Trao đổi với tôi

http://www.buidao.com

3/5/10

[Hooking] DLL Injection Windows Vista

This article provides an insight on how to inject a dynamic library (DLL) into a 32 bit process in Windows Vista with the use of Remote Threads and taking into consideration the Address Space Layout Randomization (ASLR). The sample code used is written in assembly language (MASM32) using the WinAsm IDE. It should give you a better understanding on how dynamic libraries can be injected.

The concept of loading a library inside a process is simple. A programmer could dynamically load one by using the LoadLibrary function from Windows API for example:



#include 
#include 
#include 

int main(int argc, char *argv[])
{
HANDLE hlib;
char *lib = "E:\\mylib.dll";
printf("Loading library: %s\n",lib);
hlib = LoadLibraryA(lib);
printf("Handle: %X\n",hlib);
system("PAUSE");
return 0;
}

Therefore we can use the CreateRemoteThread function to create a thread that executes the LoadLibraryA with the library’s path as an argument.

CreateRemoteThread

HANDLE WINAPI CreateRemoteThread(
__in   HANDLE hProcess,
__in   LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in   SIZE_T dwStackSize,
__in   LPTHREAD_START_ROUTINE lpStartAddress,
__in   LPVOID lpParameter,
__in   DWORD dwCreationFlags,
__out  LPDWORD lpThreadId
);
hProcess

Is the handle to the remote process we intend like to inject our library.

lpStartAddress

This is the address (or offset) of the function our thread will start executing. In our case this should be equal to the offset of LoadLibraryA in the remote process address space.

lpParameter

This is the address of the parameter (library pathname) we aim to set as an argument to the LoadLibraryA function. Note that this also has to be in the address space of our remote process.

The main issues we have to take into consideration are:

  • The offset of LoadLibraryA is not constant (not after Microsoft implemented Address Space Layout Randomisation or ASLR)
  • Our library’s pathname string does not exist in the remote thread’s address space

Offset of LoadLibraryA

LoadLibraryA resides within kernel32.dll which is an essential library for every process that runs in our operating system. After each restart there is a probability that the address of kernel32 library would change due to ASLR. Fortunately the address of LoadLibraryA in our process is the same with the one in the remote process. Therefore we will need to use the GetProcAddress in combination with GetModuleHandle. The example code below does this thing:

#include
#include
#include

int main(int argc, char *argv[])
{
HINSTANCE kernel32;
FARPROC proc;
char *procname = “LoadLibraryA”;
char *modulename = “Kernel32″;
kernel32 = GetModuleHandle(modulename);
printf(“hModule: %X\n”,kernel32);
proc = GetProcAddress(kernel32,procname);
printf(“hProc: %X\n”,proc);
system(“PAUSE”);
return 0;
}

Getting the pathname inside the remote process’s address space

To do such a thing we would need to allocate space in the remote thread’s address space using VirtualAllocEx function and then patch our pathname to it using WriteProcessMemory function. You can lookup this two functions on MSDN using the links below:

VirtualAllocEx

WriteProcessMemory

Another “hack” you are be able to use is that you could name you library after a string inside the executable file and then copy it inside the executables folder or any other folder defined by the PATH environment variable. For the example program’s hex dump below you could use ernel32.dll (at 00402229) or nel32.dll (at 0040222A) 32.dll (at 0040222D) or even NameA (at 00402243) as your library’s filename.

004020F0    ø ......�.Dialog
00402100    BoxParamA.´.EndD
00402110    ialog.ü.GetDlgIt
00402120    emTextA.± Messag
00402130    eBoxA.  SetDlgIt
00402140    emTextA.user32.d
00402150    ll..R.CreateRemo
00402160    teThread..›.Exit
00402170    Process.Ì.Format
00402180    MessageA..  GetC
00402190    urrentProcessId.
004021A0    ( GetLastError..
004021B0    4 GetModuleHandl
004021C0    eA..S GetProcAdd
004021D0    ress..  OpenProc
004021E0    ess.\ RtlZeroMem
004021F0    ory.Þ VirtualAll
00402200    ocEx..  WritePro
00402210    cessMemory..  ls
00402220    trlenA..kernel32
00402230    .dll....GetOpenF
00402240    ileNameA..comdlg
00402250    32.dll..........

Download Source code and executable



reflink: http://www.itsolutionskb.com/2009/01/dll-injection-windows-vista/
Được đăng bởi Lúc