#1
[C/ASM] Easy to use DLL hijacking examples
Hi, I've been working on a project where I needed to inject some code into a process via a hijacked DLL. I understand this is a pretty simple thing to do, but when I looked around, there weren't really a lot of good examples. The automatic project generators I've found also either output poor code or just don't work at all.
So instead, I wrote my own solution. It's a couple of template projects that have all the code required to be a drop-in replacement for either winmm.dll or version.dll.
https://github.com/zeffy/proxydll_template
For an example using version.dll (the project that I needed this for): https://github.com/zeffy/disablesteamlinkfilter
- The original DLL and its functions are lazy-loaded upon request using an asm springboard (x86 and x64 are both supported).
- The projects are also set up in a way where you can easily create versions of both DLLs from the same code base.
- Works well with Tsuda Kageyu's MinHook for additional hooking.
I've found that this method isn't compatible with all processes, but usually at least one of the DLLs will work. It's still a work in progress, but it works well for me. Any criticisms or suggestions are definitely welcome.
Last edited by zeffy; 07-27-2017 at 18:39. Reason: add example project
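The templates described above put a winmm.dll or version.dll look-alike next to the target executable and later load the genuine copy from the system directory to forward calls to it. From the defender's side, both steps leave traces in a process's module list. The following Python is an added example, not code from this thread or from the linked projects: it scans a constructed module list for the two signs (a watched DLL loaded from outside System32/SysWOW64, and the same base name loaded twice) and reports what it finds. The module paths, the assumed default SystemRoot and the function names are illustration-only assumptions.

```python
# Added example (not from this thread or the linked templates): flag DLLs in a process's
# module list that look like proxy copies of winmm.dll / version.dll. The module list,
# the system-directory locations and the function names are assumptions for illustration.
from collections import defaultdict
from pathlib import PureWindowsPath

# Names the thread's templates stand in for; extend this for the DLLs your software loads.
PROXIED_SYSTEM_DLLS = {"winmm.dll", "version.dll"}

# Where genuine copies live (assumes the default C:\Windows SystemRoot).
SYSTEM_DIRS = {
    str(PureWindowsPath(r"C:\Windows\System32")).lower(),
    str(PureWindowsPath(r"C:\Windows\SysWOW64")).lower(),
}

# Constructed module list for a hypothetical game process, in the style of a full-path
# module dump: the proxy sits beside the exe and has already lazy-loaded the real winmm.dll.
SAMPLE_MODULES = [
    r"C:\Games\Example\game.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\KERNEL32.DLL",
    r"C:\Games\Example\winmm.dll",
    r"C:\Windows\System32\winmm.dll",
    r"C:\Windows\System32\version.dll",
]


def loaded_from_system_dir(path):
    """Windows paths are case-insensitive, so compare lower-cased parent directories."""
    return str(path.parent).lower() in SYSTEM_DIRS


def find_hijack_candidates(module_paths):
    """Return (subject, reason) findings for two signs of a proxy DLL:
    1. a watched name loaded from outside the system directories (search-order hijack);
    2. the same base name loaded twice, which happens once a proxy loads the original
       copy from the system directory to forward calls to it."""
    findings = []
    by_name = defaultdict(list)
    for raw in module_paths:
        path = PureWindowsPath(raw)
        name = path.name.lower()
        if name not in PROXIED_SYSTEM_DLLS:
            continue
        by_name[name].append(path)
        if not loaded_from_system_dir(path):
            findings.append((str(path), f"{name} loaded from {path.parent}, not a system directory"))
    for name, paths in by_name.items():
        if len(paths) > 1:
            listed = "; ".join(str(p) for p in paths)
            findings.append((name, f"{name} loaded {len(paths)} times: {listed}"))
    return findings


if __name__ == "__main__":
    for subject, reason in find_hijack_candidates(SAMPLE_MODULES):
        print(f"[!] {subject}: {reason}")
```

On the constructed list this reports the winmm.dll copy in the game directory and the fact that winmm.dll is loaded twice; version.dll, present only in System32, is not flagged. Feed it the full-path module list of a real process (for example from a module dump of your own choosing) to apply the same check.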
#2
Looks very neat, I'll have to play around with it a bit more. Do you know how far backward compatible it is with older versions of Windows?
The Following User Says Thank You to CrackAttackz For This Useful Post:
Indigo (07-19-2019)
#3
Works fine on Windows XP SP3
__________________
UnREal RCE - Persian Crackers
#4
Thanks for showing an interest!
The only APIs it uses are LoadLibrary, GetProcAddress, GetSystemDirectory and a couple of CRT functions, so I think it should be pretty backwards compatible, though I haven't tested them on anything prior to Windows 7. Other than that, you might have to adjust the project settings to target older systems; I'm not really sure. On a side note, I've noticed the x64 versions can be a little unreliable (I have experienced inconsistent crashes using the winmm.dll proxy with a game I was reversing), which could be due to stack management issues in the assembly. But the x86 builds should be stable.
The Following User Says Thank You to zeffy For This Useful Post:
Indigo (07-19-2019)
#5
Here is another way you can make a proxy that is fairly easy and slim. Since you do not need to know the actual function prototype/parameters when exporting things that are just using direct jumps via inline asm, you can mix and abuse macros with inline asm to export things easily.
PHP Code:
PHP Code:
Note, this method as-is will have issues with exports that are by ordinal and not by name. You would have to tweak the generated names a tad to work with ords instead.
#6
Thank you for sharing your code atom0s! I used something very similar to it before I created these template projects. The reason I opted to use complete ASM instead of inline is because inline asm isn't supported by VC in x64 builds, only x86.
Additionally, calling your InitializeProxy (and thus LoadLibrary) from DllMain can cause the process to deadlock under certain conditions. For this reason, MSDN specifically advises people not to call LoadLibrary from DllMain. Although I've never seen it happen in practice, that could change in the future or in edge cases. That's why I opted to delay the loading until one of its functions is actually called. Either approach works though.
The Following User Says Thank You to zeffy For This Useful Post:
Indigo (07-19-2019)
#7
Quote:
#8
Quote:
I've actually been working on simplifying my project using macros similar to how you did (except in the assembly), which has made it much easier to maintain compared to before. I also fixed the "random" crashing bug that I referred to earlier (which was caused by stack corruption and some of the volatile registers getting mutilated by my proc resolver function). If you or anyone else is interested in taking a look, here's an example of the changes I've made: https://github.com/zeffy/proxydll_te...inmm/winmm.asm
Edit: OK I really fixed the register mutilation now... I was restoring r8 to r9 and r9 to r8 in the last commit.
Last edited by zeffy; 08-31-2017 at 10:10. Reason: really fixed now
#9
zeffy, did you try to compile 64-bit? I succeeded in compiling x86 but am stuck on x64; what did I miss?
__________________
UnREal RCE - Persian Crackers
The Following User Says Thank You to SinaDiR For This Useful Post:
Indigo (07-19-2019)
#10
I have no permission to edit my post.
The problem was that VS could not locate 'ksamd64.inc'. I solved the problem by passing the exact path of the file. Thank you
__________________
UnREal RCE - Persian Crackers
The Following User Says Thank You to SinaDiR For This Useful Post:
Indigo (07-19-2019)
#11
https://github.com/zeffy/proxydll_template latest commit to date 70b8764
An x64 DLL hijacker made using this might cause errors on some Windows flavours and build configs due to wrong stack alignment in the "PRX_EXPORT64 macro procname:req, ordinal:req" defined in each asm file, causing a #GP fault on instructions that need a 16-byte boundary (movaps). It happened some dozen chained calls away from the unaligned stack frame, in system code.
Fix, in the macro definition in each asm file: change alloc_stack 20h to alloc_stack 28h, and add rsp, 20h to add rsp, 28h.
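The reason 20h misaligns and 28h does not is the Microsoft x64 stack rule: rsp must be 16-byte aligned at every CALL, so a callee starts with rsp at 8 mod 16 (the return address was pushed), and a frame that pushes nothing else must subtract 8 mod 16 bytes (28h, 38h, ...) to restore alignment before it calls anything. As an added example, not code from this thread or from the proxydll_template project, the following Python models that arithmetic: it follows a chain of frames (stub, resolver, further callees) and reports which frames present a misaligned rsp at their own CALL, and shows why a compiler-generated callee's movaps spill faults once the chain is off by 8. The function names and the constructed rsp value are assumptions for illustration.

```python
# Added example (not from this thread or the proxydll_template project): a model of the
# Microsoft x64 calling convention's stack-alignment rule, showing why an alloc_stack of
# 20h in the export stub misaligns rsp and 28h fixes it. Function names and the
# constructed rsp value are assumptions for illustration.

RETURN_ADDRESS_SIZE = 8   # CALL pushes an 8-byte return address
HOME_SPACE = 0x20         # four register-home slots every callee may use


def rsp_on_entry(rsp_at_call):
    """rsp the callee sees at its first instruction, after CALL pushed the return address."""
    return rsp_at_call - RETURN_ADDRESS_SIZE


def rsp_after_alloc(rsp_entry, alloc):
    """rsp after the frame's alloc_stack N, which ksamd64.inc expands to 'sub rsp, N'."""
    return rsp_entry - alloc


def call_site_aligned(rsp):
    """ABI rule: rsp must be a multiple of 16 at every CALL instruction."""
    return rsp % 16 == 0


def alloc_is_valid(alloc):
    """A frame that pushes nothing else must allocate 8 mod 16 bytes (28h, 38h, ...) so
    the entry rsp (8 mod 16) is 16-aligned again, and at least the 20h home space."""
    return alloc >= HOME_SPACE and alloc % 16 == 8


def simulate_chain(rsp_at_first_call, allocs):
    """Follow a chain of calls (proxy stub -> resolver -> ...) where frame i allocates
    allocs[i] bytes and then CALLs the next one. Returns (index, alloc, aligned) per frame:
    once one frame is off by 8, every correctly written callee below it stays off by 8."""
    report = []
    rsp = rsp_at_first_call
    for i, alloc in enumerate(allocs):
        rsp = rsp_after_alloc(rsp_on_entry(rsp), alloc)
        report.append((i, alloc, call_site_aligned(rsp)))
    return report


def movaps_would_fault(rsp_entry, frame_alloc, spill_offset):
    """Compiler-generated callees spill xmm registers with movaps [rsp+offset], choosing
    offsets that are 16-aligned only when rsp at entry is 8 mod 16. Misaligned -> #GP."""
    return (rsp_entry - frame_alloc + spill_offset) % 16 != 0


if __name__ == "__main__":
    CALLER_RSP = 0x000000FE_0000_F000   # constructed: a correctly aligned call site
    for label, allocs in (("20h (original)", [0x20, 0x28, 0x48]),
                          ("28h (fixed)", [0x28, 0x28, 0x48])):
        print(label, simulate_chain(CALLER_RSP, allocs))
```

With the original 20h every frame in the chain reports a misaligned call site, which matches the observation that the fault surfaces several calls deep in system code rather than in the stub itself; with 28h the whole chain stays aligned.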
#12
Quote:
Just FYI, I haven't been maintaining these templates recently, because I switched to using __pfnDliNotifyHook2 to implement DLL proxying in my personal projects, and haven't had time to create new templates for all the DLLs supported by this project.
#13
@zeffy: can you upload your https://github.com/zeffy/proxydll_template again?
#14
Quote:
try this:
https://github.com/blaquee/proxydll_template
The Following User Says Thank You to Mahmoudnia For This Useful Post:
niculaita (08-27-2022)
#15
Quote:
alt: hxxps://www11.zippyshare.com/v/5pjAlw1a/file.html
The Following User Gave Reputation+1 to zeffy For This Useful Post:
Fyyre (09-16-2022)
The Following 6 Users Say Thank You to zeffy For This Useful Post:
besoeso (09-18-2022), FoxB (08-27-2022), Mahmoudnia (08-28-2022), MarcElBichon (08-27-2022), niculaita (08-27-2022), tonyweb (08-27-2022)