Jump to content

Recommended Posts

Posted

1st Way of injecting is to use a PE editor such as Stud_PE: ( http://www.cgsoftlabs.ro/zip/Stud_PE.zip3 )

 

Open the exe in STUD_PE Exe Injector. Go to functions.

Click “Add new import”

Select “Open DLL”

Select the DLL you are going to use

Click “Select import function”

Select “DllMain@12″

Click “Add to List”

Click OK.

 

 

2nd way of injecting is to use a patcher app. Thanks to tontor for the source code. Assemble the source in MASM:

 

;Static DLL Injection for MASM by Aphex

;http://www.iamaphex.cjb.net

;unremote@knology.net

;This uses code by Yodah and Freddy K

;What this does: It forces a PE to load a DLL everytime it is ran by

;patching the actual file. No other loaders or memory injectors are needed.

 

;How it does this: It opens the PE file, adds a section to the end of the file,

;alters the entry point to execute this section first. Then the new code loads

;a dll and jumps back to the original entry point where it runs as normal. 

 

;NOTE: you must add this linker option “/SECTION:.text,RWX”

;ml.exe /coff patch.asm /link /SECTION:.text,RWX /SUBSYSTEM:WINDOWS /OPT:NOREF

.386

.model flat, stdcall

option casemap:none

include \masm32\include\windows.inc

include \masm32\include\kernel32.inc

include \masm32\include\user32.inc

includelib \masm32\lib\kernel32.lib

includelib \masm32\lib\user32.lib

 

SEH_STRUCT struct

OrgEsp dword 0

OrgEbp dword 0

SaveEip dword 0

SEH_STRUCT ends

 

.data

;——-> Path to EXE to be patched with DLL <——-

szTarget byte ‘L2Server.exe’, 0

 

.data?

dwFile dword ?

dwSize dword ?

dwBytes dword ?

dwImage dword ?

dwBuffer dword ?

dwHeader dword ?

dwLength dword ?

dwSections dword ?

 

.data

errmsg  db  ’failed to open l2server.exe’,0

sucmsg  db  ’patching l2server.exe succeeded’,0

titlemsg db  ’beepbeepboop’,0

 

.code

EntryPoint:

jmp PatchEnd

PatchBegin:

jmp SkipData

szName byte ‘.PATCH’, 2 dup (0)

szLoadLibrary byte ‘LoadLibraryA’, 0

;——-> Path to DLL to be patched into EXE <——-

szDll byte ‘patch.dll’, 0

SEH SEH_STRUCT <>

_LoadLibrary dword 0

dwKernelBase dword 0

dwEntryPoint dword 0

_DllOff dword 0

SkipData:

assume fs:NOTHING

pushad

call Root

Root:

pop ebp

sub ebp, offset Root

push dword ptr [esp + 20h]

call Base

or eax, eax

jz Return

mov [ebp + dwKernelBase], eax

lea eax, [ebp + offset szLoadLibrary]

push eax

push [ebp + dwKernelBase]

call Address

or eax, eax

jz Return

mov [ebp + _LoadLibrary], eax

lea eax, [ebp + offset szDll]

push eax

call [ebp + _LoadLibrary]

mov [ebp + offset _DllOff], eax

Return:

mov eax, [ebp + dwEntryPoint]

mov [esp + 1ch], eax

popad

jmp eax

Base:

mov edi, [esp + 4]

lea eax, [ebp + offset SehHandler]

push eax

push dword ptr fs:[0]

lea eax, [ebp + offset SEH]

assume eax:ptr SEH_STRUCT

mov [eax].OrgEsp, esp

mov [eax].OrgEbp, ebp

lea ebx, [ebp + offset Continue]

mov [eax].SaveEip, ebx

mov fs:[0], esp

assume eax:NOTHING

and edi, 0FFFF0000h

.while TRUE

.if word ptr [edi] == IMAGE_DOS_SIGNATURE

mov esi, edi

add esi, [esi + 03Ch]

.if dword ptr [esi] == IMAGE_NT_SIGNATURE

.break

.endif

.endif

Continue:

sub edi, 010000h

.if edi < 070000000h

mov edi, 0BFF70000h

.break

.endif

.endw

xchg eax, edi

pop dword ptr fs:[0]

add esp, 4

ret 4

Address:

lea eax, [ebp + offset SehHandler]

push eax

push dword ptr fs:[0]

lea eax, [ebp + offset SEH]

assume eax:ptr SEH_STRUCT

mov [eax].OrgEsp, esp

mov [eax].OrgEbp, ebp

lea ebx, [ebp + offset Continue]

mov [eax].SaveEip, ebx

mov fs:[0], esp

assume eax:NOTHING

mov esi, [esp + 0ch]

.if word ptr [esi] != IMAGE_DOS_SIGNATURE

jmp Halt

.endif

add esi, [esi + 03Ch]

.if dword ptr [esi] != IMAGE_NT_SIGNATURE

jmp Halt

.endif

mov edi, [esp + 10h]

mov ecx, 150

xor al, al

repnz scasb

mov ecx, edi

sub ecx, [esp + 10h]

mov edx, [esi + 078h]

add edx, [esp + 0ch]

assume edx:ptr IMAGE_EXPORT_DIRECTORY

mov ebx, [edx].AddressOfNames

add ebx, [esp + 0ch]

xor eax, eax

.repeat

mov edi, [ebx]

add edi, [esp + 0ch]

mov esi, [esp + 10h]

push ecx

repz cmpsb

.if zero?

add esp, 4

.break

.endif

pop ecx

add ebx, 4

inc eax

.until eax == [edx].NumberOfNames

.if eax == [edx].NumberOfNames

jmp Halt

.endif

mov esi, [edx].AddressOfNameOrdinals

add esi, [esp + 0ch]

push edx

mov ebx, 2

xor edx, edx

mul ebx

pop edx

add eax, esi

xor ecx, ecx

mov word ptr cx, [eax]

mov edi, [edx].AddressOfFunctions

xor edx, edx

mov ebx, 4

mov eax, ecx

mul ebx

add eax, [esp + 0ch]

add eax, edi

mov eax, [eax]

add eax, [esp + 0ch]

jmp Exit

assume edx:nothing

Halt:

xor eax, eax

Exit:

pop dword ptr fs:[0]

add esp, 4

ret 8

SehHandler proc c pExcept:dword, pFrame:dword, pContext:dword, pDispatch:dword

mov eax, pContext

assume eax:ptr CONTEXT

push SEH.SaveEip

pop [eax].regEip

push SEH.OrgEsp

pop [eax].regEsp

push SEH.OrgEbp

pop [eax].regEbp

mov eax, ExceptionContinueExecution

ret

SehHandler endp

PatchEnd:

mov eax, offset PatchEnd

sub eax, offset PatchBegin

mov dwLength, eax

invoke CreateFile, offset szTarget, GENERIC_READ or GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0

.if eax == INVALID_HANDLE_VALUE

invoke MessageBox, NULL,addr errmsg,addr titlemsg,MB_OK

invoke ExitProcess, 0

.endif

mov dwFile, eax

invoke GetFileSize, dwFile, 0

mov dwSize, eax

add eax, 2000h

invoke GlobalAlloc, GMEM_FIXED or GMEM_ZEROINIT, eax

mov dwBuffer, eax

invoke ReadFile, dwFile, dwBuffer, dwSize, offset dwBytes, 0

mov esi, dwBuffer

add esi, 03ch

mov eax, dword ptr [esi]

mov dwHeader, eax

sub eax, 03ch

add esi, eax

assume esi:ptr IMAGE_NT_HEADERS

mov ax, [esi].FileHeader.NumberOfSections

mov dwSections, eax

inc [esi].FileHeader.NumberOfSections

mov eax, [esi].OptionalHeader.AddressOfEntryPoint

add eax, [esi].OptionalHeader.ImageBase

mov dwEntryPoint, eax

mov eax, [esi].OptionalHeader.SizeOfImage

mov dwImage, eax

add [esi].OptionalHeader.SizeOfImage, 1000h

mov [esi].OptionalHeader.AddressOfEntryPoint, eax

assume esi:NOTHING

mov esi, dwBuffer

add esi, dwHeader

add esi, 0f8h

assume esi:ptr IMAGE_SECTION_HEADER

mov eax, 0E0000060h

mov [esi].Characteristics, eax

mov eax, 28h

mov ecx, dwSections

imul ecx

add esi, eax

mov eax, dword ptr [szName]

mov dword ptr [esi].Name1, eax

mov eax, dword ptr[szName+4]

mov dword ptr [esi].Name1+4, eax

mov eax, 1000h

mov [esi].Misc.VirtualSize, eax

mov eax, dwImage

mov [esi].VirtualAddress, eax

mov eax, dwLength

mov [esi].SizeOfRawData, eax

mov eax, dwSize

mov [esi].PointerToRawData, eax

mov eax, 0E0000020h

mov [esi].Characteristics, eax

assume esi:NOTHING

mov edi, dwBuffer

add edi, dwSize

lea eax, PatchBegin

xchg esi, eax

mov ecx, dwLength

rep movsb

invoke SetFilePointer, dwFile, 0, 0, FILE_BEGIN

mov eax, dwSize

add eax, dwLength

invoke  WriteFile, dwFile, dwBuffer, eax, offset dwBytes, 0

invoke CloseHandle, dwFile

invoke GlobalFree, dwBuffer

invoke MessageBox, NULL,addr sucmsg,addr titlemsg,MB_OK

invoke ExitProcess, 0

end EntryPoint

 

That's all folks ;)

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...