Exe as DLL


Author: David Zimmer
Date: 10.25.10 - 5:28pm



quick update to my Using_an_exe_as_a_dll article today.

Was analyzing some code that was dumped from a memory injection. No api were used in the target section, and no relocations in that section either. It wouldnt load with loadlibrary (at first anyway) so i went an even simplier route.

Create a VirtualAlloced section at teh desired address, Load the file into the mem buffer, and call directly into it like you would when testing shellcode.

Worked like a charm. Originally i was calling into a point that did need some fixups, still good you just have to manually do them yourself. You could add in a couple api in this manner if you really had to too just makes your loader a bit more to debug. (kinda speaks to how shitty of task you are doing when you do stuff like this huh? :)

int LoadFileAtAddress(char* filename, unsigned int address, unsigned int padding){

	DWORD l;
	OFSTRUCT o;

	HANDLE h =  (HANDLE)OpenFile(filename, &o , OF_READ);
	
	if(h == INVALID_HANDLE_VALUE ){
		printf("Could not open file %s\n", filename);
		return 0;
	}

	int bufsz = GetFileSize(h,NULL);
	
	if( bufsz == INVALID_FILE_SIZE){
		printf("Could not get filesize\n");
		CloseHandle(h);
		return 0;
	}

	printf("Allocation Base: %x  Size: %x  Padding: %x  End: %x\n", address,bufsz, padding, address+bufsz+padding);
	bufsz += padding;

	printf("Trying to clear way for alloc...\n");
	int x = address;
	while(x < address+bufsz+padding){
		UnmapViewOfFile( (void*)x );
		FreeLibrary( (HMODULE)x );
		x += 0x1000;
	}

	void* mem = VirtualAlloc((void*)address,bufsz, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	if((int)mem!=address){
		printf("Could not obtain desired base address...");
		CloseHandle(h);
		return 0;
	}

	ReadFile(h, mem, bufsz ,&l,0);
	CloseHandle(h);
	return (int)mem;
}





Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
 



Twitter
RSS

About Me
More Blogs
Main Site
Posts:
IDA python over IPC
dns wildcard blocking
64bit IDA Plugins
Twitter Feed
anterior lines
misc news/updates
KANAL Mod
Decoders again
CDO.Message Breakpoints
SysAnalyzer Updates
SysAnalyzer and Site Updates
crazy decoder
ida js w/dbg
flash patching #2
JS Graphing
packet reassembly
Delphi IDA Plugin
scdbg IDA integration
API Hash Database
Winmerge plugin
IDACompare Updates
Guest Post @ hexblog
TCP Stream Reassembly
SysAnalyzer Updates
Apilogger Video
Shellcode2Exe trainer
scdbg updates
IDA Javascript w/IDE
Rop Analysis II
scdbg vrs ROP
flash patching
x64 Hooks
micro hook
jmp api+5 *2
SysAnalyzer Updates
InjDll runtime config
C# Asm/Dsm Library
Shellcode Hook Detection
Updates II
findDll
Java Hacking
Windows 8
Win7 x64
Graphing ideas
.Net Hacking
Old iDefense Releases
BootLoaders
hll shellcode
ActionScript Tips
-patch fu
scdbg ordinal lookup
scdbg -api mode
Peb Module Lists
scdbg vrs Process Injection
GetProcAddress Scanner
scdbg fopen mode
scdbg findsc mode
scdbg MemMonitor
demo shellcodes
scdbg download
api hashs redux
Api hash gen
Retro XSS Chat Codes
Exe as DLL
Olly Plugins
Debugging Explorer
Attach to hidden process
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
PDF Stream Dumper
Malcode Call API by Hash
WinDbg Cheat Sheet
GPG Automation