Injection exe into an existing process

Hey again. I have an executable which opens via the MS-DOS shell and just needs to be run. However, to make this program hidden, I need to start a new shell and change to the .exe's directory and open it then adding a /h to the command line. I would like to inject this executable into a process, explorer.exe specifically and have it start up when windows starts and to have it trust the program and not ask to unblock. Yet that is most likely a AV security measure and would depend on the AV to make that happen. So what I want to learn…:: Editing this executable to automatically use the /h feature (source not included) and then have it inject itself into the explorer.exe process. By then I would expect to have it hidden in say a bitmap image and work properly. This executable is just a simple netcat. Just not identified as netcat. Well please respond. How can I reverse engineer to get the source code or identify which source it is first? Could Olly help?

chronicburst wrote:

By then I would expect to have it hidden in say a bitmap image and work properly.

Well, to all of my knowledge I do not believe you can store a exe in a image, video, or sound file and still have it execute. From most common ways of crypto/segano it changes specific image bits to be slightly offset based on a password. There for the exe is stored but the data is not recognized by the computer. Though you can execute php from a jpg image but thats a little different method that doesn't work with exe files.

dammit got logged out when posted:( Anyway what you are trying to do is as far as I know only achievable through dll injection through windows api. That way you load the additional dynamic library to the running process subsequently executing it. You might want to check http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf

I'd say that you're overthinking this. Why not just make another exe which contains your first exe file, and which extracts it and adds it to autostart with the right arguments passed when you run it?

Uber0n wrote: I'd say that you're overthinking this. Why not just make another exe which contains your first exe file, and which extracts it and adds it to autostart with the right arguments passed when you run it?

Well true this would be easier, but it also results into additional process being called during startup, making it easier to spot. What you are talking about is simple trojan (bind shell to a port and throw it to startup folder), what chronicburst wants to do is conceal the process within another one, in order to hide it, which would also mean he doesn't have to worry about the startup, as the code would be ran with explorer.exe. It's actually quite sweet idea, gonna look more into it, so chronicburst if you make any progress, hit me up on msn, or send me a pm;)

Indeed. I want it to be concealed within another process, explorer.exe because it is always running. So I would want to hook it into the explorer. I would want this to be able to be setup through another file though so I can have remote users open.. say.. EXTREME CALCULATOR MAX++, and the netcat would be in there and hook into the explorer process. I would much rather have an image but it is understandable that they can execute commands. Well PHP, as I am told. Would be neat if could have a PHP execute a netcat into temporary internet files and then copy over to say /system32/ and hook into explorer. Too complicated I can see.

As far as I know it isn't possible to inject an exe into a process. But you can inject dlls. So why don't you simply write a dll which opens The exe. I think that should work.

So write an application that has the dll and the executable in it. So it has only to extract the files and inject the dll in the process you like.

NoPax wrote: As far as I know it isn't possible to inject an exe into a process. But you can inject dlls. So why don't you simply write a dll which opens The exe. I think that should work.

Dll injected into explorer process–>calls the netcat.exe–>netcat.exe executed however by default in different process… There may be way to fork it just to a different thread within the process but I haven't heard about anything like that. The only way to do exactly what OP proposes is to have a source code of that exe, compile it to dll and inject it into the explorer process, without source you are pretty much screwed

All right I thought it might work because you can make a dll to execute an file. Yeah with the sourcecode of the other app it would be very easy xD

All righty, so make my own netcat in which i can telnet into on a specific port, hide it on a remote system in a pretty hidden area, make a dll that loads the netcat and will be run hiddenly via the dll through the process the dll is attached to. im sorry im a confuser, terribly head ache, hard to focus. migraines.

MoshBat wrote: [quote]chronicburst wrote: im sorry im a confuser, terribly head ache, hard to focus. migraines. Get off the computer. You're sat in front of a rapidly flashing image. Now, flashing images aren't that good for the brain over prolonged periods of time. Really, off the computer until your head has cleared. You'll be able to think things through better.[/quote]

Only CRT monitors function in that way…