
    DLL Injection Possible

    Hi,

    first of all sorry guys for posting this without any comment on it (It was 1 AM and i wanted to share).

    The DLL gets injected to the parent process of FW and executed. Funny is (i am guessing here, but i guess it's true) FW hooks LoadLibraryA and loads all libraries that were loaded there on the ChildProcess too. If your DLL MessageBoxA(0, "Attach", "Attach", MB_OK); on Attach and MessageBoxA(0, "Detach", "Detach", MB_OK); on Detach, you will see an Attach MessageBox from the parent thread and an Attach MessageBox from the child thread. Directly after that the Parent Thread Detaches. Now we can pretty much do whatever we want to and develop it in C/C++. What else do we need . I recommend to first restore DbgUiRemoteBreakin so you can debug (Thanks to Dwar for this, a lot of games use this technique https://progamercity.net/fw-hacks/13...rotection.html). So you can attach a Debugger and have full access to the Games Memory. After this hooking into PackageSend and writing infos to a logfile or something like this would be nice. I wanted to do this this weekend, sorry i had no time. But at least i gave you something :

    // DLL Injection Method1.cpp : Definiert den Einstiegspunkt für die Konsolenanwendung.
    //

    #include "stdafx.h"
    #include <Windows.h>

    // Builds a 22-byte x86 (32-bit) stub that calls LoadLibraryA(str) and then
    // continues at ret, saving and restoring flags and general registers around
    // the call (pushfd/pushad ... popad/popfd).
    //
    // NOTE(review): this listing is whitespace-mangled by the forum paste
    // (commas and operators between tokens were dropped), so it is not
    // compilable as shown; the comments describe the intent read from it.
    //
    // Params:  ret           - address the stub returns to (the saved EIP)
    //          str           - address of the DLL-path string in the target
    //          shellcode     - receives a malloc'd buffer; caller owns it and
    //                          must free it (the caller below never does)
    //          shellcodeSize - receives the byte count, always 22
    // 32-bit only: addresses are squeezed through int and 4-byte immediates.
    void createShellcode(int retint strunsigned char** shellcodeintshellcodeSize)
    {
        
    // Byte views of the two 32-bit values, spliced little-endian into the stub.
    unsigned charretChar = (unsigned char*) &ret;
        
    unsigned charstrChar = (unsigned char*) &str;
        
    // Resolved in THIS process; presumably assumes kernel32.dll is mapped at the
    // same base in the target process — not checked anywhere here.
    int api = (int) GetProcAddress(LoadLibraryA("kernel32.dll"), "LoadLibraryA");
        
    unsigned charapiChar = (unsigned char*) &api;
        
    // Opcode bytes, 22 in total (5+1+1+5+5+2+1+1+1).
    unsigned char sc[] = {
            
    // push imm32: ret (consumed by the final ret below)
            
    0x68retChar[0], retChar[1], retChar[2], retChar[3],
            
    // pushfd
            
    0x9C,
            
    // pushad
            
    0x60,
            
    // push imm32: str (the single stdcall argument to LoadLibraryA)
            
    0x68strChar[0], strChar[1], strChar[2], strChar[3],
            
    // mov eax, imm32: resolved LoadLibraryA address
            
    0xB8apiChar[0], apiChar[1], apiChar[2], apiChar[3],
            
    // call eax  (stdcall callee pops its own argument)
            
    0xFF0xD0,
            
    // popad
            
    0x61,
            
    // popfd
            
    0x9D,
            
    // ret  (pops the ret value pushed first)
            
    0xC3
        
    };

        *
    shellcodeSize 22;
        *
    // Hard-coded 22 must stay in sync with sizeof sc; nothing enforces it.
    shellcode = (unsigned char*) malloc(22);
        
    memcpy(*shellcodesc22);
    }

    // Entry point: spawns "game.exe" suspended, writes a DLL path and the stub from
    // createShellcode into it, points the main thread's EIP at the stub and resumes.
    //
    // NOTE(review): whitespace-mangled listing (commas/operators dropped by the
    // forum paste); the closing brace of this function is also absent from the
    // post. Comments describe intent as read from the tokens.
    //
    // From a monitoring standpoint the observable sequence is: child created
    // CREATE_SUSPENDED -> cross-process VirtualAllocEx with PAGE_EXECUTE_READWRITE
    // -> WriteProcessMemory -> SetThreadContext on the child's primary thread
    // -> ResumeThread. No return value of any of these calls is checked.
    int _tmain(int argccharargv[])
    {
        
    // Path to the DLL, which you want to inject (copied into the target as-is,
    // terminator included, see strlen(dllPath)+1 below)
        
    char dllPath[] = "C:\\DLLInjectionTest.dll";

        
    // Filled by createShellcode; malloc'd there and never freed here (leak,
    // harmless for a one-shot tool but worth noting)
    unsigned charshellcode;
        
    int shellcodeLen;

        
    LPVOID remote_dllStringPtr;
        
    LPVOID remote_shellcodePtr;

        
    CONTEXT ctx;

        
    // Create Process SUSPENDED
        
    PROCESS_INFORMATION pi;
        
    STARTUPINFOA Startup;
        
    ZeroMemory(&Startupsizeof(Startup));
        
    ZeroMemory(&pisizeof(pi));
        
    // Relative path: "game.exe" is resolved from the current directory.
    CreateProcessA("game.exe"NULLNULLNULLNULLCREATE_SUSPENDEDNULLNULL, &Startup, &pi);

        
    // Let the child initialise for one second, then freeze it again; the delay
    // is arbitrary and nothing verifies what state the thread is in afterwards.
    ResumeThread(pi.hThread);
        
    Sleep(1000);
        
    SuspendThread(pi.hThread);

        
    printf("Allocating Remote Memory For DLL Path\n");
        
    remote_dllStringPtr VirtualAllocEx(pi.hProcessNULLstrlen(dllPath)+1MEM_COMMITPAGE_READWRITE);
        
    // %X expects unsigned int; passing an LPVOID is a format/argument mismatch
    // (same below for the other pointer prints).
    printf("DLL Adress: %X\n"remote_dllStringPtr);

        
    printf("Get EIP\n");
        
    // CONTEXT_CONTROL: only the control registers (which include Eip) are
    // fetched and later written back.
    ctx.ContextFlags CONTEXT_CONTROL;
        
    GetThreadContext(pi.hThread, &ctx);
        
    printf("EIP: %X\n"ctx.Eip);

        
    printf("Build Shellcode\n");
        
    // Stub returns to the saved Eip; the DLL-path string address is baked in.
    createShellcode(ctx.Eip, (int) remote_dllStringPtr, &shellcode, &shellcodeLen);

        
    printf ("Created Shellcode: \n");
        for(
    int i=0i<shellcodeLeni++)
            
    printf ("%X "shellcode[i]);
        
    printf("\n");

        
    printf("Allocating Remote Memory For Shellcode\n");
        
    // RWX allocation in another process: the single most visible step here.
    remote_shellcodePtr VirtualAllocEx(pi.hProcessNULLshellcodeLenMEM_COMMITPAGE_EXECUTE_READWRITE);
        
    printf("Shellcode Adress: %X\n"remote_shellcodePtr);

        
    printf("Write DLL Path To Remote Process\n");
        
    WriteProcessMemory(pi.hProcessremote_dllStringPtrdllPathstrlen(dllPath)+1NULL);

        
    printf("Write Shellcode To Remote Process\n");
        
    WriteProcessMemory(pi.hProcessremote_shellcodePtrshellcodeshellcodeLenNULL);

        
    printf("Set EIP\n");
        
    // Redirects the suspended thread into the stub; SetThreadContext on a
    // thread of another process is the thread-hijack signal a defender keys on.
    ctx.Eip = (DWORD)remote_shellcodePtr;
        
    ctx.ContextFlags CONTEXT_CONTROL;
        
    SetThreadContext(pi.hThread, &ctx);
        
        
    printf("Run The Shellcode\n");
        
    ResumeThread(pi.hThread);

        
    printf("Wait Till Code Was Executed\n");
        
    // 80 s fixed wait stands in for real synchronisation: there is no signal
    // that the stub has finished before the memory is released below.
    Sleep(80000);

        
    printf("Free Remote Resources\n");
        
    // MEM_DECOMMIT with a byte size rather than MEM_RELEASE with 0; the regions
    // stay reserved in the child.
    VirtualFreeEx(pi.hProcessremote_dllStringPtrstrlen(dllPath)+1MEM_DECOMMIT);
        
    VirtualFreeEx(pi.hProcessremote_shellcodePtrshellcodeLenMEM_DECOMMIT);
        
    // pi.hProcess / pi.hThread are never closed; the function's closing brace
    // is missing from the listing.
        return 
    0;

    source: Reverse Engineering Win32 Part 5 “DLL Injection Method 1 (In my opinion the Best)” | KDSBest
    Last edited by Abstract; 2011-05-08 at 10:25 AM.
