Executing remote sub/thread with BlackMagic menu

  1. #1 Burningmace (Member)

    Executing remote sub/thread with BlackMagic

    I've had a good look around and I can't seem to find any samples of how to execute a subroutine inside a process at runtime. I'm a decent C# programmer and I know my way around OllyDbg/IDA but I've not got as far as creating remote threads in this way.

    I'm just testing for the moment (WoW related stuff comes later) using Notepad. I used IDA Pro to find the address of the subroutine that makes a new document (File -> New).

    Here's what I got:

    Code:
    .text:0100800F
    .text:0100800F ; =============== S U B R O U T I N E =======================================
    .text:0100800F
    .text:0100800F ; Attributes: bp-based frame
    .text:0100800F
    .text:0100800F ; __stdcall New(x)
    .text:0100800F _New@4          proc near               ; CODE XREF: NPCommand(x,x,x)+2C52p
    .text:0100800F                                         ; sub_10058A7+E9p ...
    .text:0100800F
    .text:0100800F arg_0           = dword ptr  8
    .text:0100800F
    .text:0100800F                 mov     edi, edi
    .text:01008011                 push    ebp
    .text:01008012                 mov     ebp, esp
    .text:01008014                 push    ebx
    .text:01008015                 xor     ebx, ebx
    .text:01008017                 cmp     [ebp+arg_0], ebx
    .text:0100801A                 jz      short loc_100802A
    .text:0100801C                 push    ebx
    .text:0100801D                 call    _CheckSave@4    ; CheckSave(x)
    .text:01008022                 test    eax, eax
    .text:01008024                 jz      loc_10080DA
    .text:0100802A
    .text:0100802A loc_100802A:                            ; CODE XREF: New(x)+Bj
    .text:0100802A                 push    esi
    .text:0100802B                 mov     esi, ds:__imp__SendMessageW@16 ; SendMessageW(x,x,x,x)
    .text:01008031                 push    edi
    .text:01008032                 push    offset szOtherStuff ; lParam
    .text:01008037                 push    ebx             ; wParam
    .text:01008038                 push    0Ch             ; Msg
    .text:0100803A                 push    _hwndEdit       ; hWnd
    .text:01008040                 call    esi ; SendMessageW(x,x,x,x) ; SendMessageW(x,x,x,x)
    .text:01008042                 push    _szUntitled     ; pszSrc
    .text:01008048                 mov     edi, offset _szFileName
    .text:0100804D                 push    104h            ; cchDest
    .text:01008052                 push    edi             ; pszDest
    .text:01008053                 mov     _fUntitled, 1
    .text:0100805D                 call    _StringCchCopyW@12 ; StringCchCopyW(x,x,x)
    .text:01008062                 push    edi             ; lpString1
    .text:01008063                 call    _SetTitle@4     ; SetTitle(x)
    .text:01008068                 push    ebx             ; lParam
    .text:01008069                 push    ebx             ; wParam
    .text:0100806A                 push    0B1h            ; Msg
    .text:0100806F                 push    _hwndEdit       ; hWnd
    .text:01008075                 call    esi ; SendMessageW(x,x,x,x) ; SendMessageW(x,x,x,x)
    .text:01008077                 push    ebx             ; lParam
    .text:01008078                 push    ebx             ; wParam
    .text:01008079                 push    0B7h            ; Msg
    .text:0100807E                 push    _hwndEdit       ; hWnd
    .text:01008084                 call    esi ; SendMessageW(x,x,x,x) ; SendMessageW(x,x,x,x)
    .text:01008086                 push    2               ; uFlags
    .text:01008088                 push    2               ; uBytes
    .text:0100808A                 push    _hEdit          ; hMem
    .text:01008090                 call    ds:__imp__LocalReAlloc@12 ; LocalReAlloc(x,x,x)
    .text:01008096                 cmp     eax, ebx
    .text:01008098                 jz      short loc_100809F
    .text:0100809A                 mov     _hEdit, eax
    .text:0100809F
    .text:0100809F loc_100809F:                            ; CODE XREF: New(x)+89j
    .text:0100809F                 push    _hEdit          ; hMem
    .text:010080A5                 call    ds:__imp__LocalLock@4 ; LocalLock(x)
    .text:010080AB                 xor     ecx, ecx
    .text:010080AD                 mov     [eax], cx
    .text:010080B0                 push    _hEdit          ; hMem
    .text:010080B6                 call    ds:__imp__LocalUnlock@4 ; LocalUnlock(x)
    .text:010080BC                 push    ebx             ; lParam
    .text:010080BD                 push    _hEdit          ; wParam
    .text:010080C3                 push    0BCh            ; Msg
    .text:010080C8                 push    _hwndEdit       ; hWnd
    .text:010080CE                 call    esi ; SendMessageW(x,x,x,x) ; SendMessageW(x,x,x,x)
    .text:010080D0                 xor     eax, eax
    .text:010080D2                 pop     edi
    .text:010080D3                 mov     _szSearch, ax
    .text:010080D9                 pop     esi
    .text:010080DA
    .text:010080DA loc_10080DA:                            ; CODE XREF: New(x)+15j
    .text:010080DA                 pop     ebx
    .text:010080DB                 pop     ebp
    .text:010080DC                 retn    4
    .text:010080DC _New@4          endp
    Hex-Rays says the following:
    Code:
    int __stdcall New(int a1)
    {
      int result; // eax@2
      HLOCAL v2; // eax@3
    
      if ( !a1 || (result = CheckSave(0)) != 0 )
      {
        SendMessageW(hwndEdit, 12u, 0, (LPARAM)&szOtherStuff);
        fUntitled = 1;
        StringCchCopyW(&szFileName, 0x104u, szUntitled);
        SetTitle(&szFileName);
        SendMessageW(hwndEdit, 0xB1u, 0, 0);
        SendMessageW(hwndEdit, 0xB7u, 0, 0);
        v2 = LocalReAlloc(hEdit, 2u, 2u);
        if ( v2 )
          hEdit = v2;
        *(_WORD *)LocalLock(hEdit) = 0;
        LocalUnlock(hEdit);
        SendMessageW(hwndEdit, 0xBCu, (WPARAM)hEdit, 0);
        result = 0;
        szSearch = 0;
      }
      return result;
    }
    From this code, I assume that passing a parameter of 0 will automatically create a new document without asking if I want to save the old one.

    What I have a problem with is getting this to launch through C# with BlackMagic. I've tried both Execute(0x0100800F, 0); and CreateRemoteThread(0x0100800F, 0); and both just crash the Notepad process. I've also tried something similar with VLC Media Player with the same results. Where am I going wrong?

  2. #2 flo8464 (Active Member)
    Passing 0 to that function will make the function do nothing; take a look at the first if.
    Hey, it compiles! Ship it!

  3. #3 Burningmace (Member)
    Shouldn't "if(!a1)" return true if a1 is 0?

    Either way, it shouldn't crash it. I noticed after reloading Notepad in IDA that all the addresses are different. I re-launched several times and found that the New procedure is always 0x6C0A away from the entry point. I've tried modifying my code to use something along the lines of "notepadProcess.MainModule.EntryPoint + 0x6C0A" for the address to be passed to CreateRemoteThread and Execute, but neither works; the process still crashes. I checked GetLastWin32Error and it returns 0.
    Last edited by Burningmace; 02-11-2010 at 11:28 AM.

  4. #4 MaiN (Elite User)
    Originally Posted by flo8464
    Passing 0 to that function will make the function do nothing; take a look at the first if.
    No.

    Originally Posted by Burningmace
    Shouldn't "if(!a1)" return true if a1 is 0?
    Yes.
    [16:15:41] Cypher: caus the CPU is a dick
    [16:16:07] kynox: CPU is mad
    [16:16:15] Cypher: CPU is all like
    [16:16:16] Cypher: whatever, i do what i want

  5. #5 Burningmace (Member)
    Thought I was right with that one. I updated my last post so just in case you missed it, please take a look. Any ideas?

  6. #6 MaiN (Elite User)
    How are you calling it? Need more info. Show some code.

  7. #7 Burningmace (Member)
    Here's my current code.

    Code:
                Process p = Process.Start("C:\\Windows\\notepad.exe");
                IntPtr entry = p.MainModule.EntryPointAddress;
                System.Threading.Thread.Sleep(5000);
                BlackMagic np = new BlackMagic(p.Id);
                // also tried np.CreateRemoteThread with same params
                uint result = np.Execute((uint)entry.ToInt32() + 0x6C0A, 0);
                return;

  8. #8 MaiN (Elite User)
    Aha. You have to call it yourself using ASM.
    np.Asm.Clear();
    np.Asm.AddLine("add ASM code here");
    np.Asm.InjectAndExecute();

    Check how other functions call it.

  9. #9 flo8464 (Active Member)
    Oh lol, I failed hard on that

    @MaiN: CreateRemoteThread should work fine on a __stdcall function taking exactly 1 argument.

  10. #10 Burningmace (Member)
    I'm still having problems. I was using the following:
    Code:
    np.Asm.Clear();
    np.Asm.AddLine("push 0h");
    np.Asm.AddLine("call _New@4");
    But that threw an exception. I figured it's probably because it doesn't know the _New@4 label, so I changed it to "call 0x" + addr.ToString("X"); but now it just crashes Notepad again.

    By the way, InjectAndExecute() takes a parameter called dwAddress. I assume I have to call AllocateMemory() to create some space?

    Here's my full code:
    Code:
                Process p = Process.Start("C:\\Windows\\notepad.exe");
                System.Threading.Thread.Sleep(5000);
                BlackMagic vlc = new BlackMagic(p.Id);
                uint entry = (uint)p.MainModule.EntryPointAddress.ToInt32() + 0x6C0A;
                vlc.Asm.Clear();
                vlc.Asm.AddLine("push 0h");
                vlc.Asm.AddLine("call 0x" + entry.ToString("X"));
                int sz = vlc.Asm.GetMemorySize();
                uint mptr = vlc.AllocateMemory(sz);
                vlc.Asm.InjectAndExecute(mptr);
                return;

  11. #11 Burningmace (Member)
    Sorry for the double post, but I got it working. Not sure why, but the method address no longer seems to change, and it just works if I use CreateRemoteThread(0x75800F, 0);

    Thanks for the help guys

    Just in case anybody reading this wants to know how to do it using CreateRemoteThread, here's the code...
    Code:
                Process p = Process.Start("C:\\Windows\\notepad.exe");
                System.Threading.Thread.Sleep(5000);
                BlackMagic vlc = new BlackMagic(p.Id);
                uint entry = 0x75800F; // absolute address of New() in this run (earlier computed as EntryPoint + 0x6C0A)
                vlc.CreateRemoteThread(entry, 0);
    And the same thing with Asm:
    Code:
                Process p = Process.Start("C:\\Windows\\notepad.exe");
                System.Threading.Thread.Sleep(5000);
                BlackMagic vlc = new BlackMagic(p.Id);
                vlc.Asm.Clear();
                vlc.Asm.AddLine("push 0h");
                vlc.Asm.AddLine("call 0x75800F");
                vlc.Asm.AddLine("retn 0"); // important - crashes without this!
                int sz = vlc.Asm.GetMemorySize();
                uint mptr = vlc.AllocateMemory(sz);
                vlc.Asm.InjectAndExecute(mptr);
    Last edited by Burningmace; 02-11-2010 at 12:04 PM.

  12. #12 MaiN (Elite User)
    vlc.Asm.Clear();
    vlc.Asm.AddLine("push 0");
    vlc.Asm.AddLine("call {0}", entry);
    vlc.Asm.AddLine("retn");

    And you're not freeing that memory.

  13. #13 Burningmace (Member)
    Ah, thank you. I've included the FreeMemory() call and it's all working perfectly. Thanks a lot

  14. #14 Burningmace (Member)
    Ok, now I'm officially confused. After trying this exact same code again, it no longer works and Notepad crashes. IDA also now says that New() is at 0x00A7800F, but even using that address doesn't work. Ideas?

    Update: Ignore me, I'm an idiot. All I needed to do is calculate the offset of the procedure from the base address and call it based on that... I think.
    Last edited by Burningmace; 02-11-2010 at 08:37 PM.
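Seen from the detection side (an added example, not code from this thread or from BlackMagic): both working variants in the thread leave a Sysmon Event ID 8 (CreateRemoteThread) record, and they differ in where the new thread starts, which is what the logic below keys on. A thread created directly at New() starts inside notepad.exe at an address that is not an export, while the Asm variant starts in memory obtained from AllocateMemory() that no module backs; the records, the key=value flattening and the file paths are constructed for this example.

```python
import re

# Constructed Sysmon-style Event ID 8 (CreateRemoteThread) records, flattened to
# key=value pairs for this example; not real telemetry. Record 0 mirrors
# CreateRemoteThread(0x75800F, 0) from post #11: notepad.exe at base 0x00750000 plus
# the RVA 0x800F of New() (0x0100800F - 0x01000000 in the IDA listing), a start inside
# a module but not at an export. Record 1 mirrors the Asm/InjectAndExecute variant
# (start in memory no module backs); record 2 starts at an export, for comparison.
SAMPLE_EVENTS = [
    "SourceImage=C:\\tools\\injector.exe TargetImage=C:\\Windows\\notepad.exe "
    "StartAddress=0x0075800F StartModule=C:\\Windows\\notepad.exe StartFunction=",
    "SourceImage=C:\\tools\\injector.exe TargetImage=C:\\Windows\\notepad.exe "
    "StartAddress=0x00A30000 StartModule= StartFunction=",
    "SourceImage=C:\\tools\\monitor.exe TargetImage=C:\\Windows\\notepad.exe "
    "StartAddress=0x7C801D7B StartModule=C:\\Windows\\System32\\kernel32.dll "
    "StartFunction=LoadLibraryW",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def parse_event(line):
    """Split one flattened record into a dict of Sysmon field name -> value."""
    return dict(FIELD_RE.findall(line))

def assess(event):
    """Return (severity, reason) based on where the remote thread starts."""
    module = event.get("StartModule", "")
    function = event.get("StartFunction", "")
    if not module:
        # InjectAndExecute shape: the stub lives in memory the injector allocated,
        # so no loaded module owns the start address.
        return ("high", "thread starts in memory no module backs")
    if not function:
        # Direct CreateRemoteThread at New(): inside a legitimate module but not at
        # an export, which other processes almost never target legitimately.
        return ("medium", "thread starts at non-exported address in " + module)
    # Exported start (e.g. LoadLibraryW): the classic DLL-injection shape, but also
    # what debuggers and monitoring tools do, so triage on SourceImage.
    return ("low", "thread starts at export " + function + "; review source")

def triage(lines):
    """Assess every record; return (severity, source, target, reason), worst first."""
    rows = []
    for line in lines:
        ev = parse_event(line)
        severity, reason = assess(ev)
        rows.append((severity, ev["SourceImage"], ev["TargetImage"], reason))
    return sorted(rows, key=lambda r: SEVERITY_ORDER[r[0]])
```

Real Sysmon output is XML or "Field: value" text rather than the flattened form used here, so only parse_event needs adapting to run this over a live export.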
