1 / 20

Win32 Programming

Win32 Programming. Lesson 22: DLL Magic Part Deux All your base are belong to us…. Where are we?. We’ve looked at injection techniques in general But now it’s time to get specific. Remind Me…. What’s the trick we’re trying to pull off?. Injecting DLLs using a Remote Thread.

milos
Download Presentation

Win32 Programming

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Win32 Programming Lesson 22: DLL Magic Part Deux All your base are belong to us…

  2. Where are we? • We’ve looked at injection techniques in general • But now it’s time to get specific

  3. Remind Me… • What’s the trick we’re trying to pull off?

  4. Injecting DLLs using a Remote Thread • Remember, we’re trying to get a DLL into another process’ address space • One way to do this is to create a thread in a remote process • And Windows provides an easy way to do this…

  5. So… • HANDLE CreateRemoteThread(    HANDLE hProcess,     PSECURITY_ATTRIBUTES psa,     DWORD dwStackSize,    PTHREAD_START_ROUTINE pfnStartAddr,     PVOID pvParam,     DWORD fdwCreate,     PDWORD pdwThreadId); • Look familiar…?

  6. Problems? • Troy, does this solve all our problems? • Casey? • Chris? • Invisible Dan? • …

  7. Bingo! • This only works if we have code in the remote thread that we want to execute to load our Trojan DLL… • Hmmm… can we fix it? • How do you load a DLL during program execution?

  8. Right: LoadLibrary • But LoadLibrary doesn’t exist (someone tell me why?) • So basically, we want to execute a line of code which looks like this: • HANDLE hThread = CreateRemoteThread( hProcessRemote,  NULL,  0,     LoadLibraryA,  "C:\\MyLib.dll",  0,  NULL); • BUT this is still wrong… why?

  9. Right: Real address • The address of LoadLibraryA as a function won’t be the same because of relocation • But the *real* address of LoadLibraryA in KERNEL32.DLL will be the same (provided it loads in the same location) • So, how do we get that?

  10. Right: GetProcAddress… • GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA"); • Easy eh? • Predicated on the identical loading of Kernel32… but that’s quite common • But it still doesn’t work right… there’s still one string attached to this idea…

  11. Right: The STRING “c:\\mylib.dll” • The String exists in Process A’s address space, but we need it to exist in Process B’s • Hmmm • How can we fix that?

  12. Right: VirtualAllocEx • Bingo! • PVOID VirtualAllocEx(     HANDLE hProcess,     PVOID pvAddress,     SIZE_T dwSize,     DWORD flAllocationType,     DWORD flProtect);

  13. But we’re still not done • Processes boundaries stop one process writing to another… • So we need a function which can read and write Process memory • And Windows gives us such a function…

  14. Memory… • BOOL ReadProcessMemory(    HANDLE hProcess,     PVOID pvAddressRemote,    PVOID pvBufferLocal,     DWORD dwSize,     PDWORD pdwNumBytesRead); BOOL WriteProcessMemory(    HANDLE hProcess,     PVOID pvAddressRemote,    PVOID pvBufferLocal,     DWORD dwSize,     PDWORD pdwNumBytesWritten);

  15. 7 Step Process • Use the VirtualAllocEx function to allocate memory in the remote process’s address space. • Use the WriteProcessMemory function to copy the DLL's pathname to the memory allocated in step 1. • Use the GetProcAddress function to get the real address (inside Kernel32.dll) of the LoadLibraryA or LoadLibraryW function. • Use the CreateRemoteThread function to create a thread in the remote process that calls the proper LoadLibrary function, passing it the address of the memory allocated in step 1.

  16. Continued… • Use the VirtualFreeEx function to free the memory allocated in step 1. • Use the GetProcAddress function to get the real address (inside Kernel32.dll) of the FreeLibrary function. • Use the CreateRemoteThread function to create a thread in the remote process that calls LoadLibrary function, passing the remote DLL's HINSTANCE.

  17. Lastly… • hProcess = OpenProcess(    PROCESS_CREATE_THREAD |   // For CreateRemoteThread    PROCESS_VM_OPERATION  |   // For VirtualAllocEx/VirtualFreeEx    PROCESS_VM_WRITE,    // For WriteProcessMemory    FALSE,  dwProcessId);

  18. Next: The Trojan DLL • Replace some DLL you want… • But you have to export all the same functions

  19. Injecting a DLL via a Debugger • Tricky and processor-specific • But can work well, as Debuggers have special privileges

  20. Injecting Via CreateProcess • Have your process spawn the child process suspended. • Retrieve the primary thread's starting memory address from the .exe module's file header. • Save the machine instructions at this memory address. • Force some hand-coded machine instructions at this address. The instructions should call LoadLibrary to load a DLL. • Resume the child process’s primary thread so that this code executes. • Restore the original instructions back into the starting address. • Let the process continue execution from the starting address as if nothing had happened

More Related