor for later. Remember that the first line is the original entry point (OEP).

Example:

0100739D > $ 6A 70          PUSH 70 (OEP)
0100739F . 68 98180001      PUSH notepad.01001898
010073A4 . E8 BF010000      CALL notepad.01007568

Scroll down until you reach the end of the code and the beginning of the code caves (DB 00). Select as many empty lines as you need, right-click, then choose "Binary" and "Edit". Type your function(s) into the "ASCII" box and click "OK". Once that is done, press Ctrl+A to assemble the code. Make a note of the first address (01008748) where your function(s) start.

Example:

01008748 ASCII "cmd /c start calc.exe"

Now, under your function, select empty line(s) where the API call that takes your function address will go. Press "a", type in your code, then click "Assemble".

Example:

0100877D PUSH 0
0100877E PUSH 01008748 (function address)
0100877F CALL WinExec

In the CPU window, right-click, select "Go to", then "Origin". That takes you back to the original entry point. Double-click the entry point, replace it with a jump to the first line of your function, then click "Assemble" again.

Example:

JMP 0100877D

Now compare the code you copied into your text editor with the new code you just replaced the OEP with. You will see that two lines of code have been changed.

Example:

PUSH 70
PUSH notepad.01001898

Highlight the new jump entry point you made and press Enter. This takes you to the function you created. Right under your API call (don't skip a DB 00), highlight three empty lines and press "a". Now put back all the code that was changed, together with the first CALL procedure you also copied down, but make the "CALL notepad.01007568" procedure a jump.

Example:

PUSH 70
PUSH 01001898
JMP 010073A4

Now right-click in the CPU window and select "Copy to executable", then "All modifications". Click "Copy all". A new window pops up; close it. It asks whether you want to save these changes: click "Yes" and save the new executable. Run the new executable and it should run your injected code. This will run Calculator.
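The edits above leave a fingerprint that can be checked on disk without running the file: the entry point no longer begins with the original prologue but with a near JMP whose target lies past the section's VirtualSize, in the zero padding the walkthrough calls a code cave. The following Python script is an added example written for this page, not code from the original post or from OllyDbg: it builds a constructed single-section PE32 image (image base 0x01000000 to match the addresses quoted above; every other layout value is an assumption), applies the same prologue-to-cave JMP the walkthrough ends with, and audits the entry point of both the clean and the patched image. The names build_pe, parse_pe, audit_entry_point and make_samples are hypothetical.

```python
import struct
from dataclasses import dataclass

# Layout of the constructed sample image (assumed values; the image base matches
# the notepad.exe addresses quoted in the walkthrough, 0x01000000).
IMAGE_BASE = 0x01000000
TEXT_RVA = 0x1000        # RVA of the single .text section
TEXT_RAW_OFF = 0x200     # file offset of its raw data
TEXT_RAW_SIZE = 0x200    # SizeOfRawData; everything past VirtualSize is padding

# The three OEP instructions quoted in the walkthrough (PUSH 70 / PUSH 01001898 /
# CALL 01007568), re-encoded as a constructed 12-byte prologue.
CLEAN_PROLOGUE = bytes.fromhex("6A70" "6898180001" "E8BF010000")


@dataclass
class Section:
    name: str
    va: int
    vsize: int
    raw_off: int
    raw_size: int

    @property
    def end(self) -> int:
        # Last RVA the file actually backs with bytes.
        return self.va + max(self.vsize, self.raw_size)

    def contains(self, rva: int) -> bool:
        return self.va <= rva < self.end

    def in_slack(self, rva: int) -> bool:
        # Past VirtualSize but still inside the raw data: the "DB 00" code-cave area.
        return self.va + self.vsize <= rva < self.end


def build_pe(code: bytes, vsize=None) -> bytes:
    """Build a minimal single-section PE32 file (constructed test image, not a real binary)."""
    vsize = len(code) if vsize is None else vsize
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, TEXT_RVA)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", vsize, TEXT_RVA, TEXT_RAW_SIZE,
                       TEXT_RAW_OFF, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    headers += b"\0" * (TEXT_RAW_OFF - len(headers))
    return headers + code + b"\0" * (TEXT_RAW_SIZE - len(code))


def parse_pe(data: bytes):
    """Return (entry RVA, image base, sections) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_off = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode(), va, vsize, raw_off, raw_size))
    return entry, base, sections


def audit_entry_point(data: bytes) -> list:
    """Flag an entry point that was redirected into section padding."""
    entry, base, sections = parse_pe(data)
    findings = []
    sec = next((s for s in sections if s.contains(entry)), None)
    if sec is None:
        return ["entry point %08X is outside every section" % (base + entry)]
    if sec.in_slack(entry):
        findings.append("entry point %08X sits in the padding of %s" % (base + entry, sec.name))
    off = sec.raw_off + (entry - sec.va)
    if data[off] == 0xE9:                                       # near JMP rel32
        rel = struct.unpack_from("<i", data, off + 1)[0]
        target = (entry + 5 + rel) & 0xFFFFFFFF
        tsec = next((s for s in sections if s.contains(target)), None)
        if tsec is None:
            findings.append("entry point JMP to %08X leaves every section" % (base + target))
        elif tsec.in_slack(target):
            findings.append("entry point JMP to %08X lands in the padding of %s" % (base + target, tsec.name))
        else:
            findings.append("entry point begins with JMP to %08X" % (base + target))
    return findings


def make_samples():
    """Constructed clean image and the same image after the walkthrough's OEP edit."""
    clean = build_pe(CLEAN_PROLOGUE)
    cave_rva = 0x1100                                     # inside the .text padding
    code = bytearray(CLEAN_PROLOGUE)
    # Replace the first 5 bytes of the prologue with JMP cave (the two "changed lines").
    code[:5] = b"\xE9" + struct.pack("<i", cave_rva - (TEXT_RVA + 5))
    # Cave: displaced PUSH 70 / PUSH 01001898, then JMP back to the original CALL.
    back_rel = (TEXT_RVA + 7) - (cave_rva + 7 + 5)
    cave = CLEAN_PROLOGUE[:7] + b"\xE9" + struct.pack("<i", back_rel)
    code += b"\0" * (cave_rva - TEXT_RVA - len(code)) + cave
    patched = build_pe(bytes(code), vsize=len(CLEAN_PROLOGUE))
    return clean, patched


if __name__ == "__main__":
    for label, image in zip(("clean", "patched"), make_samples()):
        print(label, audit_entry_point(image) or ["no findings"])
```

The parser reads only the PE32 fields it needs, so a real scanner would also handle PE32+ (ImageBase is 8 bytes at a different offset there), walk short JMPs and JMP chains, and compare the entry-point bytes against a known-good copy of the binary, since a cave that starts inside VirtualSize would pass the padding check alone.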
  69.  
by Huxley