Hello Profaners..
Does anyone feel like testing whether [...] is fixed on XP at all?
- Programming a service isn't strictly necessary for this: start a normal program with RUN AS (also possible with PrivAktivate) as Admin and run the attacker program in an account with restricted rights.
- Insert a timer into the main program (which of course must have a window).
- In the attacker program, write a procedure that displays a message box, but don't execute the proc.
- Determine the address of the procedure with ProcAddr.
- Send WM_TIMER with the address of the attacker program's procedure to the main program via PostMessage (or maybe SendMessage).
Does that work???
Why it didn't work is, I think, now clear to me:
[quote=Frank Abbing]Hello,
the address can't really be a virtual address, because it can be jumped to directly. I can also put the procedure directly in my code and start it.[/quote]
No problem in your own process - but in a foreign one? The code you want to execute is in your own process space, and each process has its own virtual memory area...
[quote=Frank Abbing]I rather suspect that Windows checks whether the memory that is to be executed belongs to the program, i.e. was allocated by the program.[/quote]
I hope we're not talking past each other: since a processor can only ever execute one process at a time, I could well imagine that the code to be executed is physically located, at the moment it is supposed to be available to the processor as program code for execution, in RAM regions where it is of no use at all as executable code. So you first have to get the code to be executed into the memory area of the process to be attacked. And this is where the debugger comes into play - meaning the APIs for debugging programs can inject a DLL into the memory area of a foreign process, not a program. There are several possibilities for injecting a DLL - the author seems to have found a possibility here that is only insufficiently secured by privileges and access rights. At the moment, though, I'm quite sure that at least the process to be attacked must have certain security flaws that allow the injection.
[quote=Frank Abbing]There are probably a multitude of ways to tell another task an address.[/quote]
Yes, among other things subclassing.
So - I think I've figured out how he did it. Will test it sometime next year...
The actual problem is that every process has its own virtual memory area. So if I want a foreign process to execute my code, that code has to be located in the memory of the process that is supposed to execute it. But how do I get code into a foreign process? That's actually the smaller problem: every control to which I can somehow send contents via a message offers this possibility - the simplest way is with a MultiEdit (which of course must already exist in the process). Via WM_SETTEXT you can send text to a MultiEdit, which is then visible and editable in the edit - but why only text, why not DLL code? If I send a DLL (not from the hard disk, of course, but out of the memory of my own process) to the MultiEdit of the foreign process, the DLL is then in the memory area of the foreign process and can now also be addressed via WM_TIMER (so far only dry runs, since I can't do MASM, but it should work). Via EM_GETHANDLE you can then determine the handle of the text (the DLL) in the edit - well, then comes the actual problem: I don't need the handle, but the address. With the following code let's now poke around a bit at the address - under 2000/XP of course:

```
Windowstyle 31
Windowtitle "Multiedit"
Window 0,0-640,440
Def @GlobalSize(1) !"KERNEL32","GlobalSize"
Def @GlobalLock(1) !"KERNEL32","GlobalLock"
Def @CopyMemory(3) !"KERNEL32","RtlMoveMemory"
Def @GlobalReAlloc(3) !"KERNEL32","GlobalReAlloc"
Def @SetParent(2) !"USER32","SetParent"
Declare Edit&,Text$,Addr&,Handle&,Text#
Dim Text#,256
' Test control: the MultiEdit whose text buffer we want to locate
Let Edit&=@CreateMultiEdit(%HWND,"Test ",20,130,200,200)
Let Text$="ABCD"
' $BD = EM_GETHANDLE: returns the global memory handle of the edit's text buffer
Let Handle&=@SendMessage(Edit&,$BD,0,0)
Print "Handle des Edits: "+@Str$(Edit&)
SetText Edit&,@Str$(Handle&)
' Manual entry left over from experimenting; overwritten by GlobalLock below
Let Addr&=@Val(@Input$("Adresse des Edits:","Addresse",""))
' GlobalLock turns the handle into the buffer address (valid in our own process only)
Let Addr&=@GlobalLock(Handle&)
@CopyMemory(Addr&,@Addr(Text$),32)
@CopyMemory(Text#,Addr&,32)
Print "Adresse: "+@Str$(Addr&)
Print "Breichshandle: "+@Str$(Handle&)
Print "Kopierter Text: "+@String$(Text#,0)
Print "Bereichgröße: "+@Str$(@GlobalSize(Handle&))+" Bytes"
Dispose Text#
While 0=0
Waitinput
Wend
```
Since Profan is a bit wasteful with heaps, you should compile the code with Profan2Cpp. For me the whole thing then looks roughly like this:
[Image 1]
The handle of the text is shown here in the edit. Now we start [...], select the test process with the MultiEdit and list its heaps.
[Image 2]
Now we just pretend the text handle (44630028 for me) is an address and have [...] read the doubleword at that address.
[Image 3]
[Image 4]
The result for me: X1=38184920. Now we pretend in turn that 38184920 is an address, look under the heaps to see whether we find this address somewhere, and have the contents of the heap block displayed as a string:
[Image 5]
As you can see, we have found the address of the text in the edit! This address can be taken as the offset for the function we later want to address in the foreign process via WM_TIMER. In addition, the address of the function to be executed relative to the start of the DLL has to be added - [...] shows that (hopefully) quite nicely => the address for WM_TIMER is ready!
As administrator all of this is no problem - but to read process memory I need PROCESS_VM_READ and PROCESS_VM_OPERATION, and as a user with restricted rights I definitely don't have these rights! ...But under what conditions does the address change at all??? Let's see: I restart the process => same address! So the address seems to be the next free address and isn't chosen at random. I enter more than 32 characters into the edit => new address - that's clear: if more contiguous memory is used and it isn't available at that location, the address has to change too. But everything that is written into the heap beforehand (and changes) can shift the address as well. In our case the address lies in the first heap, the process's default heap. Let's look at what else is located near this address. Here are a few excerpts:
G : W I n n T s y s t e m 3 2 W I n M M . D L L => name of a DLL loaded by the process
F:EIGENESTasks and TokenMultiedit_cppMultiedit.exe => started process with parameters
E G I s T R Y u s E R s - 1 - 5 - 2 1 - 8 6 1 5 6 7 5 0 1 - 1 0 6 0 2 8 4 2 9 8 - 1 9 5 7 9 9 4 4 8 8 - 1 0 0 0 => user string SID
I've also already found a process's environment variables in heaps. As you can already see here, the address is system-dependent, so it's not so easy to write a reasonable application that cracks any computer from a normal user account without further ado and without crashing it umpteen (thousand) times first. That might be the reason why Microsoft didn't react much to the article that was the starting point of this posting - but the basic statement of that article was a different one, namely that overall it is a security risk to be allowed to send messages to other programs unasked; and I wholeheartedly agree with that now...
And for whoever is wondering why I've written so much nonsense here: I've just shown, on the side, a possibility for DLL injection that of course works with other controls than a MultiEdit too.
I probably have to revise somewhat what I stated in my last posting. The following consideration: the text of the edit always lands in the first heap. The start address of the first heap (here practically the handle) should always lie at the same place on the same operating system (and thus on different computers). I've experimented a bit with WM_TIMER under Windows 2000... If parameter four points to a non-readable area, an access violation obviously occurs. But if parameter four points to readable areas that don't contain executable code, apparently no serious error occurs. Theoretically it should therefore be possible to take the start address (the handle) of the first heap as the starting point and to add one byte each time the message is sent until WM_TIMER executes the code.. The start address of the heap could be obtained from another computer on which the same application runs. Even with XProfan that should be manageable at acceptable speed. I'm currently busy with other things and unfortunately can't test this further yet, but since I've got enough working code here, I will rebuild the Shatter attack sometime soon. It won't be anything very spectacular, and the DLL that gets executed will be the test DLL with the message box that Frank kindly programmed for me - but I'd still like to ask whether I may even post such a program here?
Frank Abbing: Well, that question is probably more for iF. I'd be interested in your test anyway.
Mmmh - after some euphoria I'm losing faith in the truthfulness of the article's statements again by the minute. The smallest hurdle (- which I haven't overcome yet at the moment -) would be inserting null bytes into the edit without having the PROCESS_VM_WRITE right; but there is still a lot more in the way...
Let's recap: how big are the chances that you can really crack an actual computer with this method? Take a look with TNT at the processes that run on your computer in the system account - because that's what this is about. Do you see any such service anywhere that owns an edit or a MultiEdit??? If you read my other post carefully and experiment a bit with TNT yourself, you'll probably very quickly find that any . developments are not usable for such activities (so don't be a bad guy). What interests me about this topic is the possibility of DLL injection as administrator into a process that isn't a service - but even there I currently see problems for which there is no solution yet...
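The question above (is there a SYSTEM service on this machine that exposes an edit control?) is exactly the precondition an administrator should check for. The following PowerShell script is an added example, not code from the thread or from TNT; it lists services that run as LocalSystem with the "interact with desktop" flag set and whether their process currently owns a top-level window. Run it in an elevated PowerShell.

```powershell
# Added example (not from the thread): find LocalSystem services that are
# marked interactive and whose process owns a visible top-level window.
# Such a window is what lets a message from a low-privilege session reach
# a SYSTEM process, which is the setup the discussion above relies on.
function Get-ShatterExposedService {
    [CmdletBinding()]
    param()

    # Win32_Service exposes both the account (StartName) and the
    # SERVICE_INTERACTIVE_PROCESS flag (DesktopInteract).
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract -and $_.StartName -eq 'LocalSystem' }

    foreach ($svc in $services) {
        $hasWindow   = $false
        $windowTitle = $null
        if ($svc.ProcessId -gt 0) {
            $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
            # MainWindowHandle is zero for processes without a top-level window.
            if ($proc -and $proc.MainWindowHandle -ne [IntPtr]::Zero) {
                $hasWindow   = $true
                $windowTitle = $proc.MainWindowTitle
            }
        }
        [pscustomobject]@{
            Service     = $svc.Name
            State       = $svc.State
            ProcessId   = $svc.ProcessId
            HasWindow   = $hasWindow
            WindowTitle = $windowTitle
            Path        = $svc.PathName
        }
    }
}

# Anything with HasWindow = True deserves a hard look: clear the interactive
# flag (sc.exe config <name> type= own), move the UI into a separate
# non-privileged process, or run the service under a restricted account.
Get-ShatterExposedService | Sort-Object HasWindow -Descending | Format-Table -AutoSize
```

On Vista and later, Session 0 isolation keeps service windows off the interactive desktop, so hits here mainly matter on the Windows 2000/XP systems the thread discusses.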
[quote=Frank Abbing]Well, that question is probably more for iF. I'd be interested in your test anyway.[/quote]
Mmh... - for the time being I won't hand out code for DLL injections yet. At least what TNT does should be easy for you two to reproduce without problems even without code; I'm also happy to answer direct questions sent to my mail address.
Greetings
AH
To conclude, as a demonstration of what was actually possible, here's something more on this topic. Since I'd rather not distribute the small application I wrote for this, it's in the form of an animation:
Luckily that's an old Windows anyway ;)
Fact is that for years (XP too) it was possible for a normal employee to undermine any company computer (and under XP even more easily than under Windows 2000). Fact is also that nothing has changed in the basic principle of Windows. Whether further undocumented messages with the same capability are still hidden somewhere in the OS is also not certain. EM_SETWORDBREAKPROC and other messages, as far as I know, haven't even been fixed yet. Fact is also that on many (commercially used too) computers outdated service packs are still running - see my test in the internet café.
So Shatter is a story that everyone should keep a very close eye on - especially when it comes to newer operating systems. I find it particularly explosive that it isn't even necessary to smuggle code into foreign applications via a message - the possibility of jumping to code is always enough!
I forgot something there.
On top of that, it may not only be the launched foreign code that can be dangerous - it's e.g. also possible to read out foreign processes via messages (WinXP?) without any rights.