awesome ! great and clear explanation !
unfortunately there's no thanks or rep on mobile..
I'm going to try this tomorrow !
Hi guys, I'm back with something new again
What it does
So besides the 3 previously known dll injection techniques:
1. CreateRemoteThread & WriteProcessMemory (manual mapping)
2. Windows hooks
3. CreateRemoteThread & LoadLibAddress (most injectors use this method)
I've made a new technique. It's a flavor between 1 & 3, but the CreateRemoteThread is removed, leaving only dead code injection. I'd like to call it: Trap laying
The idea behind this technique is to use pattern detection/analysis to find loops and put jump codes into loops that seem likely to be executed. The jumps all go to a stub that calls LoadLibrary() from kernel32.dll. It then removes the patches and puts the original code back in place.
Of course you can also just provide an address from which you know it's going to get executed a lot of times.
Why do it like this?
If you were going to say that this method is unreliable, risky, a race condition and hard to do, I would tell you that you're absolutely right. But some time ago I needed to inject code into system processes, and all other means of injecting code failed me.
Windows is paranoid about its system processes, but I found out that you can write and read to and from system processes, so that's why I developed this little tool.
How does it work
That's easy, again I'm going to provide you with pseudo code and an explanation:
Injector code:
Code:
    // where Address = base address of target function
    // where PatchToStub = a function to relay the code to the dll loader stub and update addresses and data inside the stub
    for(int i = 0; Address[i] != JUMP OPCODE, CALL OPCODE, RET OPCODE; i++);
    if(Address[i] == RET OPCODE){
        if(Address[i-1] != PUSH OPCODE){
            StartOver();
        }
    }
    PatchToStub(Address[i], StubAddress, DLL name);
    StartOver()
So first our injector looks for code that is likely to be executed many times (or uses the address you provided) and patches it to the stub. The stub (when executed) then loads the dll provided by you and swaps the original code back in place.
Stub code:
Code:
    // where GetCurrentAddress = a function to get the address we're injected at
    // where LoadDll = a function that looks up the address of the LoadLib() api in memory, saved during injection
    // where RemoveStubs = a function to remove all stubs that point to that location, using a structure saved during injection
    int i = 0;
    GetCurrentAddress(&i);
    LoadDll(i);
    RemoveStubs(i)
So what do you guys think?
Is it useful? Keep in mind that I'm talking about system processes that cannot be injected without having special privileges.
I'm going to make this and things mentioned in my previous post about hooking into a library to support both game and real hacking (guess why I needed it in the first place...)
-SCHiM
Last edited by .::SCHiM::.; 01-29-2011 at 08:18 AM.
I'm SCHiM
Morals derive from the instinct to survive. Moral behavior is survival behavior above the individual level.
Polymorphic engine
Interprocess callback class
SIN
Infinite-precision arithmetic
Hooking dynamic linkage
(sloppy)Kernel mode Disassembler!!!
Semi debugger
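A defender's counterpart to the trap-laying idea described in the post above, added here as an example that is not part of the original post or the author's tool: compare a code region as currently mapped against its pristine copy, report every modified run, and decode any patched-in relative jump (E9 rel32 / EB rel8) at the start of a run to check whether it leaves the module, which is what a trap pointing at an injected stub looks like. The loop bytes, the module base, module size and region address are all constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Patch:
    offset: int                 # offset of the first modified byte in the region
    length: int                 # length of the modified run
    jump_target: Optional[int]  # absolute target if the run begins with a jmp
    leaves_module: bool         # True if that target lies outside the module

def decode_jump(code: bytes, off: int, region_addr: int) -> Optional[int]:
    """Decode an E9 rel32 or EB rel8 jmp at code[off]; return its absolute target or None."""
    op = code[off]
    if op == 0xE9 and off + 5 <= len(code):
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return region_addr + off + 5 + rel
    if op == 0xEB and off + 2 <= len(code):
        rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
        return region_addr + off + 2 + rel
    return None

def find_patches(pristine: bytes, live: bytes, region_addr: int,
                 module_base: int, module_size: int) -> list:
    """Diff a mapped code region against its pristine copy and classify each modified run."""
    if len(pristine) != len(live):
        raise ValueError("region copies differ in length")
    patches, i = [], 0
    while i < len(live):
        if pristine[i] == live[i]:
            i += 1
            continue
        start = i
        while i < len(live) and pristine[i] != live[i]:
            i += 1
        target = decode_jump(live, start, region_addr)
        outside = target is not None and not (module_base <= target < module_base + module_size)
        patches.append(Patch(start, i - start, target, outside))
    return patches

# Constructed sample: a tiny counting loop (mov ecx,10 / dec ecx / 4 nops / jnz / ret / int3 padding).
MODULE_BASE, MODULE_SIZE, REGION_ADDR = 0x00400000, 0x1000, 0x00400400
PRISTINE = bytes.fromhex("B90A000000" "49" "90909090" "75F9" "C3" "CCCCCC")
# The same region after the loop body (offset 5) was overwritten with a 5-byte jmp to
# 0x00500000, an address outside the module: rel32 = target - (REGION_ADDR + 5 + 5).
LIVE = PRISTINE[:5] + b"\xE9" + (0x00500000 - (REGION_ADDR + 10)).to_bytes(4, "little", signed=True) + PRISTINE[10:]

def demo() -> list:
    """Run the check over the constructed sample; returns one Patch whose jmp leaves the module."""
    return find_patches(PRISTINE, LIVE, REGION_ADDR, MODULE_BASE, MODULE_SIZE)
```

The bytes to restore are simply `PRISTINE[p.offset:p.offset + p.length]` for each reported patch; a run whose first byte is not a jmp is still reported, just without a decoded target.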
These aren't really "new" techniques, loaders are common, just difficult and troublesome to implement.
THE EYE OF AN ADMINISTRATOR IS UPON YOU. ANY WRONG YOU DO IM GONNA SEE, WHEN YOU'RE ON MPGH, LOOK BEHIND YOU, 'CAUSE THATS WHERE IM GONNA BE
"First they ignore you. Then they laugh at you. Then they fight you. Then you lose." - Dave84311
HAVING VIRTUAL DETOX
tbh, I would search for standard windows functions, GetMessage() or PeekMessage for starters since that main loop is called in all windows programs one way or the other. That will put you to the main loop, but just hooking any API is usually easier as well. Depends what you're doing I guess...
Interesting idea, but it looks as if your scanning method isn't particularly robust either, which means it probably takes some insight to get one of your "traps" to hit on the first pass without quite literally laying "traps" everywhere. A dirty, but effective approach, but there are cleaner ways.
"Every gun that is made, every warship launched, every rocket fired signifies, in the final sense, a theft from those who hunger and are not fed, those who are cold and are not clothed. This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children. The cost of one modern heavy bomber is this: a modern brick school in more than 30 cities. It is two electric power plants, each serving a town of 60,000 population. It is two fine, fully equipped hospitals. It is some fifty miles of concrete pavement. We pay for a single fighter plane with a half million bushels of wheat. We pay for a single destroyer with new homes that could have housed more than 8,000 people. This is, I repeat, the best way of life to be found on the road the world has been taking. This is not a way of life at all, in any true sense. Under the cloud of threatening war, it is humanity hanging from a cross of iron."- Dwight D. Eisenhower
Quote: GetMessage() or PeekMessage for starters since that main loop is called in all windows programs one way or the other. That will put you to the main loop, but just hooking any API is usually easier as well. Depends what you're doing I guess...
That was actually my first idea, since I thought I had the liberty to remove them without time/race pressure. Too bad that when laying multiple traps race conditions do occur.
But how should I go about hooking an API if I can't inject my code into the target process? I assume that one would need to use read + write process memory, which is very annoying to do in assembler...
Quote: These aren't really "new" techniques, loaders are common, just difficult and troublesome to implement.
Could you point me to one of these loaders?
Last edited by .::SCHiM::.; 01-30-2011 at 03:03 AM.
Use CreateToolhelp32Snapshot Function (Windows) to find the ProcessID, then you can call OpenProcess Function (Windows) to get the process handle and finally GetProcAddress() to find the address of the API. Now it's a simple matter of hooking that function by overwriting it with your own code. So just write over all those bytes, then put the bytes back where you got them from once you're done loading your DLL.
Last edited by .::SCHiM::.; 01-30-2011 at 10:53 AM.
My bad. You will have to call GetProcAddress inside of the target executable's memory, which defeats the point. Since I was talking about hooking an API though, you can use the SetWindowsHook function to hook a specific function, then call LoadLibrary if that seems to be the right process. Then of course remove the hook after injection to evade detection. One way or the other, code has to be executed inside the address space of the other process to load the library. I guess really the only easy ways I can think of are some flavor of CreateRemoteThread and SetWindowsHook.
Last edited by why06; 01-30-2011 at 04:00 PM.