Upload File

dll & hooking - university of british columbiaudls/slides/udls-gori-dll.pdf · a dll - dynamic link...

  • Home
  • Documents
  • dll & hooking - University of British Columbiaudls/slides/udls-gori-dll.pdf · A DLL - Dynamic Link Library - is a library that contains code and data that can be used by more than
23
DLL Injection and x86 Hooking Demystified Giorgio Gori Sources: What is a DLL? https://support.microsoft.com/en-ca/kb/815065 Windows DLL Injection Basics by Brad Antoniewicz http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html x86 API Hooking Demystified by Jurriaan Bremer http://jbremer.org/x86-api-hooking-demystified/

Upload: others

Post on 19-Feb-2021

7 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • DLL Injection and 
x86 Hooking Demystified

    Giorgio Gori

    Sources:

    What is a DLL? 
https://support.microsoft.com/en-ca/kb/815065 Windows DLL Injection Basics by Brad Antoniewicz 
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html x86 API Hooking Demystified by Jurriaan Bremer 
http://jbremer.org/x86-api-hooking-demystified/

    https://support.microsoft.com/en-ca/kb/815065http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.htmlhttp://jbremer.org/x86-api-hooking-demystified/

  • What is a DLL?

    A DLL - Dynamic Link Library - is a library that contains code and data that can be used by more than one program at the same time.

    • Uses fewer resources

    • Promotes modular architecture

    • Eases deployment and installation

  • Creating a DLLBOOLAPIENTRYDllMain(HANDLEhModule,DWORDul_reason_for_call,LPVOIDlpReserved){

    switch(ul_reason_for_call){caseDLL_PROCESS_ATTACHED://AprocessisloadingtheDLL.caseDLL_THREAD_ATTACHED://Aprocessiscreatinganewthread.caseDLL_THREAD_DETACH://Athreadexitsnormally.caseDLL_PROCESS_DETACH://AprocessunloadstheDLL.break;}

    returnTRUE;}

    extern__declspec(dllexport)voidHelloWorld(){ MessageBox(NULL,TEXT("HelloWorld"),TEXT("InaDLL"),MB_OK);}

  • Using a DLL• Load-time dynamic linking


    Provide a header (.h) and library (.lib) at compile and link time. Linker will provide information to resolve the DLL functions at load time.

    #include"MyDLL.h"

    intmain(){HelloWorld();return0;}

  • Using a DLL• Run-time dynamic linking


    Call LoadLibrary(...) and GetProcAddress(...) at run time, then call the function by address.

    intmain(){HMODULEdll=LoadLibrary("MyDLL.dll");if(dll!=NULL){FARPROCHelloWorld=GetProcAddress(dll,"HelloWorld");if(HelloWorld!=NULL)HelloWorld();

    FreeLibrary(dll);}return0;}

  • DLL Injection

    Invoke LoadLibrary from the target process

    Create a Thread, use LoadLibrary as entry point, and the dll path as argument

  • DLL Injection

    1. Attach to the target process.

    2. Allocate memory within the process.

    3. Copy DLL path into the process memory and find LoadLibrary address.

    4. Execute your DLL.

  • DLLMain Thread

    main thread

    main thread

    main thread

    main thread

    Target ProcessInjectorThreads 1..nAttach1.

    Threads 1..nAllocate Memory2.

    Threads 1..n

    C:\... .dll

    Copy DLL / Determine Addr3.

    Threads 1..n

    C:\... .dll

    Execute4.

    Threads 1..n

    OpenProcess();

    VirtualAllocEx();

    WriteProcessMemory();GetProcAddress(..., "LoadLibrary")

    CreateRemoteThread(process_handle, 
..., LoadLibraryPtr, PathPtr, ...);

  • DLL Proxying, DLL Hijacking

    • Both work by impersonating the legitimate DLL and (typically) relaying functionality to it. They can be used both to extend functionality and as a malicious attack vector.

    • Proxying: Rename the legitimate DLL, replace with your own.

    • Hijacking: Abuse Windows' DLL Search order to load your DLL before the legitimate one.

  • DLL Injection: Why?

    • Read and write process memory

    • Execute custom code, invoke existing functions

    • Patch binary code, add hooks

  • x86 HookingChange the byte code to alter the execution. Common uses include: • Debugging. • Profiling. • Extending functionality. • Execute general "on event" code.

  • function_A:
0x401000: push ebp
0x401001: mov ebp, esp
0x401003: sub esp, 0x40
0x401006: push ebx
0x401007: mov ebx, dword [esp+0x0c]
...

  • function_A:
0x401000: push ebp
0x401001: mov ebp, esp
0x401003: sub esp, 0x40
0x401006: push ebx
0x401007: mov ebx, dword [esp+0x0c]
...

    function_A:
0x401000: jmp function_B
0x401005: nop
0x401006: push ebx
0x401007: mov ebx, dword [esp+0x0c]
...

    Stolen Bytes

  • Stolen Bytes

    function_A:
0x401000: jmp function_B
0x401005: nop
0x401006: push ebx
0x401007: mov ebx, dword [esp+0x0c]

    function_B:
0x401800: push ebp
0x401800: mov ebp, esp
0x401800: sub esp, 0x40
0x401800: ... snip ...
0x401820: call function_A_gate
0x401825: ... snip ...
0x401836: retn

    function_A_gate:
0x402000: push ebp
0x402001: mov ebp, esp
0x402003: sub esp, 0x40
0x402006: jmp function_A + 6

  • • Game does not support clickable links. Players have to click, select, copy, paste in web browser.

    • We follow the call from the input handler to the 
UI creation.

    • Hook the function that
creates the UI element.

    • Open in web browser
if the name is a URL.

    Hooking example

  • Original Function

    .text (Code)

    Registers

    StackDump / Heap

    Stolen Bytes

  • Hooked Function

  • Detour Start

  • Detour End

  • Gate

    Stolen Bytes

  • DirectX EndScene HookingGame Mods Steam Overlay

    Performance Monitors FPS Counters

  • Sources:

    What is a DLL? 
https://support.microsoft.com/en-ca/kb/815065 Windows DLL Injection Basics by Brad Antoniewicz 
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html x86 API Hooking Demystified by Jurriaan Bremer 
http://jbremer.org/x86-api-hooking-demystified/

    Other topics include: • Advanced / Stealth injection techniques • Integrity of execution during hook installation • Hook restoration / cleanup • Hooking detection (anti-cheat) and advanced hooking methods • Multiple layers of hooks • Prevent hook recursion • Hooking different calling conventions and class methods

    DLL injection and x86 hooking demystified

    https://support.microsoft.com/en-ca/kb/815065http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.htmlhttp://jbremer.org/x86-api-hooking-demystified/

FSS LLL - 京都大学8966 -23.143 fss 7219 -25.2154 fss 2519 -38.4528 dll 3095 -35.4647 dll 4793 -29.9281 dll 7188 -25.27 dll 7446 -24.9178 dll 7110 -25.3796 dll 7570 -24.7451 dll

Sampoorna Biswas - University of British Columbiaudls/slides/udls-sampoorna... · Film Appreciation Part 1: How to Read a Film Sampoorna Biswas. Terminology and elements of a film

Titrasi serimetri dll

DLL Algorithms and Resolution Proofs - Computer Science · Section 2.3 the algorithm schema DLL-Learn is introduced which is a new natural generalization of both, DLL and DLL-L-UP

DLL Basics

fileYear: *' Month : ~ Date: ;2 .....················.. ·······!···GtV~.... UdLs.0_xk7..;:.···;;;;;:;·9..=..... · .. · jd",

Ancient Math Stuff From India - UBC Computer …udls/slides/udls-meghana-v-vedic...•Four Vedas: the Rig Veda, Sama Veda, Yajur Veda and Atharva Veda. •Transmitted orally from one

Antasida, dll

Douglas Dll

BHS HALUS DLL

Section 184A...6 DLL - 2020 - 04: Foreclosure / Eviction Moratorium DLL - 2020 –05: Appraisal, VOE, Tax Transcripts DLL - 2020 - 02: Loss Mitigation options/COVID-19 DLL - 2020 -

Are poor people less intelligent than rich people?udls/slides/udls-antoine.pdfless intelligent than rich people? The point of view of two French sociologists The education system in

Software License Agreement - Subsystems · prototypes for the API functions. His32.DLL The DLL file His32.LIB Import library for the His32 DLL ter28.dll Used internally by the His32.DLL

ABSTRAK DLL

What is a Nerd?udls/slides/udls-neil-traft-nerds-part-1.pdf · A historical and journalistic examination of the cultural psychology of outcast groups in contemporary North America

Olives: what are they anyways?udls/slides/udls-yasha-olives.pdf · Try some olives you’ll love them! Stuffed Manzanilla (or Spanish Olives) Kalamata Olives Greek Olives Castelvetrano

DLL Algorithm

Babesiosis dll

UDLS - University of British Columbiaudls/slides/prashant_world_travel.pdf•The World is a book, and those who do not travel read only a page. - Saint Augustine •I travel not to

Using OpenGL in Visual C++ Opengl32.dll and glu32.dll should be in the system folder Opengl32.dll and glu32.dll should be in the system folder Opengl32.lib

Ages Rock Climbing through the - UBC Computer …udls/slides/Rock-Climbing.pdf · Rock Climbing through the Ages Michael Firmin UDLS: Feb 28, 2014

ESPORTS - University of British Columbiaudls/slides/udls-giovanni-viviani... · 2015-01-26 · Jönköping - Sweden - 2011 100.000$ Los Angeles - United States - 2012 2.000.000$ Los

Grad School - University of British Columbiaudls/slides/udls-louie-dinh-hidden-cost-grad... · If you had a machine that could give you anything you wanted there would be no need

tujuan dll

DLL Atacado

Fiction Science - University of British Columbiaudls/slides/udls-neil-newman... · 2016. 1. 11. · think we damned well ought to be androgynous. I'm merely observing, in the

KOMPENSASI DLL

fischertechnik Interfaces umFish40 - ftCommunity Interfaces umFish40.DLL umFish40.DLL - 3 umFish40.DLL Common umFish40.DLL v4.3.75.0 is based on the FtLib module v1.70a supplied by

a history of coffee From Bean to Cup - UBC Computer Scienceudls/slides/from-bean-to-cup.pdf · From Bean to Cup: a history of coffee Michael Firmin UDLS - 19 Sep 2014. What this UDLS

Formulir dll

Plan dll oconcejo

Tu]ôhÓ ¤ßY] A§dLeLÞdˇm F§Wô] R“ZL UdLs @–dßL

Logical Fallacies 101 - University of British Columbiaudls/slides/udls-elan... · 25.Gambler's Fallacy 26.Genetic Fallacy 27.Guilt By Association 28.Hasty Generalization 29.Ignoring

TRAKSI DLL

Dll injection