Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 09-08-2004, 23:53
<|nAbOo|>
 
Posts: n/a
Creating a Loader to modify a DLL file

Hi,

well i have a small question concerning Loaders.

Lets imagine i have a EXE file and a DLL file which check eachother for
CRC and different things and dont like modifying. The idea now is to create
a loader which patches the files in memory at runtime. For the EXE file i can use the following APIs to modify the code in memory:

invoke CreateProcessA,offset LoadszFileName,0,0,0,0,CREATE_SUSPENDED, \
0,0,offset LoadlpStartupInfo,offset LoadlpProcessInfo

invoke WriteProcessMemory,LoadlpProcessInfo.hProcess,LoadlpBaseAddress, \
offset LoadlpBuffer,LoadcbWrite,NULL

invoke ResumeThread,LoadlpProcessInfo.hThread

Now my question: How can i modify a DLL file in memory using such tactic.
Someone ever tried things like that before ?

Thanks in Advance
naboo
Reply With Quote
  #2  
Old 09-09-2004, 00:12
Neitsa
 
Posts: n/a
Hello,

Sice a DLL is mapped in the process address space, you can patch it easily, as you would nomally do with an executable file.

Fist of all, get the Image_Base address of the DLL (PE signature + 0x34) in an hex or PE editor and do appropriate VA/RVA conversion to get the location of the bytes to patch. On the other hand you can debug the DLL to get the exact location of the bytes to patch. Just get the address and the bytes to patch in the DLL, that's all !

(If you use OllyDBG, just do an ALT+M to see the process adress space, there you can locate you DLL and dump it in the disassembler view).

Another thing (maybe I've misunderstood what you want to patch), patching at runtime won't disable the CRC check, if you don't patch the check itself, since the loader will patch just after the thread came alive in the O.S, the CRC check will be performed, and your patched bytes will be caught.

Patch the executable crc check, patch the DLL crc check as you normally do with the EXE.

Regards, Neitsa.
Reply With Quote
  #3  
Old 09-09-2004, 01:30
Crk
 
Posts: n/a
i see... but this dosen't explain "how to do it" as i see he meanded how to implement a process patch as it's done for normal exe files... you know loader,most of them in most cases, bypass crc checks when patching in mem. i have never see a loader for a packed .dll .. but i know if the exe loads(loadlibraryexa or loadlibrarya ?) a dll in start up maybe some code could be injected in the exe to patch the dll after been loaded.. this is an idea . i'm really interested for this topic since i got a case which the exe calls aprotected .dll .. and the dll controls evertyhing (OEP,Trial.......) the exe do an integrity check for the dll .. i wonder how could be patched and if it's possible to do someking of loader/injected code for a protected/packed .dll

Regards
Reply With Quote
  #4  
Old 09-09-2004, 03:34
<|nAbOo|>
 
Posts: n/a
CRK is on the right way. The idea here is to just patch the program in memory. No hard patching like using Hiew and so. Getting the imagebase for an unloaded DLL is easy in this case you just need to disassemble it for example with IDA. But remember one thing: Lets say i have 2 DLLs and both want to use the same Imagebase for example 10001000 here then one will be put at a different location e.g. 3DFB0000 or whatever. So of course the first goal is getting the imagebase of the LOADED Dll file. Afterwards i want to patch the DLL in memory.

Neitsa: well you said i couldnt bypass CRC checks with that. In my case i could bypass the CRC checks with this because they are performed on the Files itself. The CRC check is not performed on the loaded Program in memory. So in most cases you could bypass a CRC check by using a Loader.

Additionally lets imagine i know the bytes i want to change lets for say easyness i want to change the bytes at location 10004324 74 0B to 10004324 EB 0B where the imagebase of the DLL is 10001000 in this case and the DLL is unloaded in this case.

Some Codesnippets or a small example of how to obtain the real virtual address of the DLL when loaded to memory and patch it afterwards in memory would be really nice.

Thanks in advance

Last edited by <|nAbOo|>; 09-09-2004 at 03:41.
Reply With Quote
  #5  
Old 09-09-2004, 06:11
Neitsa
 
Posts: n/a
Post

Hello,

Quote:
In my case i could bypass the CRC checks with this because they are performed on the Files itself
Damn, if I'm programming a CRC check I would do it both on file and memory ! So ok, if it's done only on file, you're right, please forgive me.

As you're creating yourself the process, retrieving the DLL base is easy with this API: EnumProcessModules.

Then you can extract some information with those API's:

-GetModuleBaseName
-GetModuleFileName
-GetModuleInformation

There's also another by getting the PEB of the process, and reading some fields from it. In fact interesting fields for your case are located in the PEB_LDR_DATA struct which is a currently holding information about Loaded modules. This is a far complex way to retrieve the same informations.

A problem comes when the DLL isn't loaded in the program and will be loaded later with a 'LoadLibrary'.

Well, one possibility :
-Hooking the LoadLibrary function from the program and then performing the above trick.

Maybe threre are some other ways when the DLL is not loaded when launching the program but I can't see them...

I'll try to code something, try also on your side.

Regards, Neitsa.
Reply With Quote
  #6  
Old 09-10-2004, 09:15
Crudd[RET] Crudd[RET] is offline
Friend
 
Join Date: Aug 2004
Posts: 28
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 0 Times in 0 Posts
Crudd[RET] Reputation: 0
Heres an asm example of retrieving imagebase without using any apis (in case you dont wanna worry about importing new functions):
hxxp://spiff.tripnet.se/~iczelion/files/kernel.zip
The GetKernalBase proc is the one you want, and it shows the implementation at main. If you need some help with the example, let me know. Its pretty simple though.
Crudd [RET]
Reply With Quote
  #7  
Old 09-10-2004, 11:47
xastey
 
Posts: n/a
i found that abel loader generator v2.30 and DAZAPATCHER work great when you need to patch a protected .dll file. Used both of them with arma apps and hasn't failed me now
Reply With Quote
  #8  
Old 09-10-2004, 15:06
xobor xobor is offline
Friend
 
Join Date: May 2002
Location: Slovakia
Posts: 102
Rept. Given: 6
Rept. Rcvd 4 Times in 4 Posts
Thanks Given: 1
Thanks Rcvd at 10 Times in 7 Posts
xobor Reputation: 5
you can do something like

Code:
	if(!CreateProcess(name,...))
	{
                 printf("err createprocess");
	    return 0;
	}

DebugLoop:

	WaitForDebugEvent(&DebugEvent, INFINITE);
	if(DebugEvent.dwDebugEventCode==LOAD_DLL_DEBUG_EVENT)
	{
	   //DebugEvent.u.LoadDll.lpBaseOfDll - is base of dll
             }
.
.
.
maybe it helps
Reply With Quote
  #9  
Old 09-10-2004, 21:15
Crk
 
Posts: n/a
i found that abel loader generator v2.30 and DAZAPATCHER work great when you need to patch a protected .dll file.

how? if loaders run an exe target .. how you patch those dll in mem. with a loader...
Reply With Quote
  #10  
Old 09-10-2004, 22:16
xastey
 
Posts: n/a
i just set it to load the exe and then set the patch data to the offest of the .dll
Reply With Quote
  #11  
Old 09-11-2004, 01:17
Line79
 
Posts: n/a
Hello,

I don't understand the problem here.

The dll will be loaded in the SAME context than the EXE file.
Therefore, you could patch the dll if you could control the EXE file code.

But what you can just do, is CreateProcess the EXE file, and then, instead of providing a VA inside the Target EXE (which you don't want to do, since you want to patch the dll), you just provide a VA inside the DLL to WriteProcessMemory, and since , the dll is in the same Address space (context) than the EXE file, you writeprocessmemory will work, and thus, you will be patching your protected dll without problems.

Cheers.
Reply With Quote
  #12  
Old 09-12-2004, 03:09
Peace99
 
Posts: n/a
I just use this trick

just use Process Patcher v3.60
Search memory address you want to patch and create Process Patcher v3.60
it's will patch memory on the fly.

see my attachment in powerbasic source (to enable official counter-strike 1.6 bots.)

I use this trick, convert Process Patcher v3.60 to hex and store inside the source code. see the source for detail.

this how i create loader/launcher.
Attached Files
File Type: rar cstrike.rar (64.1 KB, 77 views)
Reply With Quote
  #13  
Old 10-04-2004, 02:46
[NtSC]
 
Posts: n/a
...

You can use CreateProcess to create The Process itself..Depending on the OS the Dlls are loaded by then,or arent. For an NT based OS i would Create the Process, put an EBFE on the Entrypoint, execute it and catch it to make sure all Dlls are proper loaded. The you loop the loaded Modules with the ToolHelp Functions and compare the Dllnames with the Name of the Dll you seek. The Toolhelp Functions will also return the BaseAdress, so you can use that with a Distance Value to patch your Stuff.
Reply With Quote
  #14  
Old 10-05-2004, 14:02
vrclr27 vrclr27 is offline
Friend
 
Join Date: Jul 2004
Posts: 27
Rept. Given: 2
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
vrclr27 Reputation: 1
Interesting articles

There are also some interesting articles on this subject in:
help://bib.universitas-virtualis.org

Sorry, not in the library but part of the CodeBreaker Mag. at same location

Last edited by vrclr27; 10-06-2004 at 13:59. Reason: Update
Reply With Quote
  #15  
Old 03-11-2005, 14:02
Newbie_Cracker's Avatar
Newbie_Cracker Newbie_Cracker is offline
VIP
 
Join Date: Jan 2005
Posts: 223
Rept. Given: 75
Rept. Rcvd 26 Times in 12 Posts
Thanks Given: 37
Thanks Rcvd at 19 Times in 15 Posts
Newbie_Cracker Reputation: 26
OK guys, lets ask the question a little different.
Think we have a program and its serial-check routine, is in a DLL which is in its resource. Program runs and after a few seconds, loads the DLL and read a function from it.
Using constant address for writing to memory is not possible. Because the addresses change.

Now, how could we get some RVA in DLL to calculate the patch address?
I can get DLL ProcessID after showing some window, but couldn't get one of its fucntion address or its OEP in memory.

Last edited by Newbie_Cracker; 03-11-2005 at 16:25.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Creating a Loader for DotNet Apps? bball0002 General Discussion 2 09-24-2009 22:06
modify UPX feisu General Discussion 15 06-27-2003 04:24


All times are GMT +8. The time now is 00:28.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2020 )