Presentation is loading. Please wait.

Presentation is loading. Please wait.

Win32 Programming Lesson 22: DLL Magic Part Deux All your base are belong to us…

Published byClaire Marsh Modified over 9 years ago

Similar presentations

Presentation on theme: "Win32 Programming Lesson 22: DLL Magic Part Deux All your base are belong to us…"— Presentation transcript:

1 Win32 Programming Lesson 22: DLL Magic Part Deux All your base are belong to us…

2 Where are we?  We’ve looked at injection techniques in general  But now it’s time to get specific

3 Remind Me…  What’s the trick we’re trying to pull off?

4 Injecting DLLs using a Remote Thread  Remember, we’re trying to get a DLL into another process’ address space  One way to do this is to create a thread in a remote process  And Windows provides an easy way to do this…

5 So…  HANDLE CreateRemoteThread( HANDLE hProcess, PSECURITY_ATTRIBUTES psa, DWORD dwStackSize, PTHREAD_START_ROUTINE pfnStartAddr, PVOID pvParam, DWORD fdwCreate, PDWORD pdwThreadId);  Look familiar…?

6 Problems?  Troy, does this solve all our problems?  Casey?  Chris?  Invisible Dan? ……

7 Bingo!  This only works if we have code in the remote thread that we want to execute to load our Trojan DLL…  Hmmm… can we fix it?  How do you load a DLL during program execution?

8 Right: LoadLibrary  But LoadLibrary doesn’t exist (someone tell me why?)  So basically, we want to execute a line of code which looks like this: HANDLE hThread = CreateRemoteThread( hProcessRemote, NULL, 0, LoadLibraryA, "C:\\MyLib.dll", 0, NULL ); BUT this is still wrong… why?

9 Right: Real address  The address of LoadLibraryA as a function won’t be the same because of relocation  But the *real* address of LoadLibraryA in KERNEL32.DLL will be the same (provided it loads in the same location)  So, how do we get that?

10 Right: GetProcAddress…  GetProcAddress(GetModuleHandle(TEXT(" Kernel32")), "LoadLibraryA");  Easy eh?  Predicated on the identical loading of Kernel32… but that’s quite common  But it still doesn’t work right… there’s still one string attached to this idea…

11 Right: The STRING “c:\\mylib.dll”  The String exists in Process A’s address space, but we need it to exist in Process B’s  Hmmm  How can we fix that?

12 Right: VirtualAllocEx  Bingo!  PVOID VirtualAllocEx( HANDLE hProcess, PVOID pvAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect );

13 But we’re still not done  Processes boundaries stop one process writing to another…  So we need a function which can read and write Process memory  And Windows gives us such a function…

14 Memory…  BOOL ReadProcessMemory( HANDLE hProcess, PVOID pvAddressRemote, PVOID pvBufferLocal, DWORD dwSize, PDWORD pdwNumBytesRead ); BOOL WriteProcessMemory( HANDLE hProcess, PVOID pvAddressRemote, PVOID pvBufferLocal, DWORD dwSize, PDWORD pdwNumBytesWritten );

15 7 Step Process  Use the VirtualAllocEx function to allocate memory in the remote process’s address space.  Use the WriteProcessMemory function to copy the DLL's pathname to the memory allocated in step 1.  Use the GetProcAddress function to get the real address (inside Kernel32.dll) of the LoadLibraryA or LoadLibraryW function.  Use the CreateRemoteThread function to create a thread in the remote process that calls the proper LoadLibrary function, passing it the address of the memory allocated in step 1.

16 Continued…  Use the VirtualFreeEx function to free the memory allocated in step 1.  Use the GetProcAddress function to get the real address (inside Kernel32.dll) of the FreeLibrary function.  Use the CreateRemoteThread function to create a thread in the remote process that calls LoadLibrary function, passing the remote DLL's HINSTANCE.

17 Lastly…  hProcess = OpenProcess( PROCESS_CREATE_THREAD | // For CreateRemoteThread PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx PROCESS_VM_WRITE, // For WriteProcessMemory FALSE, dwProcessId );

18 Next: The Trojan DLL  Replace some DLL you want…  But you have to export all the same functions

19 Injecting a DLL via a Debugger  Tricky and processor-specific  But can work well, as Debuggers have special privileges

20 Injecting Via CreateProcess  Have your process spawn the child process suspended.  Retrieve the primary thread's starting memory address from the.exe module's file header.  Save the machine instructions at this memory address.  Force some hand-coded machine instructions at this address. The instructions should call LoadLibrary to load a DLL.  Resume the child process’s primary thread so that this code executes.  Restore the original instructions back into the starting address.  Let the process continue execution from the starting address as if nothing had happened

Download ppt "Win32 Programming Lesson 22: DLL Magic Part Deux All your base are belong to us…"

Similar presentations

Process A process is usually defined as an instance of a running program and consists of two components: A kernel object that the operating system uses.

Process A process is usually defined as an instance of a running program and consists of two components: A kernel object that the operating system uses.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Win32 Programming Lesson 8: Processes. Where are we?  We’re starting to have some foundational understanding of Windows  But really, we don’t know how.

Win32 Programming Lesson 8: Processes. Where are we?  We’re starting to have some foundational understanding of Windows  But really, we don’t know how.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il.

Itamargi at post.tau.ac.il Nirkrako at post.tau.ac.il.
ISP – 3 rd Recitation “The joy of Windows API” Processes Threads Handles Relevant functions A simple code example.

ISP – 3 rd Recitation “The joy of Windows API” Processes Threads Handles Relevant functions A simple code example.
Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.

Advanced OS Chapter 3p2 Sections 3.4 / 3.5. Interrupts These enable software to respond to signals from hardware. The set of instructions to be executed.
CSE 451 Section 4 Project 2 Design Considerations.

CSE 451 Section 4 Project 2 Design Considerations.
CPS110: Implementing threads/locks on a uni-processor Landon Cox.

CPS110: Implementing threads/locks on a uni-processor Landon Cox.
Malware Dynamic Analysis Part 3 Veronica Kovah vkovah.ost at gmail See notes for citation1

Malware Dynamic Analysis Part 3 Veronica Kovah vkovah.ost at gmail See notes for citation1
© 2004, D. J. Foreman 2-1 Concurrency, Processes and Threads.

© 2004, D. J. Foreman 2-1 Concurrency, Processes and Threads.
Win32 Programming Lesson 9: Jobs & Thread Basics.

Win32 Programming Lesson 9: Jobs & Thread Basics.
计算机系 信息处理实验室 Lecture 7 Processes, Threads, and Jobs (1)

计算机系 信息处理实验室 Lecture 7 Processes, Threads, and Jobs (1)
Win32 Programming Lesson 24: More SEH That’s right… you’ll never generate an exception, will you?

Win32 Programming Lesson 24: More SEH That’s right… you’ll never generate an exception, will you?
Software attacks Software Attacks DLL injection & API patching.

Software attacks Software Attacks DLL injection & API patching.
Win32 Programming Lesson 21: DLL Magic. Where are we?  We’ve looked at DLLs from a build/link/execute perspective, as well as some more advanced techniques.

Win32 Programming Lesson 21: DLL Magic. Where are we?  We’ve looked at DLLs from a build/link/execute perspective, as well as some more advanced techniques.
Win32 Programming Lesson 13: Thread Pooling (Wow, Java is good for something…)

Win32 Programming Lesson 13: Thread Pooling (Wow, Java is good for something…)
Win32 Programming Lesson 16: Virtual Memory. Where are we?  We’ve covered the theory of Windows memory, and poked around some  Now let’s use how to.

Win32 Programming Lesson 16: Virtual Memory. Where are we?  We’ve covered the theory of Windows memory, and poked around some  Now let’s use how to.
Win32 Programming Lesson 1: Why We’re All Here. Why We’re Here…  Okay, maybe that’s too grandiose  Windows – in particular Win32 Thirty-what?  What.

Win32 Programming Lesson 1: Why We’re All Here. Why We’re Here…  Okay, maybe that’s too grandiose  Windows – in particular Win32 Thirty-what?  What.

Similar presentations

Ads by Google