Exetools  

  #1  
Old 09-09-2004, 01:30
Crk
I see... but this doesn't explain "how to do it". As I see it, he meant how to implement a process patch as it's done for normal exe files... you know, loaders, most of them in most cases, bypass CRC checks when patching in memory. I have never seen a loader for a packed .dll... but I know if the exe loads (LoadLibraryExA or LoadLibraryA?) a dll at startup, maybe some code could be injected in the exe to patch the dll after it has been loaded... this is an idea. I'm really interested in this topic since I have a case where the exe calls a protected .dll... and the dll controls everything (OEP, Trial.......); the exe does an integrity check on the dll... I wonder how it could be patched and if it's possible to do some kind of loader/injected code for a protected/packed .dll

Regards
  #2  
Old 09-09-2004, 03:34
<|nAbOo|>
CRK is on the right way. The idea here is to just patch the program in memory, no hard patching like using Hiew and so on. Getting the imagebase for an unloaded DLL is easy; in this case you just need to disassemble it, for example with IDA. But remember one thing: let's say I have 2 DLLs and both want to use the same imagebase, for example 10001000; then one will be put at a different location, e.g. 3DFB0000 or whatever. So of course the first goal is getting the imagebase of the LOADED DLL file. Afterwards I want to patch the DLL in memory.

Neitsa: well, you said I couldn't bypass CRC checks with that. In my case I could bypass the CRC checks with this because they are performed on the files themselves. The CRC check is not performed on the loaded program in memory. So in most cases you could bypass a CRC check by using a loader.

Additionally, let's imagine I know the bytes I want to change; let's say, for easiness, I want to change the bytes at location 10004324 74 0B to 10004324 EB 0B, where the imagebase of the DLL is 10001000 in this case and the DLL is unloaded.

Some code snippets or a small example of how to obtain the real virtual address of the DLL when loaded to memory and patch it afterwards in memory would be really nice.

Thanks in advance

  #3  
Old 09-09-2004, 06:11
Neitsa

Hello,

Quote:
In my case i could bypass the CRC checks with this because they are performed on the Files itself
Damn, if I'm programming a CRC check I would do it both on file and memory! So ok, if it's done only on file, you're right, please forgive me.

As you're creating yourself the process, retrieving the DLL base is easy with this API: EnumProcessModules.

Then you can extract some information with these APIs:

-GetModuleBaseName
-GetModuleFileName
-GetModuleInformation

There's also another way, by getting the PEB of the process and reading some fields from it. In fact the interesting fields for your case are located in the PEB_LDR_DATA struct, which currently holds information about loaded modules. This is a far more complex way to retrieve the same information.

A problem comes when the DLL isn't loaded in the program and will be loaded later with a 'LoadLibrary'.

Well, one possibility:
-Hooking the LoadLibrary function from the program and then performing the above trick.

Maybe there are some other ways when the DLL is not loaded when launching the program but I can't see them...

I'll try to code something, try also on your side.

Regards, Neitsa.
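Neitsa's point that a file-only CRC never sees what a loader changes in memory, shown as an added example that is not code from this thread or from any of the tools named in it: a portable C sketch of a self-check that hashes the code section once from the file bytes and once from the mapped image. The section layout (file offset 0x200, RVA 0x1000), the 16 code bytes and the two buffers are constructed stand-ins; a real check would read them from the module on disk and from the base address EnumProcessModules returns.

```c
#include <stdint.h>
#include <string.h>
/* CRC-32 (IEEE polynomial, reflected) over a byte range. */
static uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* The two places a PE section's bytes live: PointerToRawData in the file,
 * VirtualAddress (an RVA from the image base) once the loader maps it. */
typedef struct { uint32_t raw_off, rva, size; } section_t;
/* CRC over the on-disk copy: this is all a file-only check ever sees. */
uint32_t file_crc(const uint8_t *file, const section_t *s)
{
    return crc32_buf(file + s->raw_off, s->size);
}
/* CRC over the mapped copy: a loader that patches RAM changes this one. */
uint32_t image_crc(const uint8_t *image, const section_t *s)
{
    return crc32_buf(image + s->rva, s->size);
}

/* Constructed stand-ins for the DLL on disk and mapped in the process:
 * a 16-byte code section at file offset 0x200, mapped at RVA 0x1000. */
static const section_t text_sec = { 0x200, 0x1000, 16 };
static uint8_t disk_file[0x210], mapped_image[0x1010];
/* Fill both views with the same constructed code bytes; with patch_memory
 * set, apply the thread's example edit (74 -> EB) to the mapped view only. */
void build_views(int patch_memory)
{
    static const uint8_t code[16] = { 0x55, 0x8B, 0xEC, 0x74, 0x0B, 0x33, 0xC0, 0x5D,
                                      0xC3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
    memcpy(disk_file + text_sec.raw_off, code, sizeof code);
    memcpy(mapped_image + text_sec.rva, code, sizeof code);
    if (patch_memory)
        mapped_image[text_sec.rva + 3] = 0xEB;
}

/* The memory-side check Neitsa would add: compare live code bytes with the
 * file's. Returns 1 when they match, 0 when memory was tampered with. */
int memory_matches_file(void)
{
    return file_crc(disk_file, &text_sec) == image_crc(mapped_image, &text_sec);
}
```

With the patch applied, file_crc() is unchanged (the disk byte is still 74) while image_crc() differs, which is exactly the gap a file-only check leaves open.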
  #4  
Old 09-10-2004, 09:15
Crudd[RET]
Here's an asm example of retrieving the imagebase without using any APIs (in case you don't want to worry about importing new functions):
hxxp://spiff.tripnet.se/~iczelion/files/kernel.zip
The GetKernalBase proc is the one you want, and it shows the implementation at main. If you need some help with the example, let me know. It's pretty simple though.
Crudd [RET]
  #5  
Old 09-10-2004, 11:47
xastey
I found that Abel Loader Generator v2.30 and DAZAPATCHER work great when you need to patch a protected .dll file. Used both of them with arma apps and they haven't failed me so far.
  #6  
Old 09-10-2004, 15:06
xobor
You can do something like:

Code:
	// dwCreationFlags must include DEBUG_ONLY_THIS_PROCESS (or DEBUG_PROCESS)
	// so that the LOAD_DLL_DEBUG_EVENTs below are delivered to this loader
	if(!CreateProcess(name, ...))
	{
	    printf("err createprocess");
	    return 0;
	}

DebugLoop:

	WaitForDebugEvent(&DebugEvent, INFINITE);
	if(DebugEvent.dwDebugEventCode == LOAD_DLL_DEBUG_EVENT)
	{
	    // DebugEvent.u.LoadDll.lpBaseOfDll - is base of dll
	    // (lpImageName / hFile tell you which dll, when the system supplies them)
	}
	// let the debuggee run on and wait for the next event
	ContinueDebugEvent(DebugEvent.dwProcessId, DebugEvent.dwThreadId, DBG_CONTINUE);
	goto DebugLoop;
.
.
.
Maybe it helps.
  #7  
Old 09-10-2004, 21:15
Crk
Quote:
i found that abel loader generator v2.30 and DAZAPATCHER work great when you need to patch a protected .dll file.

How? If loaders run an exe target, how do you patch those dlls in memory with a loader...