Skip to content

Injecting DLL into process on load

If you ever had the need to inject DLL into a process right before it starts executing, you should have experienced many headaches in the process.

You should have tried injecting the DLL by creating the process CREATE_SUSPENDED, and have failed miserably. There are a few reasons to this. When a process is CREATE_SUSPENDED, many process state and environment structures arent initialized yet. The process main thread is supposed to initialize them and by introducing your thread at this early stage, there are many things that can go wrong. You, or the Windows API youve called might be reading structures that doesnt exist yet. You might run into a deadlock as your thread and process main thread each trying to fight for the loader lock. But the end result is same, you cant successfully inject your DLL into the process.

There are quite a few others have came up with the solution, but I guess my workaround is much easier.

1. Create your target process CREATE_SUSPENDED.
2. Patch the process entry point with 0xEBFE (JMP $-2, infinite jump to itself). Dont forget to save the original bytes of course.
3. Resume the main thread.
4. Poll the main thread EIP and see if it reached the EP already. If not, wait for a while and poll again.
5. Inject your DLL.
6. Suspend the main thread, restore the original EP bytes, resume.

Here is a snippet from my unreleased injector.

void Inject_Loader( const DllPayload& Payload, const std::string& Path )
{
  STARTUPINFOA StartupInfo = {0};
  PROCESS_INFORMATION ProcessInformation;

  // initialize the structures
  StartupInfo.cb = sizeof(StartupInfo);

  // attempt to load the specified target
  if ( CreateProcessA(
      Path.c_str(),
      NULL,
      NULL,
      NULL,
      FALSE,
      CREATE_SUSPENDED,
      NULL,
      NULL,
      &StartupInfo,
      &ProcessInformation
    ) )
  {
    Handle hProcess( ProcessInformation.hProcess );

    // wait for the process to done
    try
    {
      // locate the entry point
      OptionalHeader optionalheader = PortableExecutable::FromFile( Path.c_str() ).NtHeaders.OptionalHeader;
      LPVOID entry = (LPVOID)(optionalheader.ImageBase + optionalheader.AddressOfEntryPoint);

      // patch the entry point with infinite loop
      PageProtect protect( hProcess, entry, 2, PAGE_EXECUTE_READWRITE );

      std::string oep = VMemory::Read( hProcess, entry, 2 );
      VMemory::Write( hProcess, entry, "\xEB\xFE" );			// JMP $-2

      // resume the main thread
      ResumeThread( ProcessInformation.hThread );

      // wait until the thread stuck at entry point
      CONTEXT context;

      for ( unsigned int i = 0; i < 50 && context.Eip != (DWORD)entry; ++i )
      {
        // patience.
        Sleep(100);

        // read the thread context
        context.ContextFlags = CONTEXT_CONTROL;
        GetThreadContext( ProcessInformation.hThread, &context );
      }
      if ( context.Eip != (DWORD)entry )
      {
        // wait timed out
        throw "entry point blockade timed out";
      }

      // inject DLL payload into remote process
      Inject_CreateRemoteThread( Payload, hProcess );

      // pause and restore original entry point
      SuspendThread( ProcessInformation.hThread );
      VMemory::Write( hProcess, entry, oep );

      // you are ready to go
      ResumeThread( ProcessInformation.hThread );
    }
    catch ( ... )
    {
      // terminate the newly spawned process
      TerminateProcess( hProcess, -1 );

      // rethrow the exception to top-level handler
      throw;
    }
  }
  else
  {
    // are you sure this is a valid target ?
    throw "unable to load the specified executable";
  }
}

I wasnt the first one to figure this out, but Matt had gone AWOL for so long I had to suspect California actually passed a law banning all WEPs. :/

[VB6] Invoke arbitary native API without Declare keyword

Many would have thought this is not possible. However, Karcrack had written a nice hack to (ab)use undocumented MSVBVM60.Zombie_AddRef to indirectly invoke his dynamically generated call stub. While his technique is pretty l33t, he overlooked one important fact: you need to mark the stub executable with VirtualProtect. While it will work fine and happy on most PC, when DEP is enabled the process will throw an access violation.

Ironically, I first came across this technique when I was reversing a malware sample.

mZombieInvoke – Native VB6 Invoke :)
http://cobein.com/wp/?p=567

Still Alive Doing Reversing

I am honestly surprised after 2 years of inactivity, this blog is still getting random hits and comments. Wipe the dust off this forgotten blog, I am not here to say goodbye. :3

Lurking deep within the jungle of IRC pipes, been lying low and reek of inactivity. Look around for a bit, I am probably the only survivor from the past scene. That makes me feel a bit lonely and demotivated I guess. Fortunately, Moose is still around, although now a pure HoN-tard and nerdy as usual. :/

Also, gotten a twitter for the lulz. I have no idea what to do with it anyway.

https://twitter.com/opcode0x90

Moved all stuff to Google Code

After some hassle I finally got my own SVN repository at Google Code. Slowly I will be migrating all my stuff there and say goodbye to free filehosting. Hopefully Google Code won’t fail me.

Also, I decided to rewrite most of my MASM source here in C++, since most of you guys aren’t assembly freak like me :P and probably C++ is much easier to code than assembly too. (Side note: C/C++ pointer is very much different from assembly and that, have seriously confused me at times. :/)

My SVN repository is available here. Feel free to look around and leave comments here.
http://code.google.com/p/opcode0x90/

MySql 5.0 Unsigned Integer Underflow

This is tested on MySql 5.0.60-r1 (gentoo portage).

mysql> system uname -a
Linux meepo 2.6.24-hardened-r3 #11 Mon Jul 28 07:31:20 MYT 2008 i686 AMD Sempron(tm) 2200+ AuthenticAMD GNU/Linux
mysql> SELECT VERSION();
+------------+
| VERSION()  |
+------------+
| 5.0.60-log |
+------------+
1 row in set (0.00 sec)

mysql> system uname -a
Linux gentoo 2.6.24-hardened-r3 #11 Mon Jul 28 07:31:20 MYT 2008 i686 AMD Sempron(tm) 2200+ AuthenticAMD GNU/Linux
mysql> SELECT CAST( -1 AS UNSIGNED );
+------------------------+
| CAST( -1 AS UNSIGNED ) |
+------------------------+
|   18446744073709551615 |
+------------------------+
1 row in set (0.00 sec)

mysql> SELECT CAST( 0 AS UNSIGNED ) - 1;
+---------------------------+
| CAST( 0 AS UNSIGNED ) - 1 |
+---------------------------+
|      18446744073709551615 |
+---------------------------+
1 row in set (0.00 sec)

mysql>

It is expected that any negative unsigned value to be “casted” to 0.

I have filed a bug report at bugs.mysql.com
http://bugs.mysql.com/bug.php?id=38512

Edit:
Its now fixed and closed. They introduced a strict mode instead of rounding the value to 0. You should upgrade your MySql now.

Speeding up Portage and Kernel Compiling

Ever get annoyed by Gentoo’s forever-lasting compiling? Here is few tricks I found that really helps when surfing through gentoo-wiki.com.

Speedup compiling using tmpfs

To speed up Portage compiling, the trick here is to mount a ramdisk at Portage temp compile directory. Everything in that directory will be placed onto RAM instead of going to disk, therefore greatly improves speed.

This is the time needed to compile xorg-server.

Before:

real    9m18.899s
user    9m49.958s
sys    4m18.195s

After:

real    6m48.731s
user    5m9.471s
sys    4m6.079s

Impressive eh? ;) Its a 33% speed up. Since everything is placed in RAM, when compiling very large package (namely openoffice) you might get this message.

IOError: [Errno 28] No space left on device

It means we have ran out of space for ramdisk. Unmount the ramdisk and proceed with emerge.

gentoo ~ # umount /var/tmp/portage/
gentoo ~ # emerge something
Calculating dependencies -
...
gentoo ~ # mount /var/tmp/portage/

Next, we can speed up kernel compiling by using ccache. Since most of the time kernel is compiled with minor changes, ccache would speed up the process dramatically by “re-using” files that are already compiled. Its quite troublesome to make CC=”ccache gcc” -j3 everytime you want to compile the kernel, we can write up a script that simplifies the process.

File: /sbin/compile-kernel

cd /usr/src/linux

mount /boot
make clean

make CC="ccache gcc" -j3 && \  # -jN for parallel compiling (follow N = number of core + 1)
make modules_install && \
make install && \              # this will install kernel to default /boot/vmlinuz symlink
module-rebuild rebuild && \    # / You might want to comment out these two lines if
update-modules                 # \ you dont have module-rebuild installed.

make clean
umount /boot

cd $OLDPWD

As root, chmod u+x /sbin/compile-kernel to make it executable. Edit the script if necessary. To (re)compile kernel, just issue compile-kernel to do so.

Enjoy the blazing fast compiling. :)


Further reading:
Using ccache

Installing Gentoo on Dell Inspiron 1420

Note: This post is depreciated as the things had changed quite a lot since then. You can find the updated info from gentoo-wiki.com here.

Read more…

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: