InjDll runtime config

Author: David Zimmer
Date: 05.31.12 - 6:04pm

Quick post on an successful experiment i ran and a new addition to the sysanalyzer api_log.dll.

I wanted a way where I could configure the injection dll at runtime. Since the hooks are set in dll main, things like file system access are out. I could have tried shared memory section or pipes or something, but really I already have an IPC mechanism in place, namely the WM_COPYDATA messaging.

So in the dll, I find the controllers window handle by caption/class and then send messages to it. The first round of messages, is now config polling messages to see if various options are set. SendWindowMessage has a return value, if this is non-zero, then an option is being sent. ( I had to rework my subclass library to support this but thats another story!)

So now we have runtime configurations for times like "Ignore long sleeps", or "Block OpenProcess" or "Ignore ExitProcess" etc.

What about if we want to reconfigure the library after its already gone through its startup routine when we change options in the logging ui (external process)?

Turns out there is an easy solution for this as well. On initial config, one of the messages i send to the logging interface is a configHandler:[address] message telling the UI the exact offset of a THREADPROC function in the dll.

Anytime you need to reconfig the injected library, the main ui can call CreateRemoteThread with this address to trigger it to repoll the UI settings. I am not really sure if the extra thread without synchronization of the injected process could potentially cause problems, but its been stable so far in testing. Since the user has to manually trigger this to happen, and its a research tool, I am not to worried about it.

New installer on github has the updated binaries. The main sysanalyzer app also received a couple new features, one to scane for RWE injections in all processes, a memory map viewer, and a new built hexeditor/viewer component that I am really happy with. (Thanks Rang3r!)

pdfstreamdumper now also uses this hexeditor component for the hexdump pane and some internal data viewing. Should eliminate the hangs on loading large hexblobs that used to happen as it was previously all converted to a text string all at once for display.

Comments: (0)

Leave Comment:
Email: (not shown)
Message: (Required)
Math Question: 25 + 79 = ? followed by the letter: I 

About Me
More Blogs
Main Site
Yara WorkBench
vbdec dbg updates
vb6 PCode NOP
vb6 API and call backs
how pcode works Pt1
Reversing PCode Args
VB6 PCode Disassembly
VB6 PCode Debugger
UConnect Disable Cell Modem
IDA python over IPC
dns wildcard blocking
64bit IDA Plugins
anterior lines
misc news/updates
Decoders again
CDO.Message Breakpoints
SysAnalyzer Updates
SysAnalyzer and Site Updates
crazy decoder
ida js w/dbg
flash patching #2
JS Graphing
packet reassembly
Delphi IDA Plugin
scdbg IDA integration
API Hash Database
Winmerge plugin
IDACompare Updates
Guest Post @ hexblog
TCP Stream Reassembly
SysAnalyzer Updates
Apilogger Video
Shellcode2Exe trainer
scdbg updates
IDA Javascript w/IDE
Rop Analysis II
scdbg vrs ROP
flash patching
x64 Hooks
micro hook
jmp api+5 *2
SysAnalyzer Updates
InjDll runtime config
C# Asm/Dsm Library
Shellcode Hook Detection
Updates II
Java Hacking
Windows 8
Win7 x64
Graphing ideas
.Net Hacking
Old iDefense Releases
hll shellcode
ActionScript Tips
-patch fu
scdbg ordinal lookup
scdbg -api mode
Peb Module Lists
scdbg vrs Process Injection
GetProcAddress Scanner
scdbg fopen mode
scdbg findsc mode
scdbg MemMonitor
demo shellcodes
scdbg download
api hashs redux
Api hash gen
Retro XSS Chat Codes
Exe as DLL
Olly Plugins
Debugging Explorer
Attach to hidden process
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
PDF Stream Dumper
Malcode Call API by Hash
WinDbg Cheat Sheet
GPG Automation