Monday, August 20, 2012
Nullcon Delhi 2012: RE and Malware Analysis Training
We will be conducting a 2-day Training Session on Reverse Engineering and Malware Analysis in co-operation with the Nullcon team at Nullcon Delhi 2012.
Wednesday, August 8, 2012
Remote DLL Loader
Sometimes it is necessary to force a remote process to load an arbitrary DLL via LoadLibrary. Once the loaded DLL executes inside the address space of the target process, it can perform a wide variety of operations. For applications linked with user32.dll this can be achieved with the AppInit_DLLs registry option.
However we want a bit more generic solution and that too without modifying anything in the system. The idea is quite simple and perhaps widely used:
- Find or execute the target process and obtain its handle
- Allocate memory in the target process using VirtualAllocEx
- Write shellcode that calls LoadLibrary("C:\\Our.dll") into that memory using WriteProcessMemory
- Execute the shellcode using CreateRemoteThread
Thanks to the excellent Metasm library, building and testing the tool was a matter of less than an hour. The tool can be found here.
Note: After LoadLibrary(..) returns, the loader shellcode looks for an exported function named Init in the DLL and calls it if found. This allows performing operations which otherwise should not be performed from DllMain.
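From the defender's side, the observable point of the four-step sequence above is the CreateRemoteThread call: VirtualAllocEx and WriteProcessMemory leave no event of their own in Sysmon, but the new thread is recorded as Sysmon Event ID 8 (CreateRemoteThread) with the start address and, when the address lies inside a loaded module, the module and export it resolves to. The following triage script is an added example and not the post's loader or any tool of its author. It assumes the Sysmon Event ID 8 field names (SourceImage, TargetImage, StartAddress, StartModule, StartFunction) and works over constructed sample records, not captured telemetry. It flags two shapes of this technique: a thread whose start function is a LoadLibrary export (the variant where the DLL path is handed to the thread as its parameter), and a thread that starts in memory not backed by any module (what the post's loader shellcode looks like, since the thread begins in the VirtualAllocEx'd region).

```python
"""Sysmon Event ID 8 triage for the remote-thread DLL loading pattern.

Added example, not the original post's loader. Field names follow the Sysmon
CreateRemoteThread (Event ID 8) schema; the log text below is constructed
sample data, not captured telemetry.
"""
from typing import Dict, List, Optional

# Exports a remote thread is pointed at when the DLL path is passed to the
# thread as its parameter (the simplest variant of the technique).
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed sample records in the "Key: Value" layout of the Sysmon event
# message text. Blank lines separate records. Paths, PIDs and addresses are
# made up for the example.
SAMPLE_LOG = """\
UtcTime: 2012-08-08 10:15:02.113
SourceProcessId: 4120
SourceImage: C:\\Tools\\loader.exe
TargetProcessId: 2284
TargetImage: C:\\Windows\\System32\\notepad.exe
StartAddress: 0x00007FFB1A2C1B40
StartModule: C:\\Windows\\System32\\KERNEL32.DLL
StartFunction: LoadLibraryA

UtcTime: 2012-08-08 10:16:40.877
SourceProcessId: 4120
SourceImage: C:\\Tools\\loader.exe
TargetProcessId: 2284
TargetImage: C:\\Windows\\System32\\notepad.exe
StartAddress: 0x000001F4ABC00000
StartModule:
StartFunction:

UtcTime: 2012-08-08 10:20:11.004
SourceProcessId: 980
SourceImage: C:\\Program Files\\Debugger\\dbg.exe
TargetProcessId: 2284
TargetImage: C:\\Windows\\System32\\notepad.exe
StartAddress: 0x00007FFB1D0A7F30
StartModule: C:\\Windows\\System32\\ntdll.dll
StartFunction: DbgUiRemoteBreakin
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split "Key: Value" message text into one dict per record."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a record
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # split on the first colon only,
        current[key.strip()] = value.strip()  # so drive letters survive
    if current:
        events.append(current)
    return events


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record matches the injection pattern, else None."""
    func = event.get("StartFunction", "")
    module = event.get("StartModule", "")
    if func in LOADLIBRARY_EXPORTS:
        return f"remote thread starts at {func}: DLL path likely passed as the thread parameter"
    if not module:
        # Start address resolves to no loaded module: the thread begins in a
        # region allocated and filled from outside the process.
        return "remote thread starts in memory not backed by any loaded module"
    return None   # e.g. a debugger break-in thread; left to other rules


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Collect flagged records with the fields an analyst needs first."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append({
                "time": ev.get("UtcTime", ""),
                "source": ev.get("SourceImage", ""),
                "target": ev.get("TargetImage", ""),
                "start": ev.get("StartAddress", ""),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f"{hit['time']} {hit['source']} -> {hit['target']} @ {hit['start']}: {hit['reason']}")
```

Run as-is, the script flags the first two constructed records and leaves the debugger attach alone. In practice the unbacked-start rule is the more robust of the two, since the start function of an injected thread can be any export, while a thread that begins outside every mapped module has few legitimate explanations in most processes; pairing a hit with the source process's preceding Sysmon Event ID 10 (ProcessAccess) record for the same target gives the full VirtualAllocEx / WriteProcessMemory / CreateRemoteThread story.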
The usage is pretty simple: