snoopy Posted August 4, 2011 Share Posted August 4, 2011 Hey guys,I was wondering if anyone has experience with using a loader to create a process and install an exception handler.The thing I want to figure out if possible is to let the loader be the exception handler.I know SEH is per thread used so that would mean I would have to inject a DLL for example and install the exception handler.I was wondering if it is possible to use a Loader program which uses:CreateProcess API and install an exception handler to it. So when exception in program occurs it goes to handler from the loader.Best regards. Link to comment
Nacho_dj Posted August 4, 2011 Share Posted August 4, 2011 I would read this document:Cracking with Loaders Theory General Approach and a Framework v12 Link to download it:http://www.accessroot.com/arteam/site/download.php?view.81Best regardsNacho_dj 1 Link to comment
Jeremy__ Posted August 4, 2011 Share Posted August 4, 2011 (edited) You could use VirtualAllocEx to allocate memory in the remote process, assign proper protection via VirtualProtectEx. Use WriteProcessMemory to assign the allocated data to some shell code which will call load LoadLIbraryA accordingly and return. You would execute the injected shell code via CreateRemoteThread API. In the DLL that you injected, the EP should install a VEH to which all exceptions should pass over given it remains the top level in the VEH chain.Shell code examplePUSH 6F72 ; "Say your library was called 'SupBro' You'd push it to the stackPUSH 42707553 ; Here tooPUSH ESP ; Push a pointer to the string you jsut formed on the stack.Call LoadLIbraryARETN 8 ;remove formed string from stack.Whats the address of LoadLibraryA? The kerne32.dll module is always loaded and it is always loaded at the same base address. Thus The procedure address of LoadLibraryA in our process is the same as it would be in the remote process. ACTUALLY, To be super technical, some VMs don't load kernel32.dll at a constant base, but this is more an error in the VM themselvesAnother, easier, method is to just write the string, describing the library you want to load, in the remote address space and calling CreateRemoteThread to create a thread with an EP at LoadLibraryA. You can pass a single argument over via one of the parameters in CreateRemoteThread.I know SEH is per thread used so that would mean I would have to inject a DLL for example and install the exception handler.A single thread can have numerous exception handlers installed in its SEH chain. Though, VEH takes a high priority than SEH and so if you install a VEH it will supercede all SEH in the SEH chain.Essentially, you're injecting a DLL which installs a VEH. Edited August 4, 2011 by Jeremy__ Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now