Exe as DLLAuthor: David Zimmer Date: 10.25.10 - 5:28pm quick update to my Using_an_exe_as_a_dll article today. Was analyzing some code that was dumped from a memory injection. No api were used in the target section, and no relocations in that section either. It wouldnt load with loadlibrary (at first anyway) so i went an even simplier route. Create a VirtualAlloced section at teh desired address, Load the file into the mem buffer, and call directly into it like you would when testing shellcode. Worked like a charm. Originally i was calling into a point that did need some fixups, still good you just have to manually do them yourself. You could add in a couple api in this manner if you really had to too just makes your loader a bit more to debug. (kinda speaks to how shitty of task you are doing when you do stuff like this huh? :) int LoadFileAtAddress(char* filename, unsigned int address, unsigned int padding){ DWORD l; OFSTRUCT o; HANDLE h = (HANDLE)OpenFile(filename, &o , OF_READ); if(h == INVALID_HANDLE_VALUE ){ printf("Could not open file %s\n", filename); return 0; } int bufsz = GetFileSize(h,NULL); if( bufsz == INVALID_FILE_SIZE){ printf("Could not get filesize\n"); CloseHandle(h); return 0; } printf("Allocation Base: %x Size: %x Padding: %x End: %x\n", address,bufsz, padding, address+bufsz+padding); bufsz += padding; printf("Trying to clear way for alloc...\n"); int x = address; while(x < address+bufsz+padding){ UnmapViewOfFile( (void*)x ); FreeLibrary( (HMODULE)x ); x += 0x1000; } void* mem = VirtualAlloc((void*)address,bufsz, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); if((int)mem!=address){ printf("Could not obtain desired base address..."); CloseHandle(h); return 0; } ReadFile(h, mem, bufsz ,&l,0); CloseHandle(h); return (int)mem; } Comments: (0) |
About Me More Blogs Main Site
|
||||||||||||||||||||||||||