1. The three points at which a DLL gets loaded:
- At process creation, from the DLLs listed in the import table (static import)
- Through an explicit call to LoadLibrary (dynamic loading)
- Pre-loaded by the system
Here the DLL is loaded into the target by modifying the process's import table.
Method 1. Statically modifying the PE import table (test program: Notepad.exe)
- Preparation: prepare your own MsgDLL that exports a function Msg();
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>

// Thread routine that announces the DLL's presence (forward-declared so DllMain can reference it)
DWORD WINAPI ThreadShow(LPVOID lpParameter);

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // Do the work on a separate thread instead of inside DllMain itself
        CreateThread(NULL, 0, ThreadShow, NULL, 0, NULL);
    }
    return TRUE;
}

DWORD WINAPI ThreadShow(LPVOID lpParameter)
{
    char szPath[MAX_PATH] = { 0 };
    char szBuf[1024] = { 0 };
    // Get the path of the host process (ANSI variant, matching the char buffers)
    GetModuleFileNameA(NULL, szPath, MAX_PATH);
    sprintf(szBuf, "DLL has been injected into process: %s\t[PID = %d]\n", szPath, GetCurrentProcessId());
    // Show its presence in three ways
    // 1.
    MessageBoxA(NULL, szBuf, "DLL present", MB_OK);
    // 2.
    printf("%s\n", szBuf);
    // 3.
    OutputDebugStringA(szBuf);
    return 0;
}
Meaning of the parameters:
① hModule: the DLL's own instance handle;
② ul_reason_for_call: the reason DllMain is being called; it takes one of the following four values:
1. DLL_PROCESS_ATTACH:
When the DLL is first mapped into the calling process's address space, DllMain is called
with ul_reason_for_call set to DLL_PROCESS_ATTACH.
If the same process loads this DLL again later, the operating system only increments the DLL's usage count
and does not call DllMain with DLL_PROCESS_ATTACH again.
2. DLL_PROCESS_DETACH:
When the DLL is unmapped from the process's address space, the system calls its DllMain with ul_reason_for_call set to DLL_PROCESS_DETACH.
★ If the process ends because of a call to TerminateProcess, the system does not call the DLL's DllMain with DLL_PROCESS_DETACH. This means the DLL gets no chance to perform any cleanup before the process ends.
3. DLL_THREAD_ATTACH:
When a process creates a thread, the system looks at all DLL file images currently mapped into the process's address space
and calls each DLL's DllMain with the value DLL_THREAD_ATTACH.
The newly created thread is the one that executes these DllMain calls,
and only after all DLLs have finished processing the notification does the system let the thread begin executing its thread function.
4. DLL_THREAD_DETACH:
If a thread ends by calling ExitThread (when the thread function returns, the system calls ExitThread automatically),
the system looks at all DLL file images currently mapped into the process's address space
and calls each DllMain with DLL_THREAD_DETACH,
telling every DLL to perform thread-level cleanup.
★ Note: if the thread ends because of a call to TerminateThread,
the system does not call the DLLs' DllMain with DLL_THREAD_DETACH.
③ lpReserved: reserved.
- Step two: determine whether there is enough space to store the entry for our exported function ----> (PE format knowledge)
- If the space is insufficient, we have to expand a section or add a new section to get room for it;
- Notepad cannot hold our entry, so here I take the last approach and expand a section.
In the PE format we can then see that the data directory entry for the import table has RVA 0x7604.
So here we convert that RVA into a file offset (FOA): 0x7604 - 0x1000 (Virtual Address) + 0x400 (Raw Address) = 0x6a04 ----> PE knowledge; if this is unclear, go back and study the PE format.
Then open notepad in a hex editor; the one I use here is 010 Editor:
First, we can see that one import table entry is a 20-byte (0x14) structure; each 20-byte IMAGE_IMPORT_DESCRIPTOR in the import table describes the calls into one dynamic link library DLL:
The import table is contiguous and ends with an all-zero terminator entry, also 0x14 bytes in size.
Navigate to 0x6a04; as shown, the 0x14-byte end marker sits at the back.
Next, we expand the last section:
Move the original import table to the new address (copy it and paste it at the new address):
After pasting, build new OriginalFirstThunk, Name and FirstThunk structures in the area the original import table occupied (note that after pasting we clear the original import table area to make room for our own structures).
First clear it.
Then build our OriginalFirstThunk, Name and FirstThunk structures.
Before the PE file is loaded, OriginalFirstThunk and FirstThunk both point to IMAGE_IMPORT_BY_NAME.
From the structure layout we know:
DLLName: RawOffset = 0x6A14, RVA = 0x6A14 - 0x400 (Raw Address) + 0x1000 (Virtual Address) = 0x7614
IMPORT_BY_NAME: RawOffset = 0x6A20, RVA = 0x6A20 - 0x400 (Raw Address) + 0x1000 (Virtual Address) = 0x7620
When filling in the data by hand, pay attention to byte order (PE fields are stored little-endian):
Then fill the structure with these two offsets and the Name, giving a new import table entry:
OriginalFirstThunk: RawOffset = 0x6a04, RVA = 0x6a04 - 0x400 (Raw Address) + 0x1000 (Virtual Address) = 0x7604
FirstThunk: RawOffset = 0x6a0c, RVA = 0x6a0c - 0x400 (Raw Address) + 0x1000 (Virtual Address) = 0x7620
DLLName: RawOffset = 0x6A14, RVA = 0x6A14 - 0x400 (Raw Address) + 0x1000 (Virtual Address) = 0x7614
After editing, we fix up the PE file header information:
- The location the import directory entry points to
- FirstThunk ----> writable attribute
First fix the location the import directory entry points to:
Locate the import table RVA in 010:
Change it to point to our new location, which is in the last section:
Memory offset = 0xB000 + 0x8000 = 0x13000
File offset = 0x8400 + 0x8000 = 0x10400
Because the original import table location is now used to store the FirstThunk array, and that location's RVA is 0x7604, we can tell from the sections' starting addresses and sizes that it belongs to the .text section, whose original characteristics are 0x60000020. The write attribute is defined as follows:
#define IMAGE_SCN_MEM_WRITE 0x80000000 // section is writable
0x60000020 + 0x80000000 = 0xE0000020
So the section's new characteristics are the original characteristics plus the write attribute: 0xE0000020.
At this point the modification is complete; save the changes.
Then run the modified Notepad: no MessageBox pops up!
This is because the IMAGE_IMPORT_DESCRIPTOR's TimeDateStamp is 0xFFFFFFFF, i.e. -1, which means the original entry was pre-bound; if the system detects the pre-binding and finds it valid, it does not process the import table at load time, so we simply clear the contents at 0x1B0 to 0x1B8 (the Bound Import data directory entry in this file's header) and save again.
Now we can see that our MsgDll.dll really is loaded.