InjectDll is not perfect; it can itself be "worked around". A user-land hook/solution, the same. [Keep that in mind...]

cornflake wrote:
Thanks for working on it. Is there a simple description of the hole somewhere? I found the thread hard to follow.
It's the last slice of example code here.
Turn it into a more elegant enumeration, try each handle just, erm, handed to us... and do nasty (censored).
ASLR helps tremendously versus shellcode, but doesn't put a stop to anything.
We can best-guess and/or brute-force or, since we have been provided a HANDLE, ask Windows nicely for loaded module base addresses [I presume we can, because we have a process handle with memory write access granted, of all things!].
Rooted and kitted. The worst of it, you'll never, never know it's happened!
Windows' user-process security model sucks, allowing such things by default.
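An added example, not code from this thread or from InjectDll, for the point above: if a process HANDLE is handed to you, the first thing to do is audit what it actually grants. Memory write (PROCESS_VM_WRITE) is what makes injection possible, but listing module bases to beat ASLR needs a different pair of rights (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ), so the two checks are kept separate. On Windows the block asks the kernel for the real granted mask with NtQueryObject and for module base addresses with EnumProcessModulesEx; off Windows only the mask-decoding helpers build. The helper names (describe_access, can_inject, can_enumerate_modules) are mine, and the demo target is the current process rather than a received handle.

```c
/* Added example (not from the thread): audit a process HANDLE you were handed.
 * Helper names are hypothetical. Build on Windows with MinGW:
 *   gcc handle_audit.c -lpsapi -lntdll
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#include <psapi.h>
typedef DWORD access_mask_t;
#else
/* Off Windows, define the winnt.h PROCESS_* access bits ourselves (same values)
 * so the mask-decoding helpers still compile and run. */
typedef unsigned int access_mask_t;
#define PROCESS_TERMINATE                 0x0001
#define PROCESS_CREATE_THREAD             0x0002
#define PROCESS_VM_OPERATION              0x0008
#define PROCESS_VM_READ                   0x0010
#define PROCESS_VM_WRITE                  0x0020
#define PROCESS_DUP_HANDLE                0x0040
#define PROCESS_QUERY_INFORMATION         0x0400
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000
#endif

/* Rights classic CreateRemoteThread-style injection needs: allocate, write and
 * read the target's memory, then start a thread in it. */
#define INJECT_RIGHTS (PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_CREATE_THREAD)
/* Rights EnumProcessModulesEx needs before it will hand back module bases. */
#define ENUM_RIGHTS   (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ)

int can_inject(access_mask_t granted)            { return (granted & INJECT_RIGHTS) == INJECT_RIGHTS; }
int can_enumerate_modules(access_mask_t granted) { return (granted & ENUM_RIGHTS) == ENUM_RIGHTS; }

/* Writes the interesting bits of a granted mask as "A|B|C" into buf;
 * returns how many of those bits were set. */
int describe_access(access_mask_t granted, char *buf, size_t buflen)
{
    static const struct { access_mask_t bit; const char *name; } bits[] = {
        { PROCESS_VM_WRITE, "VM_WRITE" }, { PROCESS_VM_READ, "VM_READ" },
        { PROCESS_VM_OPERATION, "VM_OPERATION" }, { PROCESS_CREATE_THREAD, "CREATE_THREAD" },
        { PROCESS_DUP_HANDLE, "DUP_HANDLE" }, { PROCESS_TERMINATE, "TERMINATE" },
        { PROCESS_QUERY_INFORMATION, "QUERY_INFORMATION" },
        { PROCESS_QUERY_LIMITED_INFORMATION, "QUERY_LIMITED_INFORMATION" },
    };
    int n = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (granted & bits[i].bit) {
            if (n) strncat(buf, "|", buflen - strlen(buf) - 1);
            strncat(buf, bits[i].name, buflen - strlen(buf) - 1);
            n++;
        }
    }
    return n;
}

#ifdef _WIN32
/* Ask the kernel what the handle really grants; never trust the caller's word. */
static DWORD granted_access(HANDLE h)
{
    PUBLIC_OBJECT_BASIC_INFORMATION obi;
    ULONG len = 0;
    if (NtQueryObject(h, ObjectBasicInformation, &obi, sizeof obi, &len) != 0) return 0;
    return obi.GrantedAccess;
}

/* The "ask Windows nicely" step: module base addresses, i.e. what ASLR was hiding. */
static void list_modules(HANDLE h)
{
    HMODULE mods[512]; DWORD needed;
    if (!EnumProcessModulesEx(h, mods, sizeof mods, &needed, LIST_MODULES_ALL)) {
        printf("EnumProcessModulesEx failed: %lu\n", GetLastError());
        return;
    }
    for (DWORD i = 0; i < needed / sizeof(HMODULE) && i < 512; i++) {
        MODULEINFO mi; char name[MAX_PATH];
        if (GetModuleInformation(h, mods[i], &mi, sizeof mi) &&
            GetModuleBaseNameA(h, mods[i], name, sizeof name))
            printf("  %p  %s\n", mi.lpBaseOfDll, name);
    }
}

int main(void)
{
    /* Demo target: ourselves. In the thread's scenario h is the handle handed to us. */
    HANDLE h = GetCurrentProcess();
    DWORD g = granted_access(h);
    char desc[256];
    describe_access(g, desc, sizeof desc);
    printf("granted 0x%08lx (%s) inject=%d enum=%d\n", g, desc, can_inject(g), can_enumerate_modules(g));
    if (can_enumerate_modules(g)) list_modules(h);
    return 0;
}
#endif
```

The defensive reading of the same code: a process that hands out handles to its own process object should grant only what the recipient needs (PROCESS_QUERY_LIMITED_INFORMATION, say), because a handle carrying the INJECT_RIGHTS set is, as the post says, the whole hole.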