flat assembler
Message board for the users of flat assembler.

Windows forum thread: DETOUR, HOOK, DLL imports change and any code INTERCEPTION! (page 2 of 3)
r22
I've had a little experience with patching kernel dll's in XP (64bit).
http://board.flatassembler.net/topic.php?t=4467
Maybe it'll be helpful to you. The thread is in the "blog" format :\

The kernel DLL and EXE have a CRC in the file that needs to be accurate. There's a Windows API that will give you the current checksum and the correct checksum (the API's name eludes me at the moment).
Post 04 Nov 2008, 00:42
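The checksum r22 is talking about is the CheckSum field of the PE optional header, the one imagehlp's MapFileAndCheckSum / CheckSumMappedFile compute. Added example, not code from this thread: a Python re-implementation of that algorithm that verifies or re-stamps the field, run against a constructed, non-loadable PE skeleton; a system DLL that was patched on disk without re-stamping the header fails the check.

```python
import struct

def _checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same place in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 0x40   # signature + IMAGE_FILE_HEADER + CheckSum offset

def pe_checksum(data):
    """Recompute the header checksum the way imagehlp's MapFileAndCheckSum does:
    end-around-carry sum of every 32-bit word except the CheckSum field itself,
    folded to 16 bits, plus the file length."""
    skip = _checksum_field_offset(data) // 4        # field is 4-byte aligned in a well-formed image
    padded = data + b"\0" * (-len(data) % 4)        # last partial word is zero-padded
    total = 0
    for i in range(0, len(padded), 4):
        if i // 4 == skip:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def stored_checksum(data):
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]

def stamp_checksum(data):
    """Return a copy with a correct CheckSum written into the header."""
    off = _checksum_field_offset(data)
    return data[:off] + struct.pack("<I", pe_checksum(data)) + data[off + 4:]

def verify_checksum(data):
    """True when the stored CheckSum matches the file contents; a patched
    system DLL whose header was not re-stamped fails this check."""
    return stored_checksum(data) == pe_checksum(data)

def build_sample_image():
    """Constructed, minimal MZ/PE skeleton (not a loadable binary) to exercise the check."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic, CheckSum = 0
    body = bytes(range(256)) * 2 + b"\x01\x02\x03"                # odd length exercises padding
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body
```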

Pirata Derek
I've seen your "system dll patching"... it's a good job. Probably I need to spend more time on this one, before making my kernel hooker.
Post 04 Nov 2008, 09:38

Pirata Derek
Hey you all, LISTEN TO ME:
These days I tried, another time, the Debugging Tools for Windows XP
(Microsoft) because you told me it's a kernel debugger... yes, it's a kernel
debugger ONLY IF YOU CONNECT IT TO ANOTHER PC USING THE SERIAL PORT (COM1)!

I don't wanna buy another PC for testing its kernel working method!!!
Then: stop thinking the things Microsoft writes about its products are good or true!
I told you the Debugging Tools from MS isn't (or aren't?) a good kernel debugger
and also not a good normal debugger! I.D.A. is better, much, much better than it.

In any case, thanks, because this forum is here to help us learn more together
about our favourite hobby:

PROGRAMMING!

Yes, for me programming is:

Making every keyboard button
I push into my assembler
into something alive
that executes all the instructions I wrote into it,
like an extension of my will...
...in digital format!
Post 05 Nov 2008, 09:05

LocoDelAssembly
The link I gave you uses a VIRTUAL PC, not a real one.
Post 05 Nov 2008, 13:40

baldr
Pirata Derek,

Google for LiveKD. It's an excellent tool from Mark Russinovich to use kd on the same machine.
Post 05 Nov 2008, 18:25

Pirata Derek
OK, I think K.D. is better for debugging on the same machine
Post 07 Nov 2008, 08:33

Pirata Derek
Why does Kernel Debugger crash sometimes when I do a STEP on the INT 0x2E?

I don't modify any register values.
When I do the STEP, the PC immediately RESTARTS!

Is it a BUG or not?

It's also the same if I use the "Sysenter Debugger" (Trial Version)


Last edited by Pirata Derek on 07 Nov 2008, 15:33; edited 1 time in total
Post 07 Nov 2008, 15:29

revolution
Pirata Derek wrote:
> Why does Kernel Debugger crash sometimes when I do a STEP on the INT 0x2E?
>
> I don't modify any register values.
> When I do the STEP, the PC immediately RESTARTS!
>
> Is it a BUG or not?
>
> It's also the same if I use the "Sysenter Debugger" (Trial Version)

I think you need a better debugger.
Post 07 Nov 2008, 15:31

Pirata Derek
It's strange because 2 different K-Dbgs crash the same way!
Sysenter crashes more often than the other, on the INT 0x2E

Bah!!!
Post 07 Nov 2008, 15:35

baldr
Pirata Derek,

Do you have "Automatic restart" in system properties' "Startup and Recovery" enabled? Disable and get BSoD, then meditate on that… If it's not enough, get full core dump and analyse it.
Post 07 Nov 2008, 16:18

LocoDelAssembly
Does LiveKD StepInto/StepOver kernel-mode code? Unless I am missing something it only allows you to do live execution of debugging commands (those that allow you to read the page table, read ETHREADs, etc.), but by no means does it allow you to trace kernel mode code.
Post 07 Nov 2008, 18:02

Pirata Derek
Baldr,

It's the same thing without automatic restart.
The only difference is that now the PC stays "stoned" after INT 0x2E, or sometimes it restarts....

I don't understand what it does!

Probably my computer is exhausted from all the tests I do on it!!


Last edited by Pirata Derek on 10 Nov 2008, 11:40; edited 2 times in total
Post 10 Nov 2008, 10:13

Pirata Derek
LocoDelAssembly,

SPANISH (translated):
I do the "STEP INTO" in the kernel code with SYSENTER (a debugger for kernels), and it's Sysenter that gives me most of the problems I wrote about above.
For me it's better than Windows' K-Dbg, it's more practical... but it's TRIAL!

ENGLISH:
I do the "STEP INTO" into the kernel code with SYSENTER Debugger (Kernel mode), and SYSENTER gives me most of the problems
I wrote before...
I use it because it's more practical than K-Dbg for Windows... but it's trial!
Post 10 Nov 2008, 10:24

Pirata Derek
This month, I've created a little program called "Permanent DLL Injector"
that inserts its DLL into any target program, and every time the target program starts,
it doesn't call the original library.... but the dropped DLL!

The DLL dropped by the injector can do everything before returning to the caller.
(For example, I can hook all the exported functions of the original DLL!)

This method lets you control the target program's activity by hooking
its imports without directly modifying the original library.

THE TARGET PROGRAM REMAINS HOOKED UNTIL YOU REMODIFY ITS IMPORTS LIBRARY
(For tests use a copy of any original program)


Last edited by Pirata Derek on 11 Nov 2008, 11:11; edited 3 times in total
Post 11 Nov 2008, 10:45

Pirata Derek
This is the DLL injector, with its source and a test area,
with a TEST program created by me, where you can test the functionality
of the program....

You can modify the source to change the target program.
(You also have to modify the FAKE DLL source in the include directory)

If there's a bug, please notify me...

Now, I'm going to make a UNIVERSAL DLL that:

- Does what it wants when it is called
- Analyzes the called function of the caller program
(library and function name)
- Loads the correct library
- Finds the virtual address of the original function
- Calls the original function
- Modifies the return value (optional)


Attachment: Permanent DLL injector.rar (87.44 KB)

Post 11 Nov 2008, 10:47

Pirata Derek
The direct injection on a system DLL like NTdll.dll or kernel32.dll works after system start...
on booting it doesn't work...

Probably because they have a fixed loading area offset when the system starts.

Can someone find a way to inject them anyway?

I have the source of a sample program that injects a FAKE DLL (K32Hook!.dll)
on Kernel32.dll that RE-CALLS every API call Kernel32.dll
makes to NTDLL.dll...

You should have a Virtual PC to do these tests....
Post 13 Nov 2008, 08:34
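Both the "Permanent DLL Injector" post and the K32Hook!.dll post above come down to the same artifact on disk: the target's import directory names a dropped DLL instead of the original one. Added example, not code from this thread: a Python import-directory walker that lists which DLLs a PE32 file imports and flags names outside an expected set; the image it parses is constructed here (not loadable) and the expected-DLL list is an assumed default.

```python
import struct

# Constructed PE32 skeleton: DOS stub, PE/COFF header, optional header and one
# section holding only an import directory. Not loadable; for parsing only.
def build_sample_image(dll_names):
    sec_va, sec_raw = 0x1000, 0x200
    desc_len = 20 * (len(dll_names) + 1)          # descriptors + null terminator
    names, rvas, pos = b"", [], sec_va + desc_len
    for n in dll_names:
        rvas.append(pos); names += n.encode() + b"\0"; pos += len(n) + 1
    body = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in rvas) + bytes(20) + names
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<II", opt, 0x68, sec_va, desc_len)           # DataDirectory[IMPORT]
    sec = struct.pack("<8sIIII", b".idata", len(body), sec_va, len(body), sec_raw) + bytes(16)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr + bytes(sec_raw - len(hdr)) + body

def imported_dlls(data):
    """Walk IMAGE_DIRECTORY_ENTRY_IMPORT of a PE file on disk and return the DLL names."""
    if data[:2] != b"MZ": raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (0x68 if magic == 0x10B else 0x78)       # import entry, PE32 / PE32+
    imp_rva = struct.unpack_from("<I", data, dir_off)[0]
    if imp_rva == 0: return []                                # no import directory at all
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)[2:5] for i in range(nsec)]
    def rva_to_off(rva):                                      # (VirtualAddress, SizeOfRawData, PointerToRawData)
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size: return raw_ptr + rva - va
        raise ValueError("RVA %#x outside every section" % rva)
    names, off = [], rva_to_off(imp_rva)
    while True:                                               # IMAGE_IMPORT_DESCRIPTOR, 20 bytes each
        _, _, _, name_rva, _ = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0: break
        noff = rva_to_off(name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
        off += 20
    return names

def unexpected_imports(data, expected=("kernel32.dll", "ntdll.dll", "user32.dll")):
    """DLLs the image imports that are not on the expected list (e.g. a dropped hook DLL)."""
    return [n for n in imported_dlls(data) if n.lower() not in expected]
```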

Pirata Derek
I'm making another K32Hooker because I think the previous one has a bug....

(Sometimes the Hooker Injection Module doesn't want to inject!)


Last edited by Pirata Derek on 14 Nov 2008, 13:08; edited 2 times in total
Post 13 Nov 2008, 13:30

Pirata Derek
I've created a little tool for network management that operates on a
remote PC and executes all that I want... like a botnet...
(create, copy, erase, rename files or directories, etc...)
It works on network port 27.

You drive this program with a file called REMOTE CONTROLLER;
you connect it to the remote PC on port 27, send it instructions
and it executes them all. (Type HELP to get the command list)
If you want to do a test, run the program and open the controller,
connect it to 127.0.0.1 on port 27 and send it some commands.

It can connect at least 65535 different users and execute their commands.
Also it has an internal PRIVILEGE system for the users, and I'm
implementing a little CHAT function into it...

This program IS NOT A VIRUS; in fact you can close it with the QUIT
command or using the TASK-MANAGER and killing it.
(See the source code if you want)

I can't find a little BUG:
In all the SHOW-???? commands the MessageBox is inactive!
It doesn't work normally! Why?

Who can help me?


Attachment: Project.zip (149.47 KB), the SOURCE CODE of my little tool, with its controller



Last edited by Pirata Derek on 24 Nov 2008, 11:29; edited 6 times in total
Post 24 Nov 2008, 11:02

revolution
Yes, remote control can be very important in many situations, as long as the installation and runtime capabilities are known to the user of the machine. A virus would use tricks and fool users into running code and then typically hide and protect itself to prevent removal.
Post 24 Nov 2008, 11:08

Pirata Derek
For example if I send the command from the controller to the program:

SHOW-MEX this is a test message+test capition

it executes the command and shows the Message Box with the text below,
but the message box is inactive and I can't press the OK button!

The same thing with the other SHOW functions...
Maybe an incorrect USER32.dll handle use in the Dialog Box Param?
Post 24 Nov 2008, 12:28
Copyright © 1999-2020, Tomasz Grysztar.