[Reprint] How a DLL upgrades itself

  I recently had a requirement: a DLL is injected into a resident process and must be able to upgrade itself. When it finds that a new version is available, it immediately frees itself and loads the new one. Here is an implementation plan:

    Start a listener thread that checks the Internet for a new version and downloads it to a temporary directory. If an upgrade is needed, the DLL immediately calls FreeLibrary on itself and then runs the update procedure.
    Because the current module's memory is no longer valid after FreeLibrary, the update procedure runs in a separate thread, and the update code is written as shellcode and executed from memory allocated for that purpose. The update procedure uses some system API functions, but these cannot be called directly by function name, because that would go through the import table, which is gone once the DLL has been freed. Instead, a parameter block is prepared in advance and passed to the thread; it holds the data and addresses that the update thread uses:


    Let's look at how the update listener thread works and how it prepares these parameters:


    After creating the update thread, the listener thread exits promptly and frees the DLL itself (so that the update thread can delete the DLL):


    Now let's look at how the update thread works:


    As with freeing its own module, after the final VirtualFree the parameters and the currently executing code share the freed memory pages, so execution cannot return there. The call is therefore made by building its parameters on the stack, in a form that ends the current thread. The compiled binary instructions of this function are saved in a global array:


The following shows the test results (tested on XP and on Win7 32-bit and 64-bit):


Finally, a few points to note:
1. Before loading the new DLL, delete the files placed in the temporary directory, to prevent a recursive update loop.
2. Before running the update procedure, check the DLL's version information, likewise to prevent recursion.
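
The version check from note 2, as an added example that is not code from the original post: the update runs only when the downloaded version is strictly newer, and an equal, older or malformed version is rejected so a freshly loaded DLL cannot re-trigger its own update. The names `dll_version`, `parse_version` and `should_update` are hypothetical, and passing versions as four-part "a.b.c.d" strings is an assumption.

```c
#include <stdio.h>

/* Four-part version (major.minor.build.revision); each part is 16 bits wide
   in a Windows file version resource. Hypothetical type for this example. */
typedef struct { unsigned part[4]; } dll_version;

/* Strict parse of "a.b.c.d": exactly four decimal fields, each 0..65535,
   no signs, spaces or trailing text. Returns 1 on success, 0 otherwise. */
int parse_version(const char *s, dll_version *out)
{
    int field = 0;
    if (s == NULL || out == NULL) return 0;
    while (field < 4) {
        unsigned value = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9') {
            value = value * 10 + (unsigned)(*s - '0');
            if (value > 65535u || ++digits > 5) return 0;
            s++;
        }
        if (digits == 0) return 0;          /* empty field */
        out->part[field++] = value;
        if (field < 4 && *s++ != '.') return 0;
    }
    return *s == '\0';                      /* reject trailing text */
}

/* 1 only if both versions parse and the downloaded one is strictly newer.
   Malformed input fails closed: no update is performed. */
int should_update(const char *running, const char *downloaded)
{
    dll_version cur, cand;
    int i;
    if (!parse_version(running, &cur) || !parse_version(downloaded, &cand))
        return 0;
    for (i = 0; i < 4; i++) {
        if (cand.part[i] > cur.part[i]) return 1;
        if (cand.part[i] < cur.part[i]) return 0;
    }
    return 0;                               /* same version: do nothing */
}

int main(void)
{
    /* Constructed sample versions. */
    printf("newer: %d\n", should_update("1.0.0.3", "1.0.0.4"));
    printf("same:  %d\n", should_update("1.0.0.4", "1.0.0.4"));
    return 0;
}
```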



Origin www.cnblogs.com/h2zZhou/p/11535317.html