Jump to content
Tuts 4 You

Loader and Exception Handling


snoopy

Recommended Posts

Posted

Hey guys,

I was wondering if anyone has experience with using a loader to create a process and install an exception handler.

The thing I want to figure out if possible is to let the loader be the exception handler.

I know SEH is per thread used so that would mean I would have to inject a DLL for example and install the exception handler.

I was wondering if it is possible to use a Loader program which uses:

CreateProcess API and install an exception handler to it. So when exception in program occurs it goes to handler from the loader.

Best regards.

Posted

I would read this document:

Cracking with Loaders Theory General Approach and a Framework v12

Link to download it:

http://www.accessroot.com/arteam/site/download.php?view.81

Best regards

Nacho_dj

  • Like 1
Posted (edited)

You could use VirtualAllocEx to allocate memory in the remote process, assign proper protection via VirtualProtectEx. Use WriteProcessMemory to assign the allocated data to some shell code which will call load LoadLIbraryA accordingly and return. You would execute the injected shell code via CreateRemoteThread API. In the DLL that you injected, the EP should install a VEH to which all exceptions should pass over given it remains the top level in the VEH chain.

Shell code example


PUSH 6F72 ; "Say your library was called 'SupBro' You'd push it to the stack
PUSH 42707553 ; Here too
PUSH ESP ; Push a pointer to the string you jsut formed on the stack.
Call LoadLIbraryA
RETN 8 ;remove formed string from stack.

Whats the address of LoadLibraryA? The kerne32.dll module is always loaded and it is always loaded at the same base address. Thus The procedure address of LoadLibraryA in our process is the same as it would be in the remote process. ACTUALLY, To be super technical, some VMs don't load kernel32.dll at a constant base, but this is more an error in the VM themselves

Another, easier, method is to just write the string, describing the library you want to load, in the remote address space and calling CreateRemoteThread to create a thread with an EP at LoadLibraryA. You can pass a single argument over via one of the parameters in CreateRemoteThread.

I know SEH is per thread used so that would mean I would have to inject a DLL for example and install the exception handler.

A single thread can have numerous exception handlers installed in its SEH chain. Though, VEH takes a high priority than SEH and so if you install a VEH it will supercede all SEH in the SEH chain.

Essentially, you're injecting a DLL which installs a VEH.

Edited by Jeremy__

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...