0% found this document useful (0 votes)
109 views16 pages

DLL Injection

This document discusses DLL injection techniques. It begins by explaining basics of DLLs, such as how they share memory across processes and own no local variables or data. It then outlines methods for DLL injection like registry, hooks, remote threads, and trojan DLLs. The main technique discussed is using CreateRemoteThread to load a DLL into another process's address space by writing the DLL path to the target process's memory and calling LoadLibraryW. An example DLL is provided that patches game code to call a hack function and display messages.

Uploaded by

Nier
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
109 views16 pages

DLL Injection

This document discusses DLL injection techniques. It begins by explaining basics of DLLs, such as how they share memory across processes and own no local variables or data. It then outlines methods for DLL injection like registry, hooks, remote threads, and trojan DLLs. The main technique discussed is using CreateRemoteThread to load a DLL into another process's address space by writing the DLL path to the target process's memory and calling LoadLibraryW. An example DLL is provided that patches game code to call a hack function and display messages.

Uploaded by

Nier
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 16

DLL injection

Outline
• DLL basics
• DLL injection
• Example DLL
DLL basics
• Conserve memory
• The pages are shared by all of the applications
• DLL owns nothing
• Local variables
• Use the thread’s stack
• Global and static data variables
• Create instances of them when process maps a DLL image file
into its address space
DLL injection methods
• Registry
• Windows Hooks
• Remote Threads
• Trojan DLL
• Else…
DLL injection (1/8)
• Goal
• Break through process boundary walls to access another
process’ address space
• Problem
• Separate address spaces
• Solution
• Get the code into another process’ address space
DLL injection (2/8)
• Idea
• Create a remote thread in another process
• CreateRemoteThread
• Load DLL in that thread
• LoadLibraryW
HANDLE CreateRemoteThread(
HANDLE hProcess,
PSECURITY_ATTRIBUTES psa,
DWORD dwStackSize,
PTHREAD_START_ROUTINE pfnStartAddr,
PVOID pvParam,
DWORD fdwCreate,
PDWORD pdwThreadId);
DLL injection (3/8)
• Use LoadLibraryW instead of thread function
• CreateRemoteThread needs a thread function
• DWORD WINAPI ThreadFunc(PVOID pvParam);
• LoadLibraryW function
• HMODULE WINAPI LoadLibraryW(LPCWSTR lpLibFileName);
• Single parameter
• Return a value
• WINAPI calling convention
• HANDLE hThread =
CreateRemoteThread(hProcessRemote, NULL, 0,
LoadLibraryW, L"C:\\MyLib.dll", 0, NULL);
DLL injection (4/8)
• HANDLE hThread =
CreateRemoteThread(hProcessRemote, NULL, 0,
LoadLibraryW, L"C:\\MyLib.dll", 0, NULL);
• The L before the string means this is an Unicode string,
which LoadLibraryW needs
• 2 problems
• LoadLibraryW actually calls to module’s import section
and then jumps to the actual function
• The string L”C:\\MyLib.dll” is in the calling process’
address space
DLL injection (5/8)
• LoadLibraryW actually calls to module’s import
section and then jumps to the actual function
• The import section may be different in different
processes
• GetProcAddress(GetModuleHandle(TEXT("Kernel32")),
"LoadLibraryW");
DLL injection (6/8)
• Assumptions
• The address of LoadLibraryW may change between two
reboots if Address Space Layout Randomization (ASLR) is
enabled
• A normal executable image file may mapped into different
addresses at each “restart”. However, LoadLibraryW is in
Kernel32.dll and it will be loaded at each “reboot”.
• LoadLibraryW is mapped to the same memory location
in every process
DLL injection (7/8)
• The string L”C:\\MyLib.dll” is in the calling process’
address space
• VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT,
PAGE_READWRITE);
• WriteProcessMemory(hProcess, pszLibFileRemote,
(PVOID) pszLibFile, cb, NULL);
• hProcess: handle of remote process
• cb: the number of bytes needed for the DLL's pathname
• pszLibFileRemote: the address of the destination
• pszLibFile: the address of the source
DLL injection (8/8)
• Walkthrough
• OpenProcess
• VirtualAllocEx
• WriteProcessMemory
• GetProcAddress
• CreateRemoteThreadEx
Example DLL (1/4)
• Target executable image file: Ragnarok Online
• Print the message when DLL had been loaded
• DllMain function called with DLL_PROCESS_ATTACH
when DLL loaded
• DisplayMessage("Loading test plugin.", 0x64FFFF);
• Print the current experience after killing a monster
• Need to patch the game
Example DLL (2/4)
• At address 0x0073BAD8
• A3 2C 51 9C 00 mov dword, ptr DS:[9C512C], eax
• The code that save the experience after killing a
monster
• Total bytes need to >= 5 because of the call opcode
• Idea
• Change 0x0073BAD8 to a call to shellcode in DLL
• Shellcode simply do the same thing at 0x0073BAD8 and
call our desired function
Example DLL (3/4)
• Summary
• The process reaches the patch
• The patch calls the wrapper
• The over-written instruction(s) run in the wrapper
• The wrapper saves the registers
• The wrapper calls the hack function
• The wrapper restores the variables
• The wrapper returns back to the ordinary code
• Program continues executing normally
Example DLL (4/4)
• Assumptions
• The patch will fail when the target executable image file
enables ASLR.

You might also like