EXETOOLS FORUM  

#1
zeffy, 07-27-2017, 05:40
[C/ASM] Easy-to-use DLL hijacking examples

Hi, I've been working on a project where I needed to inject some code into a process via a hijacked DLL. I understand this is a pretty simple thing to do, but when I looked around, there weren't really a lot of good examples. The automatic project generators I've found also either output poor code or just don't work at all.

So instead, I wrote my own solution. It's a couple of template projects that have all the code required for being a drop-in replacement for either winmm.dll or version.dll.

https://github.com/zeffy/proxydll_template

For an example using version.dll (the project that I needed this for): https://github.com/zeffy/disablesteamlinkfilter

- The original DLL and its functions are lazy-loaded upon request using an asm springboard (x86 and x64 are both supported).
- The projects are also set up in a way where you can easily create versions of both dlls for the same code base.
- Works well with Tsuda Kageyu's minhook for additional hooking.

I've found that this method isn't compatible with all processes, but usually at least one of the DLLs will work.

It's still a work in progress, but it works well for me. Any criticisms or suggestions are definitely welcome.

Last edited by zeffy; 07-27-2017 at 18:39. Reason: add example project
#2
CrackAttackz, 08-21-2017, 09:45
Looks very neat, I'll have to play around with it a bit more. Do you know how far backward compatible it is with older versions of Windows?
#3
zeffy, 08-21-2017, 10:56
Thanks for showing an interest!

The only APIs it uses are LoadLibrary, GetProcAddress, GetSystemDirectory and a couple of CRT functions, so I think it should be pretty backwards compatible, though I haven't tested them on anything prior to Windows 7. Other than that, you might have to adjust the project settings to target older systems, I'm not really sure.

On a side note, I've noticed the x64 versions can be a little unreliable (I've experienced inconsistent crashes using the winmm.dll proxy with a game I was reversing), which could be due to stack management issues in the assembly. But the x86 builds should be stable.
#4
SinaDiR, 08-21-2017, 16:23
Quote (Originally Posted by CrackAttackz):
Looks very neat, I'll have to play around with it a bit more. Do you know how far backward compatible it is with older versions of Windows?

Works fine on Windows XP SP3.
#5
atom0s, 08-21-2017, 16:58
Here is another way to make a proxy that is fairly easy and slim. Since you do not need to know the actual function prototype/parameters when the exports are just direct jumps via inline asm, you can mix and abuse macros with inline asm to export things easily.

Code:
#include <Windows.h>

HMODULE g_ModuleHandle = nullptr;       // This proxy's module handle.
HMODULE g_RealModuleHandle = nullptr;   // The real module's handle being proxied.

/**
 * Obtains the original export from the real module.
 * Returns TRUE only if the export was found.
 */
BOOL APIENTRY GetRealExport(const char* name, FARPROC* out)
{
    // Ensure the real module is loaded..
    if (g_RealModuleHandle == nullptr)
        return FALSE;

    // Todo: Add any type of function caching if you want here..

    // Obtain the real export function..
    *out = ::GetProcAddress(g_RealModuleHandle, name);
    return (*out != nullptr);
}

/**
 * Generates an export function wrapper for the given exported function by name.
 *
 * The stub is naked, so there is no prologue: the caller's arguments are still
 * untouched on the stack when it tail-jumps into the real export. The call to
 * GetRealExport clobbers EAX/ECX/EDX, which is fine for __stdcall/__cdecl exports
 * but not for __fastcall ones. Inline asm is x86 only (MSVC has none on x64).
 */
#define EXPORTORIG(n)                               \
    FARPROC orig_##n = nullptr;                     \
    __declspec(naked) void __stdcall real_##n() {   \
        GetRealExport(#n, &orig_##n);               \
        __asm { jmp orig_##n }                      \
    }

EXPORTORIG(Direct3DCreate9);

/**
 * Initialize the proxy for use.
 */
BOOL APIENTRY InitializeProxy(HINSTANCE hinstDLL)
{
    // Store the module's handle..
    g_ModuleHandle = hinstDLL;

    // Build the path to the original module (the system copy, so the proxy never loads itself)..
    char path[MAX_PATH] = { };
    ::GetSystemDirectoryA(path, MAX_PATH);
    strcat_s(path, "\\d3d9.dll");

    // Load the original module..
    g_RealModuleHandle = ::LoadLibraryA(path);
    if (g_RealModuleHandle == nullptr)
        return FALSE;

    return TRUE;
}

/**
 * Entry point.
 */
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        ::DisableThreadLibraryCalls(hinstDLL);
        return InitializeProxy(hinstDLL);
    }
    return TRUE;
}
And in the .def file:

Code:
LIBRARY
EXPORTS
    Direct3DCreate9 = real_Direct3DCreate9
Being that a macro does the dirty work/heavy lifting, you can easily create a template/skeleton project that auto-generates the entire proxy DLL like this, just by having it read the original exports from the target file and generating the rest.

Note, this method as-is will have issues with exports that are by ordinal and not by name. You would have to tweak the generated names a tad to work with ordinals instead.
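A generator of the kind atom0s describes, as an added example that is not part of the original post or of either project: it walks a PE export directory and emits the .def EXPORTS lines plus the EXPORTORIG() invocations, keeping each export's original ordinal, emitting NONAME entries for ordinal-only exports (the caveat above) and letting the linker forward forwarded exports. The sample PE32+ image (fake.dll, its export names, the EXPORTORIG_ORD macro name and the real_/ord_ naming) is constructed inline for illustration and is assumed; the parser is plain C99, so it builds on any platform.

```c
/* proxy_gen.c: read a DLL's export directory and emit the .def EXPORTS lines and
 * EXPORTORIG() invocations for a proxy DLL, preserving the original ordinals.
 * Portable C99, no windows.h. build_sample_pe() constructs a synthetic image. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, unsigned v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

static void emit(char *out, size_t cap, size_t *n, const char *fmt, ...)
{
    va_list ap; va_start(ap, fmt);
    if (*n < cap) { int w = vsnprintf(out + *n, cap - *n, fmt, ap); *n += w > 0 ? (size_t)w : 0; }
    va_end(ap);
}

/* RVA -> file offset via the section table; 0 (never valid export data) on failure. */
static uint32_t rva_to_off(const uint8_t *img, size_t len, uint32_t rva)
{
    const uint8_t *fh = img + rd32(img + 0x3c) + 4;                     /* IMAGE_FILE_HEADER */
    const uint8_t *sec = fh + 20 + rd16(fh + 16);                       /* first section header */
    for (unsigned i = 0; i < rd16(fh + 2) && (size_t)(sec - img) + 40 <= len; i++, sec += 40) {
        uint32_t vsz = rd32(sec + 8), va = rd32(sec + 12), rsz = rd32(sec + 16), raw = rd32(sec + 20);
        if (rva >= va && rva < va + (vsz > rsz ? vsz : rsz) && rva - va + raw < len) return rva - va + raw;
    }
    return 0;
}

/* NUL-terminated string at an RVA, or NULL if unmapped or running off the image. */
static const char *str_at(const uint8_t *img, size_t len, uint32_t rva)
{
    uint32_t off = rva_to_off(img, len, rva);
    return off && memchr(img + off, 0, len - off) ? (const char *)img + off : NULL;
}

/* Write the .def text followed by the macro lines into out. Returns the export count or -1. */
int gen_proxy_def(const uint8_t *img, size_t len, char *out, size_t cap)
{
    if (len < 0x40 || rd16(img) != 0x5a4d) return -1;                    /* "MZ" */
    uint32_t nt = rd32(img + 0x3c);
    if (nt + 26 > len || rd32(img + nt) != 0x4550) return -1;             /* "PE\0\0" */
    const uint8_t *opt = img + nt + 24;
    uint32_t dd = rd16(opt) == 0x20b ? 112 : 96;                          /* DataDirectory[0]: PE32+ / PE32 */
    if (nt + 24 + dd + 8 > len) return -1;
    uint32_t exp_rva = rd32(opt + dd), exp_size = rd32(opt + dd + 4), e = rva_to_off(img, len, exp_rva);
    if (!e || e + 40 > len) return -1;
    uint32_t base = rd32(img + e + 16), nfunc = rd32(img + e + 20), nname = rd32(img + e + 24);
    uint32_t funcs = rva_to_off(img, len, rd32(img + e + 28)), names = rva_to_off(img, len, rd32(img + e + 32));
    uint32_t ords = rva_to_off(img, len, rd32(img + e + 36));
    if (!funcs || !names || !ords) return -1;
    char macros[1024] = "", nm[64]; size_t n = 0, m = 0; int count = 0;
    emit(out, cap, &n, "LIBRARY\nEXPORTS\n");
    for (uint32_t i = 0; i < nfunc && funcs + i * 4 + 4 <= len; i++) {
        uint32_t rva = rd32(img + funcs + i * 4), ord = base + i;
        if (rva == 0) continue;                                           /* unused slot in the ordinal range */
        const char *name = NULL;                                          /* name table entry pointing at slot i */
        for (uint32_t j = 0; j < nname && ords + j * 2 + 2 <= len && names + j * 4 + 4 <= len; j++)
            if (rd16(img + ords + j * 2) == i) { name = str_at(img, len, rd32(img + names + j * 4)); break; }
        if (name) snprintf(nm, sizeof nm, "%s", name); else snprintf(nm, sizeof nm, "ord_%u", (unsigned)ord);
        if (rva >= exp_rva && rva < exp_rva + exp_size) {
            /* Forwarder: slot points at a "MODULE.Symbol" string inside the export directory; the linker forwards it, no stub. */
            const char *target = str_at(img, len, rva);
            if (!target) return -1;
            emit(out, cap, &n, "    %s = %s @%u%s\n", nm, target, (unsigned)ord, name ? "" : " NONAME");
        } else if (name) {
            emit(out, cap, &n, "    %s = real_%s @%u\n", nm, nm, (unsigned)ord);
            emit(macros, sizeof macros, &m, "EXPORTORIG(%s)\n", nm);
        } else {
            /* Ordinal-only export: exported by ordinal with NONAME; the stub must resolve it with GetProcAddress(h, (LPCSTR)(UINT_PTR)ord). */
            emit(out, cap, &n, "    %s = real_%s @%u NONAME\n", nm, nm, (unsigned)ord);
            emit(macros, sizeof macros, &m, "EXPORTORIG_ORD(%u)\n", (unsigned)ord);
        }
        count++;
    }
    emit(out, cap, &n, "\n%s", macros);
    return count;
}

/* Synthetic PE32+ image (constructed test data, not a real DLL) with one .edata section:
 * ordinal 1 "Direct3DCreate9", ordinal 2 with no name, ordinal 3 unused, ordinal 4 a forwarder. */
size_t build_sample_pe(uint8_t *img, size_t cap)
{
    if (cap < 1024) return 0;
    memset(img, 0, 1024);
    wr16(img, 0x5a4d); wr32(img + 0x3c, 0x40); wr32(img + 0x40, 0x4550);   /* MZ, e_lfanew, PE\0\0 */
    wr16(img + 0x44, 0x8664); wr16(img + 0x46, 1); wr16(img + 0x54, 128);  /* x64, 1 section, opt hdr size */
    uint8_t *opt = img + 0x58, *sec = opt + 128, *e = img + 0x200;
    wr16(opt, 0x20b); wr32(opt + 112, 0x1000); wr32(opt + 116, 0x100);     /* PE32+, export dir RVA/size */
    memcpy(sec, ".edata", 6);
    wr32(sec + 8, 0x200); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x200);
    wr32(e + 12, 0x1080); wr32(e + 16, 1); wr32(e + 20, 4); wr32(e + 24, 2); /* Name, Base, #funcs, #names */
    wr32(e + 28, 0x1028); wr32(e + 32, 0x1038); wr32(e + 36, 0x1040);      /* function/name/ordinal tables */
    wr32(e + 0x28, 0x2000); wr32(e + 0x2c, 0x2010); wr32(e + 0x30, 0); wr32(e + 0x34, 0x10a0);
    wr32(e + 0x38, 0x1090); wr32(e + 0x3c, 0x10b0); wr16(e + 0x40, 0); wr16(e + 0x42, 3);
    strcpy((char *)e + 0x80, "fake.dll"); strcpy((char *)e + 0x90, "Direct3DCreate9");
    strcpy((char *)e + 0xa0, "OTHER.Target"); strcpy((char *)e + 0xb0, "ForwardedThing");
    return 1024;
}

/* Run the generator over the synthetic image; returns the generated text or NULL. */
const char *sample_proxy_def(void)
{
    static uint8_t img[1024];
    static char out[2048];
    size_t len = build_sample_pe(img, sizeof img);
    return len && gen_proxy_def(img, len, out, sizeof out) > 0 ? out : NULL;
}

int main(void) { const char *t = sample_proxy_def(); return t ? (fputs(t, stdout), 0) : 1; }
```

Built with any C99 compiler, the program prints the .def file and the macro lines for the synthetic image; to generate for a real target, read the DLL into memory and pass it to gen_proxy_def(). The EXPORTORIG_ORD(n) stub that the macro line expects is an assumed companion to atom0s's EXPORTORIG: it differs only in resolving the export through GetProcAddress with (LPCSTR)(UINT_PTR)n, since an ordinal-only export has no name to look up. Keeping the original ordinals in the .def matters for the same reason: a client that imports by ordinal must find the same numbers in the proxy.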
#6
zeffy, 08-21-2017, 17:30
Thank you for sharing your code atom0s! I've used something very similar to it before I created these template projects. The reason I opted to use complete ASM instead of inline is because it isn't supported by VC in x64 builds, only x86.

Additionally, calling your InitializeProxy (and thus LoadLibrary) from DllMain can cause the process to deadlock under certain conditions. For this reason, MSDN specifically advises against calling LoadLibrary from DllMain. Although I've never seen it happen in practice, that could change in the future or in edge cases. That's why I opted to delay the loading until one of its functions is actually called. Either approach works though.
#7
atom0s, 08-21-2017, 17:34
Quote (Originally Posted by zeffy):
Thank you for sharing your code atom0s! I've used something very similar to it before I created these template projects. The reason I opted to use complete ASM instead of inline is because it isn't supported by VC in x64 builds, only x86.

Additionally, calling your InitializeProxy (and thus LoadLibrary) from DllMain can cause the process to deadlock under certain conditions. For this reason, MSDN specifically advises against calling LoadLibrary from DllMain. Although I've never seen it happen in practice, that could change in the future or in edge cases. That's why I opted to delay the loading until one of its functions is actually called. Either approach works though.
I generally do the same with late loading, usually via exporting an 'Install' function from the main hook and using a loader to invoke it. The example above was just a quick throw-together to show off the macro method of making a fast proxy.
#8
zeffy, 08-23-2017, 15:46
Quote (Originally Posted by atom0s):
I generally do the same with late loading, usually via exporting an 'Install' function from the main hook and using a loader to invoke it. The example above was just a quick throw-together to show off the macro method of making a fast proxy.
That's a neat idea about exporting an 'Install' function!

I've actually been working on simplifying my project using macros similar to how you did (except in the assembly), which has made it much easier to maintain compared to before. I also fixed the "random" crashing bug that I referred to earlier (which was caused by stack corruption and some of the volatile registers getting mutilated by my proc resolver function). If you or anyone else is interested in taking a look, here's an example of the changes I've made:
https://github.com/zeffy/proxydll_te...inmm/winmm.asm

Edit: OK I really fixed the register mutilation now... I was restoring r8 to r9 and r9 to r8 in the last commit.

Last edited by zeffy; 08-31-2017 at 10:10. Reason: really fixed now
Tags: dll, hijacking