This article shows how to inject a dynamic-link library (DLL) into a 32-bit process on Windows Vista using remote threads, taking Address Space Layout Randomization (ASLR) into account. The sample code is written in assembly language (MASM32) using the WinAsm IDE. It should give you a better understanding of how dynamic libraries can be injected.

The concept of loading a library inside a process is simple. A program can load one dynamically with the LoadLibrary function from the Windows API, for example:

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    HMODULE hlib;                        /* LoadLibraryA returns a module handle */
    char *lib = "E:\\mylib.dll";         /* full path of the library to load */
    printf("Loading library: %s\n", lib);
    hlib = LoadLibraryA(lib);
    printf("Handle: %p\n", (void *)hlib); /* NULL means the load failed */
    system("PAUSE");
    return 0;
}

Therefore we can use the CreateRemoteThread function to create a thread in the target process that executes LoadLibraryA with the library's path as its argument.

CreateRemoteThread

HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress,
__in LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out LPDWORD lpThreadId
);

hProcess

The handle to the remote process into which we intend to inject our library.

lpStartAddress

This is the address (or offset) of the function at which the new thread starts executing. In our case it must be the address of LoadLibraryA in the remote process's address space.

lpParameter

This is the address of the parameter (the library pathname) that is passed as the argument to LoadLibraryA. Note that this, too, has to be in the address space of the remote process.

The main issues we have to take into consideration are:

* The offset of LoadLibraryA is not constant (not since Microsoft implemented Address Space Layout Randomization, ASLR)
* Our library's pathname string does not exist in the remote process's address space

Offset of LoadLibraryA

LoadLibraryA resides within kernel32.dll, a library that is mapped into every process running on the operating system. ASLR may relocate kernel32.dll at each reboot, but within one boot it is mapped at the same base address in every process, so the address of LoadLibraryA in our process is the same as in the remote process. We therefore obtain it with GetProcAddress in combination with GetModuleHandle. The example code below does this:

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    HINSTANCE kernel32;
    FARPROC proc;
    char *procname = "LoadLibraryA";
    char *modulename = "Kernel32";
    /* kernel32 is already mapped in this process; GetModuleHandle does not load anything */
    kernel32 = GetModuleHandleA(modulename);
    printf("hModule: %p\n", (void *)kernel32);
    /* same base in every process until the next reboot, so this address is valid remotely too */
    proc = GetProcAddress(kernel32, procname);
    printf("hProc: %p\n", (void *)proc);
    system("PAUSE");
    return 0;
}

Getting the pathname inside the remote process’s address space

To do this we need to allocate space in the remote process's address space with the VirtualAllocEx function and then write our pathname into it with the WriteProcessMemory function. You can look up these two functions on MSDN using the links below:

VirtualAllocEx
WriteProcessMemory

Another "hack" you can use is to name your library after a string that already exists inside the executable file, and then copy it into the executable's folder or any other folder listed in the PATH environment variable. For the example program's hex dump below you could use ernel32.dll (at 00402229), nel32.dll (at 0040222A), 32.dll (at 0040222D) or even NameA (at 00402243) as your library's filename.

004020F0 ø .......Dialog
00402100 BoxParamA.´.EndD
00402110 ialog.ü.GetDlgIt
00402120 emTextA.±Messag
00402130 eBoxA.SetDlgIt
00402140 emTextA.user32.d
00402150 ll..R.CreateRemo
00402160 teThread..›.Exit
00402170 Process.Ì.Format
00402180 MessageA..GetC
00402190 urrentProcessId.
004021A0 (GetLastError..
004021B0 4GetModuleHandl
004021C0 eA..SGetProcAdd
004021D0 ress..OpenProc
004021E0 ess.\RtlZeroMem
004021F0 ory.ÞVirtualAll
00402200 ocEx..WritePro
00402210 cessMemory..ls
00402220 trlenA..kernel32
00402230 .dll....GetOpenF
00402240 ileNameA..comdlg
00402250 32.dll..........


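Both ways of getting the pathname into the target (VirtualAllocEx/WriteProcessMemory with a full path such as E:\mylib.dll, or the filename trick above) end with a module loaded from an unusual path or under an unusual name. As an added example, not code from the original post or its download, the following PowerShell script enumerates each process's loaded modules and flags those two artefacts; the trusted-root list and the suspicious-name list are assumptions to tune for your environment.

```powershell
# Roots where legitimately installed DLLs are expected (assumption; extend as needed).
$trustedRoots = @("$env:SystemRoot\", "${env:ProgramFiles}\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }   # drop entries that are empty on this machine

# Constructed list of the "suffix of an import string" names from the post's hex dump.
$suspiciousNames = @('ernel32.dll', 'nel32.dll', '32.dll', 'NameA', 'NameA.dll')

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-SuspiciousModules {
    Get-Process | ForEach-Object {
        $proc = $_
        try { $modules = $proc.Modules }
        catch {
            # Access denied (run elevated) or cross-architecture enumeration: report, do not skip silently.
            Write-Warning ("{0} (PID {1}): {2}" -f $proc.ProcessName, $proc.Id, $_.Exception.Message)
            return
        }
        foreach ($m in $modules) {
            $reason = $null
            if ($suspiciousNames -contains $m.ModuleName) {
                $reason = 'module name is a suffix of an import string'
            } elseif (-not (Test-TrustedPath $m.FileName)) {
                $reason = 'loaded from outside the trusted roots'
            }
            if ($reason) {
                [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id
                                   Module = $m.ModuleName; Path = $m.FileName; Reason = $reason }
            }
        }
    }
}

Find-SuspiciousModules | Format-Table -AutoSize
```

Applications installed outside the trusted roots (per-user installs, for example) will also be listed, so treat the output as a triage list rather than a verdict.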
Download Source code and executable

Comments
  1. […] Dll injection in Windows Vista/2008 64bit can be made possible by using the same technique used in DLL Injection Windows Vista. The only difference is the target platform we compile our executable. In order to inject a library […]
