flat assembler
Message board for the users of flat assembler.

Index > Windows > executing code in a DLL

TheLord 19 Apr 2008, 18:26
Hi, I need to inject a DLL into multiple processes in order to spy on API calls. This DLL is a fasm-coded one, using Reverend LDE etc.

Now the problem:

Let's just say I'm creating a simple fasm DLL to be injected, which calls a simple message box:

Code:
format PE GUI 4.0 DLL
entry DllEntryPoint

section '.code' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved

        mov  eax,TRUE
        push 0
        push some_str
        push some_str1
        push 0
        call [MessageBox]
        ret
endp      

section '.data'

some_str            db "Hello",0
some_str1          db "world",0

section '.idata' import data readable writeable
library                 user32, "user32.dll"

import user32, \
MessageBox, "MessageBoxA"       


I use a tool in order to test the DLL, which can be found here:
http://www.novell.com/coolsolutions/tools/17354.html

This code does not work; the call messes up the LoadLibrary() call. So is there any way to make a DLL produce code execution, and not just functions to be exported?

Thanks for any help.
TheLord 19 Apr 2008, 20:50
That's OK, I finally found out...

Code:
format PE GUI 4.0 DLL at 11000000h

Just reading the doc, sorry...
r22 19 Apr 2008, 21:31
The following should probably be in a banner at the top of every Windows forum post.

*** Calling an API will trash EAX, ECX, EDX ***
Code:
        mov  eax,TRUE       ; *** <<<=== Will not work
        push 0
        push some_str
        push some_str1
        push 0
        call [MessageBox]   ; *** <<<=== Put mov eax,TRUE after this line and before the RET
revolution 19 Apr 2008, 23:45
Maybe TheLord is wanting the return state from [MessageBox] to be returned? Although that doesn't explain why the existing "mov eax,TRUE" is there.
asmrox 20 Apr 2008, 01:01
DLL injection is for noobs, try injecting code.
topic:
Code:
format pe dll
section '' readable executable
entry $
push ebx
push esi
push edi
push ebp
xor eax,eax
push eax
push eax
push eax
push eax
call [MessageBoxW]
pop ebp
pop edi
pop esi
pop ebx
xor eax,eax
inc eax
retn 12
section '' import readable
dd 0,0,0,RVA user32_name,RVA user32_table
dd 0,0,0,0,0
user32_table:
MessageBoxW dd RVA _MessageBoxW
dd 0
user32_name db 'user32.dll',0
_MessageBoxW db 0,0,'MessageBoxW',0
section '' fixups    
TheLord 20 Apr 2008, 11:30
Hi, and thanks for answering.

I'm not doing asm very frequently, that's why my question can appear stupid, sorry.

The "mov eax, TRUE" was just taken from the given "DLL" fasm example; thanks for the precision, r22.

By the way, it's not about injecting a DLL for evil purposes or for a technology achievement. I don't really care if it's noob code, I just need a working way to do it!
My app needs to be unkillable for security reasons. I tried to modify my process DACL to disallow PROCESS_TERMINATE, but SeDebugPrivilege just bypasses it, and I can't decently remove this right from administrators.

So the only way I found to do it is by hooking TerminateProcess in all processes (from what I know, and from what I believe I'm capable of). Unfortunately the app is VB.NET coded, which is quite restricted regarding this stuff; that's why I'm trying to code this asm DLL.

My code was not working because of the lack of

Code:
section '.reloc' fixups data discardable

It works correctly with this.
Alphonso 20 Apr 2008, 13:01
TheLord wrote:
> My app needs to be unkillable for security reasons.

Would making your application run as a service work for you?
TheLord 21 Apr 2008, 07:32
No, the problem is not the service; I could make it "canstop=false". It's the process of the service, which is under the same laws as the others. As long as the user token has SeDebugPrivilege, he can kill whatever he wants apart from critical processes (services.exe, winlogon, lsass etc.).

I could just name my exe services (as an example) and it would be unkillable, but it's not a very clean way...
revolution 21 Apr 2008, 12:27
If this is for something like an Internet cafe (or general public use computers) then the easiest way is just to make sure the login is user access only.

If this is for release to anyone on their own PC then there is nothing you can do to stop your process being terminated. Renaming it to "services.exe" won't help you at all; it will still be able to be killed.
TheLord 21 Apr 2008, 12:54
Our client needs to allow users to get administrator rights for a certain amount of time / number of reboots in order to let them install their own applications, or for doing stuff where admin rights are needed. This is how it works:

1. A system service launches an executable which provides a systray icon with a context menu to switch to admin mode
2. When the user switches to admin mode, the executable puts the user in the admin group and logs off the session
3. When the user logs back in he is admin and the executable starts its chrono (time/reboot count)

This app is a walking security hole, I know, but I'm not the boss.

So, while the user is admin:
1. He can create a new admin user and so have an admin account ready to go.
2. He can kill the executable, so no more count, no more time, he stays admin.
3. He can deactivate the service so the exe is not launched anymore.
etc. etc. etc.

My goal here is to provide semi-rootkit technology in user mode (just to prevent those easy privilege escalations; no need for a bulletproof technique, and I don't care if it's spotted by antivirus, the app will be in the exclusion list if that's the case) with a DLL which will protect the service, the executable, the regkey used by the program, and the local group/user administration.

Actually the app is a "watchdog" app: the executable watches for the service, the service watches for the executable.

I have to do it the other way in order to give my boss two projects.
revolution 21 Apr 2008, 13:29
Oh, I don't fancy your task there. Trying to stop an admin user doing things is very tricky.
r22 22 Apr 2008, 07:21
The registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

If you place the full path to your DLL as the value, Windows will load your DLL into every process that loads user32.dll.

When spy software was popular ("find out what blah is doing on your computer") this registry hook was used in a lot of them to inject key loggers and such.
AlexP 22 Apr 2008, 12:00
r22: OH MY GOSH! That's a little too powerful of a Windows secret to give someone?! Wow... That's crazy..
revolution 22 Apr 2008, 12:04
It's hardly a secret; it's been around for as long as Windows. It is a standard way for apps to have "hot-keys" that work from anywhere.
AlexP 22 Apr 2008, 12:52
"Hot-keys"? Do you mean looking for specific key codes?
revolution 22 Apr 2008, 12:56
Yes, for example TrueCrypt has some options for setting "hot-keys" to perform various functions. It provides this functionality by installing a DLL into each running app to monitor for the particular key presses. Many programs do it.
TheLord 22 Apr 2008, 16:19
Yeah, AppInit_DLLs and SetWindowsHookEx, quite used by keyloggers.
Nickt 03 Jul 2009, 12:12
Look for
Code:
include 'win32a.inc'

or include all or more macros and equates, but ... immediately without these defines:
Code:
format PE GUI 4.0 DLL
entry DllEntryPoint

;***************** !!! ******************************
include 'win32a.inc' ;<<<<<<--------- macros and constants !!!
;***************** !!! ******************************
section '.code' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved

        push 0
        push some_str
        push some_str1
        push 0
        call [MessageBox]
        mov  eax,TRUE        ; return value set after the call, since the call clobbers EAX
        ret
endp

section '.data' data readable writeable

some_str            db "Hello",0
some_str1           db "world",0

section '.idata' import data readable writeable
library                 user32, "user32.dll"

import user32, \
MessageBox, "MessageBoxA"

section '.reloc' fixups data discardable   ; relocations, so the DLL can load at a base other than the preferred one
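A DllEntryPoint that puts the three fixes from this thread together (the win32a.inc include, the .reloc fixups section, and setting EAX only after the last API call) and goes a step further: it acts only on DLL_PROCESS_ATTACH and reports which host process loaded it. This is an added example, not code from any post; the message box is there only to make the load visible, as in the thread's own snippets, and the constant and label names are mine.

```asm
format PE GUI 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

; Values from winnt.h; fasm lets an '=' constant be redefined, so this is
; harmless if the include already has them.
DLL_PROCESS_ATTACH = 1
HOST_PATH_MAX      = 260

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        ; Act once per process: DLL_THREAD_ATTACH/DETACH would otherwise run
        ; this code for every thread of every host, under the loader lock.
        cmp     [fdwReason],DLL_PROCESS_ATTACH
        jne     .done
        ; Ask the loader not to send thread attach/detach notifications at all.
        invoke  DisableThreadLibraryCalls,[hinstDLL]
        ; hModule = 0 returns the host executable's path, not this DLL's,
        ; so the box shows which process the DLL ended up in.
        invoke  GetModuleFileName,0,host_path,HOST_PATH_MAX
        invoke  MessageBox,0,host_path,caption,MB_OK
  .done:
        ; Set the return value last: every call above clobbers EAX, ECX and EDX.
        mov     eax,TRUE
        ret
endp

section '.data' data readable writeable

caption   db 'DLL loaded into process:',0
host_path rb HOST_PATH_MAX

section '.idata' import data readable writeable

library kernel32,'kernel32.dll',\
        user32,'user32.dll'

import kernel32,\
       DisableThreadLibraryCalls,'DisableThreadLibraryCalls',\
       GetModuleFileName,'GetModuleFileNameA'

import user32,\
       MessageBox,'MessageBoxA'

; Without relocations the image cannot be moved when its preferred base is
; already taken in the host, which is the failure the first post ran into.
section '.reloc' fixups data readable discardable
```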
sleepsleep 03 Jul 2009, 13:05
Quote:
> My app needs to be unkillable for security reasons.

Write 2 apps, with application names starting with the letter "A" and another with the letter "Z".

At least in XP, you can't kill 2 tasks at the same moment,
so whenever A detects Z missing, it restarts Z; if Z detects A missing, it restarts A.

I saw some virus/malware using such a concept.
Pirata Derek 03 Jul 2009, 14:02
Sometimes this malware is easy to remove:

1) 1 EXECUTABLE WITH 2 MIRROR PROCESSES:
Try to rename the executable (it may fail), then kill the processes with Task Manager (they can't restart the original EXE because it has another name).

2) 2 EXECUTABLES AND 2 PROCESSES (ONE RESTARTS THE OTHER ONE):
The same method but applied to 2 files (kill 1 process at a time).

YOU HAVE TO LOCK THE EXECUTABLE (or EXECs)
You can do this by opening the file and keeping its handle alive:

Code:
invoke CreateFileA,ExecutableName,GENERIC_READ+GENERIC_WRITE,0,.... etc

(NOTE: the last zero is the SHARE_MODE --> no sharing with other apps, so they can't erase or rename it.)

To unlock, just CloseHandle its handle.
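The share-mode lock the post describes, carried through to the check that proves it worked: the file is opened with dwShareMode = 0, a second open is attempted and must fail with ERROR_SHARING_VIOLATION, and the handle is released at the end. This is an added example, not Pirata Derek's code; the path C:\Temp\guard.dat and all label names are constructed, and it locks a data file the application depends on rather than the running executable.

```asm
format PE GUI 4.0
entry start

include 'win32a.inc'

; winerror.h / winnt.h values, defined here in case the include lacks them (fasm allows redefining an '=' constant)
ERROR_SHARING_VIOLATION = 32
FILE_SHARE_DELETE       = 4

section '.text' code readable executable
start:
        ; dwShareMode = 0: while hLock is open no other CreateFile on the path
        ; succeeds, and DeleteFile/MoveFile (rename) fail with a sharing violation.
        invoke  CreateFile,guard_path,GENERIC_READ+GENERIC_WRITE,0,0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0
        cmp     eax,INVALID_HANDLE_VALUE
        je      .fail
        mov     [hLock],eax
        ; Prove it: even the most permissive second open must be refused.
        invoke  CreateFile,guard_path,GENERIC_READ,FILE_SHARE_READ+FILE_SHARE_WRITE+FILE_SHARE_DELETE,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
        cmp     eax,INVALID_HANDLE_VALUE
        jne     .not_locked
        invoke  GetLastError
        cmp     eax,ERROR_SHARING_VIOLATION
        jne     .fail
        invoke  MessageBox,0,msg_locked,caption,MB_OK
        jmp     .done
  .not_locked:
        invoke  CloseHandle,eax
        invoke  MessageBox,0,msg_open,caption,MB_OK
        jmp     .done
  .fail:
        invoke  MessageBox,0,msg_fail,caption,MB_OK
  .done:
        ; The lock lives exactly as long as the handle: closing it, or the
        ; process ending, releases the file again.
        invoke  CloseHandle,[hLock]
        invoke  ExitProcess,0

section '.data' data readable writeable
guard_path db 'C:\Temp\guard.dat',0   ; constructed sample path; the directory must exist
caption    db 'share mode demo',0
msg_locked db 'Second open failed with ERROR_SHARING_VIOLATION: the file is locked',0
msg_open   db 'Second open succeeded: the file is NOT locked',0
msg_fail   db 'CreateFile failed for another reason (check the path)',0
hLock      dd 0

section '.idata' import data readable writeable
library kernel32,'kernel32.dll',user32,'user32.dll'
import kernel32,CreateFile,'CreateFileA',CloseHandle,'CloseHandle',GetLastError,'GetLastError',ExitProcess,'ExitProcess'
import user32,MessageBox,'MessageBoxA'
```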
Copyright © 1999-2025, Tomasz Grysztar.