DLL Injection with CreateRemoteThread

  • Published on 21 Jan 2025

Comments • 42

  • @logicchild (1 year ago, +5)

    Great as usual :), I created a similar injector but in C#; the important thing here is that you need to create two versions of the injector: an x64 one to inject into x64 processes, and an x86 one to inject into x86 processes.

  • @nikos4677 (10 months ago, +2)

    Dude, you explained some things I didn't know and it really helped, thanks. Most YouTubers ignore some important details and it's annoying.

  • @crr0ww (1 year ago, +6)

    I learned a lot from this! Thank you, you're a legend :)

    • @faanross (9 months ago)

      Ain't he just?

  • @FJProject (16 days ago)

    Does this technique work if the injector app is 64-bit but the target process and DLL are 32-bit?
    Or do I need to use a proxy 32-bit process?

    • @zodiacon (16 days ago)

      It can't work with different DLL/process "bitness". You need a 32-bit version of the DLL to be injected into a 32-bit process.

    • @FJProject (15 days ago)

      @zodiacon Yes, I know that. I'm asking if I can inject a 32-bit DLL into a 32-bit process with a 64-bit injector, using this technique. Actually I tried and it doesn't give any error, but the DLL is not injected. Maybe I'm missing something.
      Upd: oh, because kernel32 does not have the same address in 32-bit and 64-bit process memory space.

    • @zodiacon (15 days ago)

      Correct. You need another way to find the address of the 32-bit LoadLibrary.

    • @FJProject (15 days ago)

      @zodiacon For now I'm using EnumProcessModulesEx to get the k32 address in the target process and add the LoadLibrary offset to it.

  • @logicchild (1 year ago, +2)

    Could you please create a tutorial for a mini driver to inject this DLL into any user-mode process when it starts 🙏

    • @zodiacon (1 year ago, +2)

      There are such examples on Github... for now, I'll stick with simpler things :)

    • @marq4375 (1 year ago, +1)

      Hey Pavel, big fan! I have some of your books and also your Pentester Academy Windows series. Glad to see you on TH-cam. If you make a Patreon I'd be interested in donating! Thanks again, you're a master at this!

    • @zodiacon (1 year ago, +1)

      Happy to receive support! patreon.com/zodiacon

    • @tomifilep1 (4 months ago)

      I bet you want to make a CS:GO cheat xd

  • @apaatutu9709 (1 year ago, +1)

    Thanks a lot, great help to me.

  • @byronramirez681 (a month ago)

    Great work!

  • @nazmdar (5 months ago)

    Thanks for your nice explanation.
    Does this technique work even if "Address space layout randomization" is enabled? Is the address of "LoadLibraryA" the same in the virtual address space of all processes?

    • @zodiacon (5 months ago)

      @nazmdar Yes.

  • @tomifilep1 (4 months ago)

    And what happens if nothing happens? I mean the code compiled without error, but when I try to inject, nothing happens: no error, it prints nothing, and all antivirus is off!! Any idea?

    • @zodiacon (4 months ago, +1)

      Make sure you inject a 64 bit DLL into a 64-bit process or 32-bit DLL into a 32-bit process.
      Other than that, you can use Process Monitor to see if the DLL is loaded, if the thread is created, etc.

    • @tomifilep1 (4 months ago, +1)

      @zodiacon Yeah, thanks, I solved it. I tried another injector and that injector told me "you are dumb, you want to inject 32-bit into a 64-bit" :D

  • @the_musaic (2 months ago)

    Hi, thanks for such a great explanation. I have a question:
    When I run Notepad, will the corresponding message box always appear?

    • @zodiacon (2 months ago, +1)

      No, you need to inject with the correct process ID.

  • @kaolungservice (1 year ago, +1)

    Thanks for sharing, good man.

  • @itf_ph3r0x41 (1 year ago, +1)

    Hey Pavel, great video showing some basics; that's often underrated.
    If you wouldn't mind, could you help me out with a little problem that I am facing right now?
    I want to get a better understanding of the entire user-mode concept in Windows; I also bought the Windows Internals books and partially read them.
    So my problem is that I want to perform accurate handle enumeration.
    There is a user-mode process that is creating a lot of short-lived handles to scan memory regions of my process, but I can't find these handles using NtQuerySystemInformation with the SystemHandleInformation class.
    On the other hand, I know that the other process is also doing a user-mode handle enumeration to detect any opened handles to the process.
    So my question is, are there other ways to enumerate handles of a process in user mode? NtQuerySystemInformation gives us a list of all system handles, and each scan takes multiple seconds to traverse, which could be a reason why short-lived handles are not found...
    I really don't want to inject into the other process though and hook stuff; the goal was to perform a good handle enumeration externally.
    I hope you can give me a hint maybe :)
    But for now, thanks for everything,
    I'm a huge fan!

    • @zodiacon (1 year ago, +2)

      NtQuerySystemInformation is the way to go. There is no better way from user mode. Short-lived handles are just that - enumeration has nothing to do with that. It captures what exists at enumeration time. With a kernel driver, you could intercept opening handles to processes, for example.

    • @itf_ph3r0x41 (1 year ago, +1)

      @zodiacon Alright, so I guess that detecting short-lived handles from user mode is a matter of timing and luck then. Would multithreaded scanning increase the probability of detecting these handles?

    • @zodiacon (1 year ago, +2)

      Not really, there is internal locking happening anyway.

  • @batphamduong9700 (9 months ago)

    Hi Pavel, thanks for the tutorials... But all your tutorials inject into an already running process. How about creating a new process and injecting into it?
    My current problem is creating a new process (e.g. Notepad) and injecting into it... but sometimes it works... sometimes it doesn't... I don't know why... I just assume the DLL is injected when the Notepad process is not fully loaded.

    • @zodiacon (9 months ago)

      Usually injecting into a new process is much easier, because you have an all powerful handle to it (no need to call OpenProcess which may fail). If you create the process suspended and try to inject to it, it is likely to fail, because the process only has NtDll loaded into it.

    • @batphamduong9700 (9 months ago)

      @zodiacon So what is the solution?

    • @zodiacon (9 months ago)

      There is no "one, single" solution... do some research, try things out...

  • @fee171 (1 year ago, +1)

    Hey bro, if I subscribe to your Patreon, can you compile an injector for me?

    • @zodiacon (1 year ago)

      No... that's not the purpose of this channel.
      I'm sure you can find plenty elsewhere.

    • @zodiacon (1 year ago)

      The source code is provided at github.com/zodiacon/youtubecode

  • @karimnasser1031 (2 months ago)

    You explain very fast, and for most of the code I did not know what you did.

    • @zodiacon (2 months ago)

      I understand, sorry about that. Perhaps you can view it in slower motion.

  • @Pap3r_7163r (a month ago)

  • @CoolGamer6525 (6 months ago)

    Hi, is it possible to convert a DLL to an .exe trainer?

    • @zodiacon (6 months ago)

      Depends on what you mean by "convert". You can remove the DLL bit from the PE header, but the entry point will be DllMain, and that's not what is expected from an EXE, so it is likely to crash.
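Several threads above end the same way: a 32-bit DLL given to a 64-bit process (or the reverse) produces no error from the injector and no loaded module, and the last reply notes that the DLL flag lives in the PE header's Characteristics field. Both facts sit in the same two header structures, so the check a practitioner wants before pointing at any process is a header read. The following is an added example, not code from the video or from github.com/zodiacon/youtubecode: a small, portable C parser that reads the COFF Machine and Characteristics fields and the optional header's Magic word, reports whether an image is a 32-bit or 64-bit DLL, and refuses images whose Machine and Magic disagree. The `pe_build_sample` helper fabricates a constructed header (DOS stub plus NT headers, no sections) purely so the example runs offline; the constants are the documented IMAGE_FILE_MACHINE_*, IMAGE_FILE_DLL and PE32/PE32+ magic values. Treating an image without the DLL flag as "not loadable" is this check's own policy, chosen so the EXE case from the last comment shows up as a distinct result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the PE/COFF specification (IMAGE_FILE_MACHINE_*, IMAGE_FILE_DLL,
 * and the optional-header Magic words for PE32 and PE32+). */
#define PE_MACHINE_I386   0x014c
#define PE_MACHINE_AMD64  0x8664
#define PE_MACHINE_ARM64  0xaa64
#define PE_FILE_DLL       0x2000
#define PE_MAGIC_PE32     0x10b   /* 32-bit image */
#define PE_MAGIC_PE32PLUS 0x20b   /* 64-bit image */

struct pe_info {
    int      bits;     /* 32 or 64 */
    int      is_dll;   /* IMAGE_FILE_DLL set in Characteristics */
    uint16_t machine;  /* IMAGE_FILE_MACHINE_* value */
};

/* PE fields are little-endian regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse just enough of a PE image to learn its bitness and whether it is a DLL.
 * Returns 0 on success, -1 if the buffer is not a well-formed PE header. */
int pe_inspect(const uint8_t *buf, size_t len, struct pe_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;                                   /* no DOS header */
    uint32_t e_lfanew = rd32(buf + 0x3c);            /* file offset of "PE\0\0" */
    /* need signature (4) + COFF file header (20) + optional-header Magic (2) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2)
        return -1;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return -1;
    out->machine = rd16(nt + 4);                      /* COFF: Machine */
    uint16_t characteristics = rd16(nt + 4 + 18);     /* COFF: Characteristics */
    uint16_t magic = rd16(nt + 24);                   /* optional header: Magic */
    out->is_dll = (characteristics & PE_FILE_DLL) != 0;

    if (magic == PE_MAGIC_PE32)
        out->bits = 32;
    else if (magic == PE_MAGIC_PE32PLUS)
        out->bits = 64;
    else
        return -1;
    /* Machine and Magic must agree; a mismatch means a damaged or crafted header. */
    if ((out->machine == PE_MACHINE_I386) != (out->bits == 32))
        return -1;
    return 0;
}

/* Could a process of process_bits (32 or 64) load this image as a DLL?
 * 1 = yes, 0 = no (wrong bitness, or DLL flag not set), -1 = not a valid PE image. */
int pe_loadable_by(const uint8_t *buf, size_t len, int process_bits)
{
    struct pe_info info;
    if (pe_inspect(buf, len, &info) != 0)
        return -1;
    return info.is_dll && info.bits == process_bits;
}

/* Constructed sample: a minimal header (DOS stub + NT headers, no sections)
 * with the given fields, for demonstration only. */
size_t pe_build_sample(uint8_t *buf, uint16_t machine, uint16_t magic, uint16_t characteristics)
{
    memset(buf, 0, 0x80);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                                 /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = (uint8_t)machine;         buf[0x45] = (uint8_t)(machine >> 8);
    buf[0x56] = (uint8_t)characteristics; buf[0x57] = (uint8_t)(characteristics >> 8);
    buf[0x58] = (uint8_t)magic;           buf[0x59] = (uint8_t)(magic >> 8);
    return 0x80;
}

/* Build a sample image and ask whether a process_bits process could load it. */
int check_sample(uint16_t machine, uint16_t magic, uint16_t characteristics, int process_bits)
{
    uint8_t img[0x80];
    size_t n = pe_build_sample(img, machine, magic, characteristics);
    return pe_loadable_by(img, n, process_bits);
}

int main(void)
{
    printf("x64 DLL, x64 process:            %d\n", check_sample(PE_MACHINE_AMD64, PE_MAGIC_PE32PLUS, PE_FILE_DLL, 64));
    printf("x86 DLL, x64 process:            %d\n", check_sample(PE_MACHINE_I386,  PE_MAGIC_PE32,     PE_FILE_DLL, 64));
    printf("x64 image, DLL flag cleared:     %d\n", check_sample(PE_MACHINE_AMD64, PE_MAGIC_PE32PLUS, 0,           64));
    printf("Machine/Magic disagree:          %d\n", check_sample(PE_MACHINE_AMD64, PE_MAGIC_PE32,     PE_FILE_DLL, 64));
    return 0;
}
```

Run against a real file, `pe_inspect` takes the first few hundred bytes of the DLL read from disk; the target process's bitness comes from the host API (the comments above mention IsWow64Process-style checks indirectly through "64-bit process"), and a mismatch should be reported before any handle to the target is opened, which is exactly the error the bare CreateRemoteThread path never surfaces.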