Difference between revisions of ".dll Injection and Patching"

From SkullSecurity

Revision as of 21:30, 15 March 2007

This page is under construction. USE AT YOUR OWN RISK!


.dll injection is the easiest and most common way to write a hack.

To perform an injection, a process is made to load an attacker-controlled .dll file into its address space. Once loaded, the .dll adds jumps (or "hooks") at chosen places in the target program so that those places automatically call functions inside the .dll. This lets the .dll capture specific events, such as packets being received, commands being typed, or anything else that passes through the hooked code.

Injection

If you want a program to do it for you without reading any further, feel free to grab the one I wrote. It works well, but can't really be automated.

If you want to learn more about injection, feel free to browse my code here or download the code here. It's my first (and only) Windowsy program, so it might be valuable some day! But seriously, be gentle, and if you think you can improve it I'd welcome the change.

Basically, the injecting program calls CreateRemoteThread() on the foreign process, pointing the new thread at a small piece of code. That code simply calls LoadLibrary() on your chosen .dll file, which maps the .dll into the target program's address space.

If you want any more details about how injection works, check out Richter's book or my source code. It's been a long time, and I've always just used that program.


Patching

When loaded, the .dll file, in DLL_PROCESS_ATTACH, typically overwrites sections of the program's code, using WriteProcessMemory(), so that they jump to the .dll itself. The instructions that were overwritten must still be executed, before the hack's own code runs (or after, but I generally do it before). Otherwise those instructions never run, and the program will likely misbehave.

What I typically do is declare an array of characters that will hold the overwritten code as well as a jump to my custom function. This might be an assembly function to be overwritten:

<< insert assembly here >>

Once overwritten, the function will look something like this:

<< insert assembly with extra call >>

Note how the 5 bytes, << insert bytes here >>, were overwritten to add the call. Also note that, because it's a "call", the return address is pushed on the stack, so the stack won't be in the same position it was before the patch. A call is used anyway because it makes returning to the original function easy. Later, we'll discuss some strategies for getting around this problem.

So what we need is a buffer containing this code:

<< insert overwritten assembly >>
jmp HackFunction

Which translates to this machine code, stored in C code:

char *wrapper = "<< insert machine code >>\xe9\x??\x??\x??\x??";

Where the last four bytes are the relative distance from that jmp to HackFunction.
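As an added example (not the author's code), the arithmetic behind those four bytes and the detection side of the same patch: it builds the wrapper buffer for a constructed 5-byte prologue, encodes the E8/E9 displacement relative to the end of the branch instruction, and shows how an integrity check compares the in-memory prologue against the on-disk bytes. All addresses, helper names and prologue bytes are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical helpers (not from the original page); they work on constructed
 * byte arrays, so no process memory is read or written. */
#define PATCH_LEN 5                 /* E8 call / E9 jmp: one opcode byte + rel32 */
/* rel32 is measured from the END of the 5-byte instruction, not its start. */
static int32_t rel32(uintptr_t insn_va, uintptr_t target_va) {
    return (int32_t)(target_va - (insn_va + PATCH_LEN));
}
/* Emit opcode + rel32 into `out`, which will live at address insn_va. */
static void encode_branch(uint8_t *out, uintptr_t insn_va, uintptr_t target_va,
                          uint8_t opcode) {
    int32_t disp = rel32(insn_va, target_va);
    out[0] = opcode;
    memcpy(out + 1, &disp, 4);      /* little-endian, as x86 expects */
}
/* Decode where an E8/E9 located at `va` lands, so a checker can follow a hook. */
static uintptr_t branch_target(const uint8_t *p, uintptr_t va) {
    int32_t disp;
    memcpy(&disp, p + 1, 4);
    return va + PATCH_LEN + (intptr_t)disp;
}
/* The page's "wrapper": the displaced original bytes, then jmp HackFunction. */
static void build_wrapper(uint8_t *w, uintptr_t w_va, const uint8_t *orig,
                          uintptr_t hack_va) {
    memcpy(w, orig, PATCH_LEN);
    encode_branch(w + PATCH_LEN, w_va + PATCH_LEN, hack_va, 0xE9);
}
/* Defender's check: the in-memory prologue differs from the on-disk copy and
 * now begins with a relative call/jmp. Returns 1 if an inline hook is present. */
static int is_hooked(const uint8_t *mem, const uint8_t *disk) {
    return memcmp(mem, disk, PATCH_LEN) != 0 && (mem[0] == 0xE8 || mem[0] == 0xE9);
}
/* Constructed scenario: prologue "push ebp; mov ebp,esp; xor eax,eax" at
 * 0x00401000 is patched with `call wrapper`; the wrapper (0x10001000) jumps on
 * to HackFunction (0x10002000). Returns 0 if every check agrees, else the step. */
static int demo(void) {
    static const uint8_t disk[PATCH_LEN] = {0x55, 0x89, 0xE5, 0x31, 0xC0};
    const uintptr_t func_va = 0x00401000u, wrap_va = 0x10001000u, hack_va = 0x10002000u;
    uint8_t mem[PATCH_LEN], wrapper[2 * PATCH_LEN];
    memcpy(mem, disk, PATCH_LEN);
    if (is_hooked(mem, disk)) return 1;               /* clean before patching */
    build_wrapper(wrapper, wrap_va, disk, hack_va);
    encode_branch(mem, func_va, wrap_va, 0xE8);       /* the 5 overwritten bytes */
    if (!is_hooked(mem, disk)) return 2;              /* hook is now detected */
    if (branch_target(mem, func_va) != wrap_va) return 3;
    if (branch_target(wrapper + PATCH_LEN, wrap_va + PATCH_LEN) != hack_va) return 4;
    return 0;
}
```

With these constructed addresses the patched prologue becomes E8 FB FF BF 0F and the wrapper ends in E9 F6 0F 00 00; a real checker would read the prologue from the live process and the reference bytes from the module on disk.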

.......... to be continued ................

Questions

Feel free to edit this section and post questions; I'll do my best to answer them. But you may need to contact me to let me know that a question exists.