Exetools  

#1
09-08-2004, 23:53
<|nAbOo|>
Creating a Loader to modify a DLL file

Hi,

well i have a small question concerning Loaders.

Let's imagine I have an EXE file and a DLL file which check each other for
CRC and different things and don't like being modified. The idea now is to create
a loader which patches the files in memory at runtime. For the EXE file I can use the following APIs to modify the code in memory:

; create the target suspended, so nothing runs before the patch is applied
invoke CreateProcessA,offset LoadszFileName,0,0,0,0,CREATE_SUSPENDED, \
       0,0,offset LoadlpStartupInfo,offset LoadlpProcessInfo

; copy LoadcbWrite bytes from LoadlpBuffer over the code at LoadlpBaseAddress
invoke WriteProcessMemory,LoadlpProcessInfo.hProcess,LoadlpBaseAddress, \
       offset LoadlpBuffer,LoadcbWrite,NULL

; let the main thread run with the patched code in place
invoke ResumeThread,LoadlpProcessInfo.hThread

Now my question: how can I modify a DLL file in memory using such a tactic?
Has someone ever tried things like that before?

Thanks in Advance
naboo
#2
09-09-2004, 00:12
Neitsa
Hello,

Since a DLL is mapped in the process address space, you can patch it easily, as you would normally do with an executable file.

First of all, get the Image_Base address of the DLL (PE signature + 0x34) in a hex or PE editor and do the appropriate VA/RVA conversion to get the location of the bytes to patch. On the other hand you can debug the DLL to get the exact location of the bytes to patch. Just get the address and the bytes to patch in the DLL, that's all!

(If you use OllyDbg, just do ALT+M to see the process address space; there you can locate your DLL and dump it in the disassembler view.)

Another thing (maybe I've misunderstood what you want to patch): patching at runtime won't disable the CRC check if you don't patch the check itself. Since the loader patches just after the thread comes alive in the OS, the CRC check will be performed, and your patched bytes will be caught.

Patch the executable CRC check, and patch the DLL CRC check as you normally do with the EXE.

Regards, Neitsa.
#3
09-09-2004, 01:30
Crk
I see... but this doesn't explain "how to do it". As I see it, he meant how to implement a process patch as it's done for normal EXE files... you know, loaders, most of them in most cases, bypass CRC checks when patching in memory. I have never seen a loader for a packed .dll, but I know if the EXE loads (LoadLibraryExA or LoadLibraryA?) a DLL at startup, maybe some code could be injected in the EXE to patch the DLL after it has been loaded. This is an idea. I'm really interested in this topic since I've got a case in which the EXE calls a protected .dll, and the DLL controls everything (OEP, trial...). The EXE does an integrity check on the DLL. I wonder how it could be patched and if it's possible to do some kind of loader/injected code for a protected/packed .dll.

Regards
#4
09-09-2004, 03:34
<|nAbOo|>
Crk is on the right track. The idea here is to just patch the program in memory. No hard patching like using Hiew and so on. Getting the image base for an unloaded DLL is easy; in this case you just need to disassemble it, for example with IDA. But remember one thing: let's say I have 2 DLLs and both want to use the same image base, for example 10001000; then one will be put at a different location, e.g. 3DFB0000 or whatever. So of course the first goal is getting the image base of the LOADED DLL file. Afterwards I want to patch the DLL in memory.

Neitsa: well, you said I couldn't bypass CRC checks with that. In my case I can bypass the CRC checks with this because they are performed on the files themselves. The CRC check is not performed on the loaded program in memory. So in most cases you could bypass a CRC check by using a loader.

Additionally, let's imagine I know the bytes I want to change. For ease, let's say I want to change the bytes at location 10004324 from 74 0B to EB 0B, where the image base of the DLL is 10001000 in this case and the DLL is unloaded.

Some code snippets or a small example of how to obtain the real virtual address of the DLL when loaded into memory and patch it afterwards in memory would be really nice.

Thanks in advance

Last edited by <|nAbOo|>; 09-09-2004 at 03:41.
#5
09-09-2004, 06:11
Neitsa

Hello,

Quote:
In my case i could bypass the CRC checks with this because they are performed on the Files itself
Damn, if I were programming a CRC check I would do it both on file and in memory! So OK, if it's done only on file, you're right, please forgive me.

As you're creating the process yourself, retrieving the DLL base is easy with this API: EnumProcessModules.

Then you can extract some information with these APIs:

-GetModuleBaseName
-GetModuleFileName
-GetModuleInformation

There's also another way: getting the PEB of the process and reading some fields from it. In fact the interesting fields for your case are located in the PEB_LDR_DATA struct, which holds information about the currently loaded modules. This is a far more complex way to retrieve the same information.

A problem comes when the DLL isn't loaded in the program and will be loaded later with a 'LoadLibrary'.

Well, one possibility:
-Hooking the LoadLibrary function of the program and then performing the above trick.

Maybe there are some other ways when the DLL is not loaded when launching the program, but I can't see them...

I'll try to code something, try also on your side.

Regards, Neitsa.
#6
09-10-2004, 09:15
Crudd[RET]
Here's an asm example of retrieving the image base without using any APIs (in case you don't want to worry about importing new functions):
hxxp://spiff.tripnet.se/~iczelion/files/kernel.zip
The GetKernalBase proc is the one you want, and main shows how it is used. If you need some help with the example, let me know. It's pretty simple though.
Crudd [RET]
#7
05-11-2005, 02:06
Sarge
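The PEB route mentioned in post #5 and the "no APIs" approach of post #6, as an added example in C that is not code from the thread or from the linked archive. The in-process loader keeps every mapped module in a circular list at PEB->Ldr->InLoadOrderModuleList; each node is an LDR_DATA_TABLE_ENTRY whose DllBase and BaseDllName fields let you find a module by name without importing anything, which is the form that suits code injected into the target and written position-independently, as nikola describes later in the thread. The struct below reproduces only the leading fields of that entry; with natural alignment it matches both the 32-bit layout (DllBase at 0x18, BaseDllName at 0x2C) and the 64-bit one (0x30, 0x58). The walker is exercised against a constructed two-entry list so it can be checked off Windows; on Windows the helper peb_ldr_in_load_order() feeds it the real list, using the PEB pointer at TEB offset 0x30 (x86) or 0x60 (x64), Ldr at PEB offset 0x0C/0x18 and the list head at PEB_LDR_DATA offset 0x0C/0x10. The module names and the base 0x3DFB0000 in the constructed list are assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Leading fields of the undocumented loader structures, enough to walk the
 * in-load-order list. The list links are the first member, so a list pointer
 * can be cast straight to the entry. */
typedef struct list_entry { struct list_entry *Flink, *Blink; } list_entry_t;
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } unicode_string_t;
typedef struct {
    list_entry_t     InLoadOrderLinks;
    list_entry_t     InMemoryOrderLinks;
    list_entry_t     InInitializationOrderLinks;
    void            *DllBase;
    void            *EntryPoint;
    uint32_t         SizeOfImage;
    unicode_string_t FullDllName;
    unicode_string_t BaseDllName;
} ldr_entry_t;

/* Case-insensitive compare of a UTF-16 BaseDllName (Length is in bytes,
 * not NUL-terminated) against an ASCII name. */
static int name_matches(const unicode_string_t *s, const char *ascii)
{
    size_t n = s->Length / 2, i;
    for (i = 0; i < n && ascii[i]; i++) {
        int c = s->Buffer[i], a = (unsigned char)ascii[i];
        if (c >= 'A' && c <= 'Z') c += 'a' - 'A';
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (c != a) return 0;
    }
    return i == n && ascii[i] == '\0';
}

/* Walk the circular list whose head is PEB_LDR_DATA.InLoadOrderModuleList and
 * return the DllBase of the module called name, or NULL. In a real process the
 * first entry is the EXE itself and the second is normally ntdll.dll. */
void *find_module_base(const list_entry_t *head, const char *name)
{
    const list_entry_t *cur;
    for (cur = head->Flink; cur != head; cur = cur->Flink) {
        const ldr_entry_t *e = (const ldr_entry_t *)cur;
        if (name_matches(&e->BaseDllName, name)) return e->DllBase;
    }
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
/* Assumed offsets (x86 / x64): PEB pointer in the TEB at 0x30 / 0x60,
 * Ldr in the PEB at 0x0C / 0x18, InLoadOrderModuleList in PEB_LDR_DATA at 0x0C / 0x10. */
static list_entry_t *peb_ldr_in_load_order(void)
{
    const int x64 = sizeof(void *) == 8;
    char *teb = (char *)NtCurrentTeb();
    char *peb = *(char **)(teb + (x64 ? 0x60 : 0x30));
    char *ldr = *(char **)(peb + (x64 ? 0x18 : 0x0C));
    return (list_entry_t *)(ldr + (x64 ? 0x10 : 0x0C));
}
#endif

/* Constructed two-entry list standing in for a real process: the EXE at its
 * usual 0x00400000 and a DLL relocated to 0x3DFB0000 (the base from post #4). */
static uint16_t exe_name[] = { 't','a','r','g','e','t','.','e','x','e' };
static uint16_t dll_name[] = { 'T','A','R','G','E','T','.','D','L','L' };
static list_entry_t fake_head;
static ldr_entry_t  fake_exe, fake_dll;

const list_entry_t *build_fake_list(void)
{
    fake_exe.DllBase = (void *)(uintptr_t)0x00400000;
    fake_exe.BaseDllName.Length = sizeof exe_name; fake_exe.BaseDllName.Buffer = exe_name;
    fake_dll.DllBase = (void *)(uintptr_t)0x3DFB0000;
    fake_dll.BaseDllName.Length = sizeof dll_name; fake_dll.BaseDllName.Buffer = dll_name;
    fake_head.Flink = &fake_exe.InLoadOrderLinks;               fake_exe.InLoadOrderLinks.Blink = &fake_head;
    fake_exe.InLoadOrderLinks.Flink = &fake_dll.InLoadOrderLinks; fake_dll.InLoadOrderLinks.Blink = &fake_exe.InLoadOrderLinks;
    fake_dll.InLoadOrderLinks.Flink = &fake_head;               fake_head.Blink = &fake_dll.InLoadOrderLinks;
    return &fake_head;
}

int main(void)
{
    const list_entry_t *head = build_fake_list();
    printf("target.dll in constructed list -> %p\n", find_module_base(head, "target.dll"));
#ifdef _WIN32
    printf("kernel32.dll in this process   -> %p\n",
           find_module_base(peb_ldr_in_load_order(), "kernel32.dll"));
#endif
    return 0;
}
```

The comparison is case-insensitive on purpose: the loader stores BaseDllName with whatever case the import table or LoadLibrary argument used, so "KERNEL32.DLL" and "kernel32.dll" both occur in practice. The offsets are stable across Windows versions but remain undocumented, which is why the helper is labelled an assumption.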
I think I have a similar question, or maybe I am just re-phrasing the previous question:

What I want to do is to ask Windows, "where is the library <whatever.dll> loaded in memory?" (I think). My intent is to, for example, compile a program on Win98, examine it with a hex editor, and see a reference call to a library function whereby the function is located at MyAddress1. Then, when I compile the same program under WinXP and view it with the hex editor, the function is located at MyAddress2. Obviously, the DLL has been relocated and the addresses within the EXE (after loading into memory) have been adjusted accordingly. Therefore, I think I want to ask the specific Windows OS (XP in this case), "where did you move the DLL to?", so I can manually change these addresses myself.

I tried using "LoadLibrary" within my program, but that just a) loads the library within the context of my program, and b) gives me the address of that load... NOT the one in Windows. What am I missing?

sarge

Last edited by Sarge; 05-11-2005 at 02:10.
#8
05-11-2005, 05:26
NeOXOeN
Maybe this will help you: http://www.woodmann.com/yates/lad.txt


bye NeO
#9
05-12-2005, 20:35
nikola
@Sarge, that is exactly why NTSC said hooking LoadLibrary would be useful. Hook the procedure, check the arguments. If the program is trying to load "mytarget.dll" then call the real LoadLibrary, and that is the image base you need. Now, also send it to the program. If it's not the one you need, then just send it to the program. You can make a new section for your code so all of it is executed in the target context, but you have to write your code in "delta offset" style, meaning relocatable in memory.

And a question from me to someone here. Maybe NTSC knows... How to gain write access to the space of a loaded DLL? E.g. user32 in Win9x? In NT we can use VirtualProtect. In Win9x there is an undocumented procedure I found in some source that looks like it was taken from yoda. It works, but I have a problem when I want to write my code relocatable. Then I need to GetProcAddress that undocumented function. That function is VxDCall4. It has no real name so I can't get it by name, and when I try to GetProcAddress by ordinal I get an error.
#10
05-12-2005, 23:21
sope2001
Hello newbie_cracker,
Quote:
Is there any short and precise method?
Try using y0da's Procs & ForceLibrary; it might help.

Regards, Sope.
#11
05-15-2005, 16:54
[NtSC]
@sarge - Just take a module snapshot, either with the Toolhelp or the PSAPI functions, and you will get the base addresses, sizes, whatever, of the modules belonging to the specified address. I think that is what you were after? You cannot "guess" or take a specific load address, since indeed the system "can" relocate a DLL somewhere else every time. Look at the code snippet I posted; it's all there..


@nikola - What you are after is a global hook under 9x. Under NT you change, or better, modify the DLL context-specifically; under 9x, if you go with the VxDCalls, you do it globally (equal to modifications with a Sys/KMD under NT). I'm sure Yates has some good code examples about it on his page, but I would prefer NT, since the process-specific modifications are easier to realize there.

Cheers
#12
05-16-2005, 00:19
nikola
@NTSC, yes, I realised that on the first Win98 crash. But I didn't think that would be a problem. I could just check the PID and, if it's my process, go on. I just wanted to know how to find the address of that VxDCall :/ The one I use when I link my loader is from a lib. But I need to be able to find it on the fly.
Thanks for the answer though.
#13
05-16-2005, 01:08
JuneMouse
Well, I saw some article on codeproject.com on Win9x API hooking. I don't have a link
right now, but you should be able to locate all articles by artemis (I think I remember right); it was titled something like "systemwide hooks on w9x".
If you can't locate it, post and I'll try to grep my bookmarks.
#14
05-17-2005, 04:07
Sarge
NTSC, Nikola:
Thanks, guys, for the support.... I think I need to study up on that, as that's a new one for me. If you don't mind, I'll go the PM route to you, so I don't tie up this thread.
Thanks
sarge
#15
05-17-2005, 16:16
[NtSC]
@ Nikola...

Maybe traverse the exports / or check the DllBase & use a hardcoded address / or even "borrow" the original function code. Well, depends on what purpose you need the code for, I guess.