Exe as DLL
Author: David Zimmer
Date: 10.25.10 - 5:28pm

Quick update to my Using_an_exe_as_a_dll article today. I was analyzing some code that was dumped from a memory injection. No APIs were used in the target section, and there were no relocations in that section either. It wouldn't load with LoadLibrary (at first anyway), so I went an even simpler route: create a VirtualAlloc'ed section at the desired address, load the file into the memory buffer, and call directly into it like you would when testing shellcode. Worked like a charm.

Originally I was calling into a point that did need some fixups. That still works; you just have to do them manually yourself. You could add in a couple of APIs in this manner too if you really had to; it just makes your loader a bit more to debug. (Kinda speaks to how shitty of a task you are doing when you do stuff like this, huh? :)
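#include <windows.h>
#include <stdio.h>

// Loads a raw file into memory at a fixed address (32-bit build: addresses fit in an int).
// Returns the base address on success, 0 on failure.
int LoadFileAtAddress(char* filename, unsigned int address, unsigned int padding){

    DWORD l = 0;
    OFSTRUCT o;

    HANDLE h = (HANDLE)OpenFile(filename, &o, OF_READ);
    if(h == INVALID_HANDLE_VALUE){
        printf("Could not open file %s\n", filename);
        return 0;
    }

    unsigned int fsize = GetFileSize(h, NULL);
    if(fsize == INVALID_FILE_SIZE){
        printf("Could not get filesize\n");
        CloseHandle(h);
        return 0;
    }

    // bufsz is the whole allocation: file contents plus trailing padding
    unsigned int bufsz = fsize + padding;
    printf("Allocation Base: %x Size: %x Padding: %x End: %x\n", address, fsize, padding, address + bufsz);

    // Release anything already mapped in the target range, one page at a time
    printf("Trying to clear way for alloc...\n");
    unsigned int x = address;
    while(x < address + bufsz){
        UnmapViewOfFile((void*)x);
        FreeLibrary((HMODULE)x);
        x += 0x1000;
    }

    void* mem = VirtualAlloc((void*)address, bufsz, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if((unsigned int)mem != address){
        printf("Could not obtain desired base address...\n");
        if(mem) VirtualFree(mem, 0, MEM_RELEASE);
        CloseHandle(h);
        return 0;
    }

    // Read only the file's own bytes; the padding stays zero-filled
    if(!ReadFile(h, mem, fsize, &l, 0) || l != fsize){
        printf("Could not read file into buffer\n");
        VirtualFree(mem, 0, MEM_RELEASE);
        CloseHandle(h);
        return 0;
    }

    CloseHandle(h);
    return (int)mem;
}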
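
The approach above depends on the target section needing no relocations, or on doing the fixups by hand. As an added example (not part of the original post or the author's loader), this C routine counts the base-relocation entries that land in a given RVA range of a PE32 image, so you know how many fixups a section needs before running it at a fixed base. It assumes a memory-layout dump where file offset equals RVA; count_fixups_in_range, build_sample and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Little-endian readers; no alignment assumptions about the dump buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Count base-relocation fixups that land in RVA range [lo, hi) of a PE32 image
   held in memory layout (offset == RVA, an assumption). -1 = malformed input. */
int count_fixups_in_range(const uint8_t *img, size_t len, uint32_t lo, uint32_t hi) {
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                                 /* e_lfanew */
    if (nt > len || len - nt < 24 + 96 + 6 * 8) return -1;          /* headers fit? */
    const uint8_t *opt = img + nt + 24;                             /* optional header */
    if (rd32(img + nt) != 0x4550 || rd16(opt) != 0x10B) return -1;  /* "PE\0\0", PE32 */
    uint32_t rva = rd32(opt + 136), size = rd32(opt + 140);         /* DataDirectory[5] */
    if (rd32(opt + 92) < 6 || rva == 0 || size == 0) return 0;      /* no reloc table */
    if (rva > len || size > len - rva) return -1;
    int hits = 0;
    for (uint32_t off = 0; size - off >= 8; ) {
        const uint8_t *blk = img + rva + off;
        uint32_t page = rd32(blk), bsz = rd32(blk + 4);             /* PageRVA, BlockSize */
        if (bsz < 8 || bsz > size - off) return -1;
        for (uint32_t i = 8; i + 2 <= bsz; i += 2) {
            uint16_t e = rd16(blk + i);                             /* type:4 | offset:12 */
            if ((e >> 12) && page + (e & 0xFFF) >= lo && page + (e & 0xFFF) < hi) hits++;
        }
        off += bsz;
    }
    return hits;   /* type 0 entries are padding and are never counted */
}

/* Constructed sample: bare PE32 headers plus one reloc block at RVA 0x200 for
   page 0x1000: fixups at 0x1004, 0x1010, 0x1FF0 and one type-0 pad entry. */
void build_sample(uint8_t img[0x400]) {
    static const uint8_t blk[16] = {0,0x10,0,0, 16,0,0,0, 4,0x30, 0x10,0x30, 0xF0,0x3F, 0,0};
    memset(img, 0, 0x400);
    memcpy(img, "MZ", 2); img[0x3C] = 0x40; memcpy(img + 0x40, "PE", 2);
    uint8_t *opt = img + 0x40 + 24;
    opt[0] = 0x0B; opt[1] = 0x01; opt[92] = 16;   /* PE32, 16 data directories */
    opt[137] = 0x02; opt[140] = 16;               /* reloc dir: RVA 0x200, size 16 */
    memcpy(img + 0x200, blk, 16);
}

int main(void) {
    uint8_t img[0x400];
    build_sample(img);
    printf("fixups in 0x1000-0x2000: %d\n", count_fixups_in_range(img, sizeof img, 0x1000, 0x2000));
    return 0;
}
```

A result of 0 for the section's range matches the "no relocations in that section" case from the post; any other count is the number of addresses that would have to be patched manually.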