flat assembler
Message board for the users of flat assembler.
typedef
DLL proxies. They work all the time, unless the target process checks it (the DLL) before loading (i.e. by way of CRC checksums). But you can still patch it.
hihelp
Thanks for typedef's reply.
I've tested DLL proxy, but it's not OK. WriteProcessMemory, CreateRemoteThread, DLL proxy, all are not allowed. Very abnormal condition. Is there any other way?
Overflowz
There is another way called FWB (Firewall Bypass). The idea is something like this:
Code:
1) CreateProcess with CREATE_SUSPENDED flag.
2) GetThreadContext
3) VirtualProtect
4) UnmapViewOfFile/CreateFileMapping/MapViewOfFile
5) WriteProcessMemory
6) SetThreadContext
7) ResumeThread

If you want to run both (injected code and original application), then try to search "Reflective DLL Injection". It's the best method ever for now.
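Added example, not part of the thread or any poster's code: a defender-side check that flags the API sequence listed in the post above when it shows up in process telemetry, i.e. a child created with CREATE_SUSPENDED that its creator writes to and re-contexts before resuming it. The event schema, field names, pids and sample trace are constructed assumptions.

```python
# Added illustration: the event schema and sample trace are constructed,
# not taken from any real sensor or from the thread.
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # Win32 process creation flag

# APIs from the thread's step list that modify the suspended child before it runs.
TAMPER_APIS = {"WriteProcessMemory", "SetThreadContext"}


def find_suspended_tampering(events):
    """Return (caller_pid, target_pid, apis) for each child that was created
    suspended, modified by its creator, and then resumed."""
    pending = {}                # target_pid -> creator pid
    touched = defaultdict(set)  # target_pid -> tamper APIs seen so far
    alerts = []
    for ev in events:
        caller, api, target = ev["pid"], ev["api"], ev["target_pid"]
        if api == "CreateProcess":
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                pending[target] = caller
        elif pending.get(target) == caller:
            if api in TAMPER_APIS:
                touched[target].add(api)
            elif api == "ResumeThread":
                # Require both a remote write and a context change: a plain
                # suspended launch followed by a resume is common and benign.
                if touched[target] == TAMPER_APIS:
                    alerts.append((caller, target, sorted(touched[target])))
                pending.pop(target, None)
                touched.pop(target, None)
    return alerts


# Constructed trace: pid 100 follows the listed sequence against child 200;
# pid 300 only launches child 400 suspended and resumes it (e.g. a launcher).
SAMPLE_TRACE = [
    {"pid": 100, "api": "CreateProcess", "target_pid": 200, "flags": 0x4},
    {"pid": 100, "api": "GetThreadContext", "target_pid": 200},
    {"pid": 100, "api": "WriteProcessMemory", "target_pid": 200},
    {"pid": 300, "api": "CreateProcess", "target_pid": 400, "flags": 0x4},
    {"pid": 100, "api": "SetThreadContext", "target_pid": 200},
    {"pid": 300, "api": "ResumeThread", "target_pid": 400},
    {"pid": 100, "api": "ResumeThread", "target_pid": 200},
]

if __name__ == "__main__":
    for caller, target, apis in find_suspended_tampering(SAMPLE_TRACE):
        print(f"pid {caller} modified suspended child {target}: {', '.join(apis)}")
```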
hihelp
Thanks for Overflowz's reply.
I'll go and search for 'Reflective DLL Injection'. The example you mentioned above I have tried, but it is still blocked......... But thanks, everybody! I will continue to look for a way!
revolution
hihelp wrote: The example you mentioned above I have tried, but it is still blocked.........
hihelp
Yeah, I mean the antivirus software intercepts it.
Overflowz
hihelp
Reflective DLL Injection is a more advanced technique, thus AVs have a really hard time detecting it.
typedef
Ok. The other way is to patch the process's entry point with a jump or find somewhere like a menu event and patch it with a jump to a LoadLibraryA API, that way the DLL can do the job.
hihelp
@Overflowz
I've seen the Reflective DLL Injection article, but it's very hard to read... Thank you so much!
@typedef
You said to patch the process, I've tried it, ^_^, thanks.
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.
Website powered by rwasa.