LCF-AT Posted October 7, 2019
Hi guys, I have a small question and don't remember the answer at the moment, so maybe you could help quickly. How do you load a module / DLL into your own or another process without executing the init / run of the DLL? Normally if I use the LoadLibrary / Ex function the DLL runs its init = it ran one time from the EP etc. In my case I want to load the DLL, then change some code in the DLL, and then it should process the init / EP etc., you know what I mean, right? In OllyDBG it's like enabling the option "Break on new module". If Olly stops there I can see the whole DLL code in the memory map and can also set a BP at the EP, for example, to stop there. I want to do something like this too but don't remember how anymore. Maybe anyone could help with some infos / functions etc. to do this. Quick example: I just want to load a DLL in my own or another process and patch the entry point of the DLL to my code location XY / patch XY in the same DLL, and the init goes on normally. greetz
atom0s Posted October 8, 2019
LoadLibraryEx with flag: DONT_RESOLVE_DLL_REFERENCES
CodeExplorer Posted October 8, 2019
When using LoadLibrary it will call the entry point of the DLL. Here is a tool which stops before calling the entry point of the DLL: https://forum.tuts4you.com/topic/39871-dllsaver Don't know if that's what you want!
LCF-AT (Author) Posted October 8, 2019
Hi guys, thanks for your answers so far. OK, I tried using the DONT_RESOLVE_DLL_REFERENCES flag with LoadLibraryEx and it works to load the DLL without going to the EP etc. Now I can patch something in the loaded DLL. The question now is how to init the DLL into the process normally? Example: I use LoadLibraryEx with DONT_RESOLVE_DLL_REFERENCES, which returns the base of the DLL in eax. Now with that base I patch the DLL EP address to my location to jump to if the EP gets accessed. After this I want to load this DLL normally like using just LoadLibraryA so that the init / EP gets accessed, but how is the question? You know what I mean, right? Something like DONT_RESOLVE_DLL_REFERENCES first || patch hook EP || RESOLVE_DLL_REFERENCES etc. I am also not really sure anymore whether this way works at all. So the only method I can use is to hook the ZwMapViewOfSection function before calling LoadLibraryA. In this case I get the module / DLL I want to load mapped as one section in memory and now I can hook / patch the EP..... also directly in the PE header.

0035F86C 77830450 /CALL to ZwMapViewOfSection from ntdll.7783044B
0035F870 000000B8 |SectionHandle = B8 (184.)
0035F874 FFFFFFFF |ProcessHandle = FFFFFFFF (-1.)
0035F878 0035F950 |pBaseAddress = 0035F950 <------ Base to get
0035F87C 00000000 |ZeroBits = 0x0
0035F880 00000000 |CommitSize = 0x0
0035F884 00000000 |pSectionOffset = NULL
0035F888 0035F934 |pViewSize = 0035F934 <------ Image size
0035F88C 00000001 |InheritDisposition = VIEW_SHARE
0035F890 00000000 |AllocationType
0035F894 00000004 \Win32Protect = PAGE_READWRITE

0035F950 62BF0000 <--- Base I got
0035F934 0085D000 <--- Image size of module

Section: 62BF0000 | 0085D000

So this seems to work to load a DLL normally using LoadLibraryA | hooking ZwMapViewOfSection or RtlImageNtHeaderEx | checking return values | modding file etc. Maybe not so pretty using this method, but I don't have any other method in mind at the moment. So I think what I want to do is clear, just looking for the right or easiest way to do this, you know. If you have any better method in mind I could try, then just tell me. greetz
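Finding the DLL entry point from the module base, as the post above does before patching it, means walking the PE headers; the same walk lets a defender detect such a patch by comparing the on-disk header with the mapped one. This is an added example in plain C, not code from the thread: the header offsets are the ones documented in the Windows SDK, the sample image is constructed here, and no Windows API is called so it builds on any platform.

```c
#include <stdint.h>
#include <string.h>
/* Minimal PE parsing without <windows.h> (little-endian host assumed, as PE is).
 * SDK layout: e_lfanew at 0x3C; then "PE\0\0" (4 bytes), the 20-byte file header,
 * and the optional header: Magic at +0, AddressOfEntryPoint at +16 (PE32 and PE32+). */
enum { PE_OK = 0, PE_BAD_DOS, PE_BAD_NT, PE_TRUNCATED };

/* Entry-point RVA of an image buffer (on-disk file or mapped module base);
 * every offset is bounds-checked against len before it is read. */
int pe_entry_rva(const uint8_t *img, size_t len, uint32_t *rva_out)
{
    uint32_t e_lfanew, sig; uint16_t magic;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return PE_BAD_DOS;
    memcpy(&e_lfanew, img + 0x3C, 4);
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 20) return PE_TRUNCATED;
    memcpy(&sig, img + e_lfanew, 4);
    if (sig != 0x00004550u) return PE_BAD_NT;              /* "PE\0\0" */
    memcpy(&magic, img + e_lfanew + 24, 2);
    if (magic != 0x10B && magic != 0x20B) return PE_BAD_NT;
    memcpy(rva_out, img + e_lfanew + 24 + 16, 4);
    return PE_OK;
}

/* 1 if both headers agree on the entry RVA, 0 if the mapped copy differs, -1 on parse error. */
int entry_points_match(const uint8_t *file, size_t flen, const uint8_t *mapped, size_t mlen)
{
    uint32_t a, b;
    if (pe_entry_rva(file, flen, &a) != PE_OK || pe_entry_rva(mapped, mlen, &b) != PE_OK) return -1;
    return a == b;
}

/* Constructed sample, not a real DLL: MZ stub, e_lfanew = 0x80, zeroed file header, PE32. */
#define SAMPLE_LEN 0x100
void build_sample(uint8_t *buf, uint32_t entry_rva)
{
    uint32_t e_lfanew = 0x80, sig = 0x00004550u; uint16_t magic = 0x10B;
    memset(buf, 0, SAMPLE_LEN); buf[0] = 'M'; buf[1] = 'Z';
    memcpy(buf + 0x3C, &e_lfanew, 4);
    memcpy(buf + e_lfanew, &sig, 4);
    memcpy(buf + e_lfanew + 24, &magic, 2);
    memcpy(buf + e_lfanew + 24 + 16, &entry_rva, 4);
}

/* Pristine "file" header vs. a "mapped" copy whose EP was set to mapped_rva. */
int compare_sample_entry(uint32_t file_rva, uint32_t mapped_rva)
{
    uint8_t file[SAMPLE_LEN], mapped[SAMPLE_LEN];
    build_sample(file, file_rva); build_sample(mapped, mapped_rva);
    return entry_points_match(file, SAMPLE_LEN, mapped, SAMPLE_LEN);
}
```

On a real module the two buffers would be the file read from disk and the memory at the base LoadLibraryEx returned; the header layout is identical in both.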
atom0s Posted October 8, 2019
You can look up how manual mapping handles initializing the DLL that was manually mapped into memory. That will show the steps to take to manually rehandle the loading steps. The BlackBone project on GitHub has this handled pretty well which you can reference here: https://github.com/DarthTon/Blackbone/blob/0072fba51c81aec5c6f56b7a7705377fe2f785d1/src/BlackBone/ManualMap/MMap.cpp
fearless Posted October 9, 2019
Came across this which has some code on how to perform image base relocations and resolve the import address table once a DLL is loaded into memory: https://ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection Just have to adapt the code, as I guess the image is already in memory with the LoadLibraryEx call instead of manually loading it as in the example code shown.
atom0s Posted October 10, 2019
> 10 hours ago, fearless said: Came across this which has some code on how to perform image base relocations and resolve import address table once a dll loaded into memory: https://ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection Just have to adapt the code, as i guess the image is already in memory with the LoadLibraryEx call instead of manually loading it as in the example code shown.

Assuming this developer isn't part of the game hacking scene/communities, but his implementation is the same thing as manual mapping. Something else to note about his implementation, he does not handle TLS callbacks/initializations.