Swap Mouse Buttons
In the previous practice, the injected shellcode runs only once and then exits. In contrast, most practical viruses and malware stay resident in memory. In this practice you will see a more practical shellcode that stays in memory during the execution of the injected process.
- Download and read the file code1.c. The function of code1.c is similar to that of code0.c. The code between the labels _start and _end, if injected, will swap the behaviors of the left and right mouse buttons in the injected process. Unlike in the previous practice, the shellcode remains in effect during the execution of the injected process.
- Compile the files code1.c and meminj.c:
    cl code1.c meminj.c user32.lib
- Run Notepad and then run code1.exe. Click the left and right mouse buttons in the editing area of Notepad and see what happens.
- Read code1.c again and find out why the shellcode can stay in memory and take effect.
- Use OllyDbg to debug Notepad and code0.exe. Observe the injection procedure and the instructions that execute when you click the mouse buttons in Notepad.