flat assembler
Message board for the users of flat assembler.
Windows > executing code in a DLL
TheLord 19 Apr 2008, 18:26
Hi, I need to inject a DLL into multiple processes in order to spy on API calls. This DLL is a fasm coded one, using Reverend LDE etc...
Now the problem: let's just say I'm creating a simple fasm DLL to be injected, which calls a simple MessageBox

Code:
    format PE GUI 4.0 DLL
    entry DllEntryPoint

    section '.code' code readable executable

    proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
            mov     eax,TRUE
            push    0
            push    some_str
            push    some_str1
            push    0
            call    [MessageBox]
            ret
    endp

    section '.data'

      some_str  db "Hello",0
      some_str1 db "world",0

    section '.idata' import data readable writeable

      library user32, "user32.dll"

      import user32, \
             MessageBox, "MessageBoxA"

I use a tool in order to test the DLL, which can be found here: http://www.novell.com/coolsolutions/tools/17354.html
This code does not work, the call messes up the LoadLibrary() call. So is there any way to make a DLL produce code execution, and not just functions to be exported? thx for any help
TheLord 19 Apr 2008, 20:50
that's OK I finally found out ...

Code:
    format PE GUI 4.0 DLL at 11000000h

just reading the doc, sorry ...
revolution 19 Apr 2008, 23:45
Maybe TheLord is wanting the return state from [MessageBox] to be returned? Although that doesn't explain why the existing "mov eax,TRUE" is there.
asmrox 20 Apr 2008, 01:01
dll injection is for noobs, try injecting code.
topic:

Code:
    format pe dll
    section '' readable executable
    entry $
            push    ebx
            push    esi
            push    edi
            push    ebp
            xor     eax,eax
            push    eax
            push    eax
            push    eax
            push    eax
            call    [MessageBoxW]
            pop     ebp
            pop     edi
            pop     esi
            pop     ebx
            xor     eax,eax
            inc     eax
            retn    12
    section '' import readable
            dd      0,0,0,RVA user32_name,RVA user32_table
            dd      0,0,0,0,0
    user32_table:
    MessageBoxW     dd      RVA _MessageBoxW
                    dd      0
    user32_name     db      'user32.dll',0
    _MessageBoxW    db      0,0,'MessageBoxW',0
    section '' fixups
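asmrox's hand-written 'import' section is a raw IMAGE_IMPORT_DESCRIPTOR array (the two `dd 0,0,0,...` lines), a thunk table and a hint/name entry, i.e. the same directory the fasm `library`/`import` macros generate in TheLord's version. The Python below is an added example, not code from the post or from fasm: it renders asmrox's byte layout at an assumed base RVA, parses it back into DLL and function names (what an analyst checks before letting a DLL be loaded into other processes), and generalises the builder to several DLLs. The 0x2000 RVA and the kernel32.dll entry in the demo are constructed values.

```python
"""Build and decode the PE import directory that asmrox assembles by hand."""
import struct

# One IMAGE_IMPORT_DESCRIPTOR is five little-endian DWORDs, which is exactly
# asmrox's "dd 0,0,0,RVA user32_name,RVA user32_table":
#   OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESCRIPTOR = struct.Struct("<IIIII")
DWORD = struct.Struct("<I")
ORDINAL_FLAG = 0x80000000  # set in a thunk that imports by ordinal instead of name


def asmrox_import_section(base_rva):
    """Byte-for-byte rendering of the 'import' section from the post, with the
    section assumed to be mapped at `base_rva`. Offsets: two 20-byte descriptors
    (the second is the all-zero terminator), the thunk table at 40, 'user32.dll'
    at 48 and the hint/name entry for MessageBoxW at 59."""
    return (DESCRIPTOR.pack(0, 0, 0, base_rva + 48, base_rva + 40)
            + DESCRIPTOR.pack(0, 0, 0, 0, 0)
            + DWORD.pack(base_rva + 59) + DWORD.pack(0)   # user32_table
            + b"user32.dll\0"                              # user32_name
            + b"\0\0MessageBoxW\0")                        # _MessageBoxW: WORD hint, name


def build_import_section(base_rva, imports):
    """Generalise the layout to several DLLs: {dll_name: [function, ...]}.
    Thunk tables are kept DWORD-aligned and hint/name entries WORD-aligned."""
    data_start = (len(imports) + 1) * DESCRIPTOR.size  # descriptor array comes first
    descriptors = bytearray()
    body = bytearray()

    def next_rva():
        return base_rva + data_start + len(body)

    for dll, funcs in imports.items():
        while len(body) % 4:
            body += b"\0"
        table_off, table_rva = len(body), next_rva()
        body += b"\0" * (DWORD.size * (len(funcs) + 1))    # filled in below, zero-terminated
        dll_rva = next_rva()
        body += dll.encode("ascii") + b"\0"
        for i, func in enumerate(funcs):
            if len(body) % 2:
                body += b"\0"
            # Each thunk holds the RVA of an IMAGE_IMPORT_BY_NAME entry; the
            # loader later overwrites it with the resolved function address.
            DWORD.pack_into(body, table_off + DWORD.size * i, next_rva())
            body += struct.pack("<H", 0) + func.encode("ascii") + b"\0"
        descriptors += DESCRIPTOR.pack(0, 0, 0, dll_rva, table_rva)
    descriptors += DESCRIPTOR.pack(0, 0, 0, 0, 0)              # all-zero terminator
    return bytes(descriptors + body)


def parse_import_directory(section, base_rva):
    """Walk an import directory starting at offset 0 of `section` and return
    {dll_name: [imported names or '#ordinal']}."""
    def offset(rva):
        off = rva - base_rva
        if not 0 <= off < len(section):
            raise ValueError(f"RVA {rva:#x} points outside the section")
        return off

    def cstring(rva):
        start = offset(rva)
        return section[start:section.index(b"\0", start)].decode("ascii")

    result, pos = {}, 0
    while True:
        _oft, _stamp, _fwd, name_rva, first_thunk = DESCRIPTOR.unpack_from(section, pos)
        pos += DESCRIPTOR.size
        if name_rva == 0 and first_thunk == 0:
            break                                   # terminator descriptor
        funcs, toff = [], offset(first_thunk)
        while True:
            (thunk,) = DWORD.unpack_from(section, toff)
            toff += DWORD.size
            if thunk == 0:
                break                               # end of this DLL's table
            if thunk & ORDINAL_FLAG:
                funcs.append(f"#{thunk & 0xFFFF}")
            else:
                funcs.append(cstring(thunk + 2))    # skip the 2-byte hint
        result[cstring(name_rva)] = funcs
    return result


if __name__ == "__main__":
    BASE = 0x2000  # assumed RVA of the import section
    print(parse_import_directory(asmrox_import_section(BASE), BASE))
    generic = build_import_section(BASE, {"user32.dll": ["MessageBoxW"],
                                          "kernel32.dll": ["ExitProcess"]})
    print(parse_import_directory(generic, BASE))
```

Because OriginalFirstThunk is zero in asmrox's descriptor, the FirstThunk table doubles as the name table and the import address table: the loader reads the hint/name RVAs from it and writes the resolved addresses back over them, which is why the section has to be writable or relocatable at load time.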
TheLord 20 Apr 2008, 11:30
Hi, and thx for answering.
I'm not doing asm very frequently, that's why my question can appear stupid, sorry. The "mov eax, TRUE" is just taken from the given "DLL" fasm example, thx for the precision r22.

btw, it's not about injecting a DLL for evil purposes or for a technology achievement, I don't really care if it's noob code, I just need a working way to do it! My app needs to be unkillable for security reasons. I tried to modify my process DACL to disallow PROCESS_TERMINATE, but SeDebugPrivilege just bypasses it, and I can't decently remove this right from administrators. So the only way I found to do it is by hooking TerminateProcess in all processes (from what I know, and from what I believe I'm capable of). Unfortunately the app is vb.net coded, which is quite restricted regarding this stuff, that's why I try to code this asm DLL.

My code was not working because of the lack of

Code:
    section '.reloc' fixups data discardable

it works correctly with this
Alphonso 20 Apr 2008, 13:01
TheLord wrote:
    My app needs to be unkillable for security reasons.
TheLord 21 Apr 2008, 07:32
No, the problem is not the service, I could make it "canstop=false". It's the process of the service, which is under the same laws as the others. As long as the user token has SeDebugPrivilege, he can kill whatever he wants apart from critical processes (services.exe, winlogon, lsass etc).
I could just name my exe services (as an example), it would be unkillable, but it's not a very clean way ...
revolution 21 Apr 2008, 12:27
If this is for something like an Internet Cafe (or general public use computers) then the easiest way is just to make sure the login is user access only.
If this is for release to anyone on their own PC then there is not anything you can do to stop your process being terminated. Renaming it to "services.exe" won't help you at all, it will still be able to be killed.
TheLord 21 Apr 2008, 12:54
Our client needs to allow users to get administrator rights for a certain amount of time / number of reboots in order to let them install their own applications, or for doing stuff where admin rights are needed. This is how it works:
1. A system service launches an executable which provides a systray with a context menu to switch to admin mode
2. When the user switches to admin mode, the executable puts the user in the admin group and logs off the session
3. When the user logs back in he is admin and the executable starts its timer (time/reboot count)

This is a walking security hole of an app, I know, but I'm not the boss so, while the user is admin:
1. He can create a new admin user and so have an admin account ready to go.
2. He can kill the executable so no more count, no more time, he stays admin
3. He can deactivate the service so the exe is not launched anymore
etc etc etc

My goal here is to provide semi rootkit technology in user mode (just to prevent those easy privilege escalations, no need for a bullet proof technique, and I don't care if it's spotted by antivirus, the app will be in the exclusion list if that's the case) with a DLL which will protect the service, the executable, the regkey used by the program, and the local group/user administration. Actually the app is a "watch dog" app, the executable watches for the service, the service watches for the executable. I have to do it the other way in order to give my boss two projects.
revolution 21 Apr 2008, 13:29
Oh, I don't fancy your task there. Trying to stop an admin user doing things is very tricky.
r22 22 Apr 2008, 07:21
The registry key:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

If you place the full path to your DLL as the value, Windows will load your DLL into every process that loads user32.dll. When spy software was popular ("find out what blah is doing on your computer") this registry hook was used in a lot of them to inject key loggers and such.
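The key r22 names is still a standard item on a persistence checklist (MITRE ATT&CK lists it under Event Triggered Execution as "AppInit DLLs"). The Python below is an added example, not code from the post: it reads the key's values on Windows (both the native and the Wow6432Node view) and evaluates them from a plain dict, so the assessment logic also runs offline on constructed input. Two gating values that postdate the thread are checked as well: LoadAppInit_DLLs (0 switches the mechanism off) and RequireSignedAppInit_DLLs (1 accepts only signed DLLs); since Windows 8 the mechanism is disabled entirely when Secure Boot is on. The path C:\ProgramData\hook.dll in the fallback sample is a constructed value.

```python
"""Audit the AppInit_DLLs load point under HKLM\\...\\Windows NT\\CurrentVersion\\Windows."""
import ntpath  # Windows path semantics even when the audit logic runs elsewhere

APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE_NAMES = ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs")


def parse_dll_list(raw):
    """AppInit_DLLs holds DLL paths separated by spaces or commas."""
    return [d for d in (raw or "").replace(",", " ").split() if d]


def assess_appinit(values):
    """Evaluate one key's values (dict keyed by VALUE_NAMES, missing entries
    allowed) and report what is injected and whether injection is live."""
    dlls = parse_dll_list(values.get("AppInit_DLLs"))
    load = values.get("LoadAppInit_DLLs")
    signed = values.get("RequireSignedAppInit_DLLs")
    findings = []
    for d in dlls:
        note = "" if ntpath.isabs(d) else " (relative path, resolved via the DLL search order)"
        findings.append(f"{d} is mapped into every process that loads user32.dll{note}")
    if dlls and load == 0:
        findings.append("LoadAppInit_DLLs is 0, so the list is configured but not loaded")
    if dlls and signed != 1:
        findings.append("RequireSignedAppInit_DLLs is not 1, so unsigned DLLs are accepted")
    return {
        "dlls": dlls,
        # Live only with a non-empty list that is not explicitly switched off;
        # an absent LoadAppInit_DLLs is treated conservatively as enabled.
        "active": bool(dlls) and load != 0,
        "signed_only": signed == 1,
        "findings": findings,
    }


def read_appinit_values(view="64"):
    """Read the live values from HKLM on Windows. `view` selects the native
    64-bit key or the Wow6432Node mirror that 32-bit processes see."""
    try:
        import winreg
    except ImportError as exc:
        raise RuntimeError("live registry access needs Windows") from exc
    flag = winreg.KEY_WOW64_64KEY if view == "64" else winreg.KEY_WOW64_32KEY
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY, 0,
                        winreg.KEY_READ | flag) as key:
        for name in VALUE_NAMES:
            try:
                values[name], _kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent; assess_appinit() treats it as unset
    return values


if __name__ == "__main__":
    try:
        samples = {f"HKLM ({v}-bit view)": read_appinit_values(v) for v in ("64", "32")}
    except RuntimeError:
        # Off Windows, fall back to a constructed sample mirroring r22's scenario.
        samples = {"constructed sample": {
            "AppInit_DLLs": r"C:\ProgramData\hook.dll",
            "LoadAppInit_DLLs": 1,
            "RequireSignedAppInit_DLLs": 0,
        }}
    for label, values in samples.items():
        report = assess_appinit(values)
        print(f"{label}: active={report['active']} signed_only={report['signed_only']}")
        for line in report["findings"]:
            print("  -", line)
```

On a 64-bit host the two views are independent: a DLL listed only under Wow6432Node reaches 32-bit processes only, so an audit that reads a single view misses half the picture.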
AlexP 22 Apr 2008, 12:00
r22: OH MY GOSH! That's a little too powerful of a Windows secret to give someone?! Wow... That's crazy..
revolution 22 Apr 2008, 12:04
It's hardly a secret, it's been around for as long as Windows. It is a standard way for apps to have "hot-keys" that work from anywhere.
AlexP 22 Apr 2008, 12:52
"Hot-keys"? Do you mean looking for specific key codes?
revolution 22 Apr 2008, 12:56
Yes, for example TrueCrypt has some options for setting "hot-keys" to perform various functions. It provides this functionality by installing a DLL into each running app to monitor for the particular key presses. Many programs do it.
TheLord 22 Apr 2008, 16:19
yeah, AppInit_DLLs and SetWindowsHookEx, quite used by keyloggers
Nickt 03 Jul 2009, 12:12
Look for

Code:
    include 'win32a.inc'

or include all of it, or include more macros and equates, but ... right away; without this the defines are missing:

Code:
    format PE GUI 4.0 DLL
    entry DllEntryPoint

    ;***************** !!! ******************************
    include 'win32a.inc'    ;<<<<<<--------- macros and constants !!!
    ;***************** !!! ******************************

    section '.code' code readable executable

    proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
            mov     eax,TRUE
            push    0
            push    some_str
            push    some_str1
            push    0
            call    [MessageBox]
            ret
    endp

    section '.data'

      some_str  db "Hello",0
      some_str1 db "world",0

    section '.idata' import data readable writeable

      library user32, "user32.dll"

      import user32, \
             MessageBox, "MessageBoxA"
sleepsleep 03 Jul 2009, 13:05
write 2 apps, with the application names starting at letter "A" and then another at letter "Z". At least in XP, you can't kill 2 tasks at the same moment, so whenever A detects Z missing, it restarts Z, and if Z detects A missing, it restarts A. I saw some virus/malware using such a concept.
Pirata Derek 03 Jul 2009, 14:02
Sometimes this malware is easy to remove:
1) 1 EXECUTABLE WITH 2 MIRROR PROCESSES: try to rename the executable (it may fail), then kill the processes with Task Manager (they can't restart the original EXE because it has another name)
2) 2 EXECUTABLES AND 2 PROCESSES (ONE RESTARTS THE OTHER ONE): the same method but applied to 2 files (kill 1 process at a time)

YOU HAVE TO LOCK THE EXECUTABLE (or EXECs). You can do this by opening the file and keeping its handle alive:

Code:
    invoke CreateFileA,ExecutableName,GENERIC_READ+GENERIC_WRITE,0,....

etc. (NOTE: the last zero is the SHARE_MODE --> no sharing with other apps so they can't erase or rename it) To unlock, just CloseHandle its handle
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.