Injecting DLL into process on load
If you have ever needed to inject a DLL into a process right before it starts executing, you will have experienced many headaches in the process.
You will probably have tried injecting the DLL by creating the process with CREATE_SUSPENDED, and failed miserably. There are a few reasons for this. When a process is created CREATE_SUSPENDED, many process state and environment structures aren't initialized yet. The process's main thread is supposed to initialize them, and by introducing your own thread at this early stage there are many things that can go wrong. You, or the Windows API you've called, might be reading structures that don't exist yet. You might run into a deadlock as your thread and the process's main thread each fight for the loader lock. Whatever the cause, the end result is the same: you can't successfully inject your DLL into the process.
Quite a few others have come up with solutions, but I think my workaround is much easier.
1. Create your target process CREATE_SUSPENDED.
2. Patch the process entry point with 0xEBFE (JMP $-2, an infinite jump to itself). Don't forget to save the original bytes, of course.
3. Resume the main thread.
4. Poll the main thread's EIP and check whether it has reached the EP yet. If not, wait for a while and poll again.
5. Inject your DLL.
6. Suspend the main thread, restore the original EP bytes, resume.
Here is a snippet from my unreleased injector.
    // Handle, PageProtect, VMemory and PortableExecutable are the injector's own
    // RAII / helper wrappers around the Win32 API and are not shown here.
    void Inject_Loader( const DllPayload& Payload, const std::string& Path )
    {
        STARTUPINFOA StartupInfo = {0};
        PROCESS_INFORMATION ProcessInformation;
        // initialize the structures
        StartupInfo.cb = sizeof(StartupInfo);
        // attempt to load the specified target
        if ( CreateProcessA(
                Path.c_str(),
                NULL,
                NULL,
                NULL,
                FALSE,
                CREATE_SUSPENDED,
                NULL,
                NULL,
                &StartupInfo,
                &ProcessInformation
            ) )
        {
            Handle hProcess( ProcessInformation.hProcess );
            // wait for the process to be done
            try
            {
                // locate the entry point
                OptionalHeader optionalheader = PortableExecutable::FromFile( Path.c_str() ).NtHeaders.OptionalHeader;
                LPVOID entry = (LPVOID)(optionalheader.ImageBase + optionalheader.AddressOfEntryPoint);
                // patch the entry point with infinite loop
                PageProtect protect( hProcess, entry, 2, PAGE_EXECUTE_READWRITE );
                std::string oep = VMemory::Read( hProcess, entry, 2 );
                VMemory::Write( hProcess, entry, "\xEB\xFE" ); // JMP $-2
                // resume the main thread
                ResumeThread( ProcessInformation.hThread );
                // wait until the thread is stuck at the entry point
                // (Eip is zeroed so the first loop check does not read an uninitialized field)
                CONTEXT context = {0};
                for ( unsigned int i = 0; i < 50 && context.Eip != (DWORD)entry; ++i )
                {
                    // patience.
                    Sleep(100);
                    // read the thread context
                    context.ContextFlags = CONTEXT_CONTROL;
                    GetThreadContext( ProcessInformation.hThread, &context );
                }
                if ( context.Eip != (DWORD)entry )
                {
                    // wait timed out
                    throw "entry point blockade timed out";
                }
                // inject DLL payload into remote process
                Inject_CreateRemoteThread( Payload, hProcess );
                // pause and restore original entry point
                SuspendThread( ProcessInformation.hThread );
                VMemory::Write( hProcess, entry, oep );
                // you are ready to go
                ResumeThread( ProcessInformation.hThread );
            }
            catch ( ... )
            {
                // terminate the newly spawned process
                TerminateProcess( hProcess, -1 );
                // rethrow the exception to top-level handler
                throw;
            }
        }
        else
        {
            // are you sure this is a valid target ?
            throw "unable to load the specified executable";
        }
    }
I wasn't the first one to figure this out, but Matt had gone AWOL for so long I had to suspect California actually passed a law banning all WEPs. :/
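Seen from the other side, the trick leaves an easily recognisable state behind: for the whole injection window the first two bytes at the process's entry point are EB FE, and the entry page has been made writable. The C below is an added example, not the injector's code and using none of its wrappers. It parses the PE32 headers of a mapped image the way the snippet's PortableExecutable class must (e_lfanew, the PE signature, the optional header), computes the entry point as ImageBase + AddressOfEntryPoint, and reports whether that location currently holds the JMP $-2. The input is a constructed minimal PE32 image built in memory by the hypothetical helper build_image; in practice the same bytes would come from the target's headers and entry page as read with ReadProcessMemory, where RVAs are offsets from the module base.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard PE32 layout constants from the PE/COFF specification. */
#define DOS_E_MAGIC          0x5A4D      /* "MZ" */
#define DOS_E_LFANEW         0x3C        /* offset of the pointer to the NT headers */
#define PE_SIGNATURE         0x00004550u /* "PE\0\0" read as a little-endian uint32 */
#define FILE_HEADER_SIZE     20
#define OPT_MAGIC_PE32       0x10B
#define OPT_ENTRY_OFFSET     16          /* AddressOfEntryPoint within the optional header */
#define OPT_IMAGEBASE_OFFSET 28          /* ImageBase within the PE32 optional header */
#define IMG_SIZE             0x400       /* size of the constructed sample image */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate the PE32 optional header inside a mapped image of len bytes.
 * Every header field is bounds-checked before it is read; NULL means malformed. */
static const uint8_t *opt_header(const uint8_t *img, size_t len) {
    if (len < DOS_E_LFANEW + 4 || rd16(img) != DOS_E_MAGIC) return NULL;
    uint32_t nt = rd32(img + DOS_E_LFANEW);
    size_t need = 4 + FILE_HEADER_SIZE + OPT_IMAGEBASE_OFFSET + 4; /* up to and including ImageBase */
    if (nt > len || len - nt < need) return NULL;
    if (rd32(img + nt) != PE_SIGNATURE) return NULL;
    const uint8_t *opt = img + nt + 4 + FILE_HEADER_SIZE;
    return rd16(opt) == OPT_MAGIC_PE32 ? opt : NULL;
}

/* Entry point RVA, or 0 when the headers cannot be parsed. */
uint32_t pe32_entry_rva(const uint8_t *img, size_t len) {
    const uint8_t *opt = opt_header(img, len);
    return opt ? rd32(opt + OPT_ENTRY_OFFSET) : 0;
}

/* Preferred virtual address of the entry point (ImageBase + RVA), as the post computes it.
 * Only matches the live process if the image was loaded at its preferred base. */
uint32_t pe32_entry_va(const uint8_t *img, size_t len) {
    const uint8_t *opt = opt_header(img, len);
    return opt ? rd32(opt + OPT_IMAGEBASE_OFFSET) + rd32(opt + OPT_ENTRY_OFFSET) : 0;
}

/* 1 if the entry point currently holds EB FE (JMP $-2), i.e. the main thread is parked there. */
int entry_is_self_jump(const uint8_t *img, size_t len) {
    uint32_t ep = pe32_entry_rva(img, len);
    if (ep == 0 || (size_t)ep + 2 > len) return 0;
    return img[ep] == 0xEB && img[ep + 1] == 0xFE;
}

/* Constructed sample (hypothetical helper): a minimal mapped PE32 image with one section
 * header slot and an entry point at RVA 0x200 holding either the self-jump or a normal prologue. */
size_t build_image(uint8_t *img, int parked) {
    const uint32_t nt = 0x80, ep = 0x200;
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + DOS_E_LFANEW, nt);
    wr32(img + nt, PE_SIGNATURE);
    wr16(img + nt + 4, 0x14C);              /* Machine = IMAGE_FILE_MACHINE_I386 */
    wr16(img + nt + 6, 1);                  /* NumberOfSections */
    wr16(img + nt + 4 + 16, 0xE0);          /* SizeOfOptionalHeader for PE32 */
    uint8_t *opt = img + nt + 4 + FILE_HEADER_SIZE;
    wr16(opt, OPT_MAGIC_PE32);
    wr32(opt + OPT_ENTRY_OFFSET, ep);
    wr32(opt + OPT_IMAGEBASE_OFFSET, 0x00400000);
    if (parked) { img[ep] = 0xEB; img[ep + 1] = 0xFE; }            /* jmp $-2 */
    else        { img[ep] = 0x55; img[ep + 1] = 0x8B; img[ep + 2] = 0xEC; } /* push ebp; mov ebp,esp */
    return IMG_SIZE;
}

int main(void) {
    static uint8_t img[IMG_SIZE];
    build_image(img, 1);
    printf("parked image: entry VA 0x%08x, self-jump=%d\n",
           pe32_entry_va(img, IMG_SIZE), entry_is_self_jump(img, IMG_SIZE));
    build_image(img, 0);
    printf("normal image: entry VA 0x%08x, self-jump=%d\n",
           pe32_entry_va(img, IMG_SIZE), entry_is_self_jump(img, IMG_SIZE));
    return 0;
}
```

Two caveats carry over to the post's snippet as well: the ImageBase taken from the file only equals the load address when the image was not relocated, and the context check reads the 32-bit Eip field, so the whole approach as written is x86-only.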
[VB6] Invoke arbitary native API without Declare keyword
Many would have thought this is not possible. However, Karcrack has written a nice hack that (ab)uses the undocumented MSVBVM60.Zombie_AddRef to indirectly invoke his dynamically generated call stub. While his technique is pretty l33t, he overlooked one important fact: you need to mark the stub executable with VirtualProtect. It will work fine and happy on most PCs, but when DEP is enabled the process will throw an access violation.
Ironically, I first came across this technique when I was reversing a malware sample.
mZombieInvoke – Native VB6 Invoke
http://cobein.com/wp/?p=567
Still Alive Doing Reversing
I am honestly surprised that after 2 years of inactivity this blog is still getting random hits and comments. Wiping the dust off this forgotten blog, I am not here to say goodbye. :3
Lurking deep within the jungle of IRC pipes, I've been lying low and reek of inactivity. Looking around for a bit, I am probably the only survivor from the past scene. That makes me feel a bit lonely and demotivated, I guess. Fortunately, Moose is still around, although now a pure HoN-tard and nerdy as usual. :/
Also, I've gotten a twitter for the lulz. I have no idea what to do with it anyway.
Moved all stuff to Google Code
After some hassle I finally got my own SVN repository at Google Code. Slowly I will be migrating all my stuff there and say goodbye to free filehosting. Hopefully Google Code won’t fail me.
Also, I decided to rewrite most of my MASM source here in C++, since most of you guys aren't assembly freaks like me, and C++ is probably much easier to code than assembly too. (Side note: C/C++ pointers are very different from assembly, and that has seriously confused me at times. :/)
My SVN repository is available here. Feel free to look around and leave comments here.
http://code.google.com/p/opcode0x90/
MySql 5.0 Unsigned Integer Underflow
This was tested on MySql 5.0.60-r1 (gentoo portage).
mysql> system uname -a
Linux meepo 2.6.24-hardened-r3 #11 Mon Jul 28 07:31:20 MYT 2008 i686 AMD Sempron(tm) 2200+ AuthenticAMD GNU/Linux
mysql> SELECT VERSION();
+------------+
| VERSION()  |
+------------+
| 5.0.60-log |
+------------+
1 row in set (0.00 sec)

mysql> system uname -a
Linux gentoo 2.6.24-hardened-r3 #11 Mon Jul 28 07:31:20 MYT 2008 i686 AMD Sempron(tm) 2200+ AuthenticAMD GNU/Linux
mysql> SELECT CAST( -1 AS UNSIGNED );
+------------------------+
| CAST( -1 AS UNSIGNED ) |
+------------------------+
|   18446744073709551615 |
+------------------------+
1 row in set (0.00 sec)

mysql> SELECT CAST( 0 AS UNSIGNED ) - 1;
+---------------------------+
| CAST( 0 AS UNSIGNED ) - 1 |
+---------------------------+
|      18446744073709551615 |
+---------------------------+
1 row in set (0.00 sec)

mysql>
The expected behaviour is that any negative value "cast" to unsigned becomes 0, not that it wraps around to the maximum 64-bit value.
I have filed a bug report at bugs.mysql.com
http://bugs.mysql.com/bug.php?id=38512
Edit:
It's now fixed and closed. They introduced a strict mode instead of rounding the value to 0. You should upgrade your MySql now.
Speeding up Portage and Kernel Compiling
Ever get annoyed by Gentoo's never-ending compiling? Here are a few tricks I found while surfing through gentoo-wiki.com that really help.
To speed up Portage compiling, the trick is to mount a ramdisk on Portage's temporary compile directory. Everything in that directory is then kept in RAM instead of going to disk, which greatly improves speed.
This is the time needed to compile xorg-server.
Before:
real 9m18.899s
user 9m49.958s
sys 4m18.195s
After:
real 6m48.731s
user 5m9.471s
sys 4m6.079s
Impressive eh?
It's a 33% speed up. Since everything is placed in RAM, when compiling a very large package (namely openoffice) you might get this message:
IOError: [Errno 28] No space left on device
It means we have run out of space on the ramdisk. Unmount the ramdisk, proceed with the emerge, then mount it again:
gentoo ~ # umount /var/tmp/portage/
gentoo ~ # emerge something
Calculating dependencies - ...
gentoo ~ # mount /var/tmp/portage/
Next, we can speed up kernel compiling by using ccache. Since most of the time the kernel is recompiled with only minor changes, ccache speeds up the process dramatically by "re-using" object files that have already been compiled. It's quite troublesome to type make CC="ccache gcc" -j3 every time you want to compile the kernel, so we can write a script that simplifies the process.
File: /sbin/compile-kernel
    #!/bin/sh
    # -jN for parallel compiling (N = number of cores + 1)
    # "make install" installs the kernel to the default /boot/vmlinuz symlink
    # You might want to comment out the module-rebuild and update-modules
    # lines if you don't have module-rebuild installed.
    cd /usr/src/linux
    mount /boot
    make clean
    make CC="ccache gcc" -j3 && \
    make modules_install && \
    make install && \
    module-rebuild rebuild && \
    update-modules
    make clean
    umount /boot
    cd "$OLDPWD"
As root, run chmod u+x /sbin/compile-kernel to make it executable. Edit the script if necessary. To (re)compile the kernel, just issue compile-kernel.
Enjoy the blazing fast compiling.
Further reading:
Using ccache
Installing Gentoo on Dell Inspiron 1420
Note: This post is deprecated, as things have changed quite a lot since then. You can find the updated info on gentoo-wiki.com here.
Experiencing freeze with ollydbg?
In ollydbg's Debugging Options, uncheck Registers -> Decode SSE Registers. This should fix the hang when debugging multi-threaded apps. Sometimes the hang is caused by a plugin; check whether any plugin is causing it and remove it accordingly.
Patch for AppLocale
Finally back in action.
My PC broke down quite a while ago, spitting random BSODs, and eventually met its uneventful death. Amen. Now I am starting a new year with a brand new laptop.
Yay! Okay lets get back to business.
I am a person who frequently uses non-English applications while running on the default system locale. The result? Garbage characters in the UI, as Microsoft puts it. This is where AppLocale comes in: it allows you to run an application in a specific locale without messing around with the default system locale. Unfortunately, for no good reason Microsoft left in an annoying message reminding you that "AppLocale is just a temporary solution" whenever you launch AppLocale via a shortcut.

So I made a patch to remove the nag. All you have to do is drop the patched AppLoc.exe into C:\Windows\AppPatch\AppLoc.exe, replacing the original.
Enjoy !
AppLoc.exe Patch
http://opcode0x90.googlecode.com/files/AppLoc.rar
Some Correction
After switching to Code::Blocks, I then realized it is a bug in MinGW and not in Dev-C++. The same bugfix also applies to Code::Blocks, with only a few differences in the user interface.
For Code::Blocks (version 1.0 RC2) the directories can be found under Settings -> Compiler. Just replace \Dev-Cpp\ with \CodeBlocks\.
After that, just follow this link if you are still having problems with Code::Blocks:
http://wiki.codeblocks.org/index.php?title=Installing_MinGW_with_Vista
Hope I have cleared things up.
Here is a snippet that tells us why "ld: XXXXXX.o: No such file: No such file or directory" happens