By ro0ted | February 9, 2015 - 12:05 | Posted in /b/ | 14 Comments
#ro0ted #OpNewblood What the blackhats don’t want you to know: Dll Injecting the easy way

Let’s do some DLL injecting. Basically we want a message box to appear when the program executes, similar to a splash screen. – https://twitter.com/ro0ted/

(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as Malwr.com

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way +

Tools Used:

RadASM

Ollydbg 1.0 +

http://www.woodmann.com/collaborative/tools/index.php/IIDKing

If you run Ollydbg on a program and click the Memory tab, you will notice each .DLL the program loads in memory. Example:

Let’s go back to the CPU window and do an Intermodular Call search.

When you click All intermodular calls you will see the calls the program makes into each of those .dlls.

Open up RadASM:

Let’s tweak RadASM. You need MASM for this, so download the Assembly language pack from RadASM’s website: http://www.oby.ro/rad_asm/RadASM2000/Assembly.zip

After that, extract it to RadASM’s directory.

After that, in RadASM click Options > Programming Options.

Then click …

Double-click the Assembly folder:

Click the masm.ini config file.

Click New Project.

Click Next. Choose None, then make sure Def is checked and uncheck Bak. Leave all the options in Make the same, then click Finish.

Add Message.API. Now let’s put some code down.

Now open the MsgBox.asm file by double-clicking it in the project tree. Right now, there is nothing there, so you will get a blank screen. Now, let’s add the DLL code in:

The code is here: https://share.cyberguerrilla.info/?f85d8263bd217f93#kAbKw73lIVuKnOyXxVuPArQz66sD/E4CZtn+fjO+Uic=

We’ll go over this code piece by piece. First we declare some housekeeping stuff, telling the assembler which CPU we’re targeting and what kind of calling convention to use:

.386
.model flat,stdcall
option casemap:none

Next, we include the files this DLL needs, namely the Windows headers and import libraries that provide MessageBox and the other behind-the-scenes functions:

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

Now we declare some strings that we will use, namely the title of the opening nag and the message of the opening nag:

.data
AppName1         db "Cyber Guerrilla",0
LoadMsg          db "Do you support AnonNexus?",0

Finally, we define the code for the DllEntry function. First is the actual definition:

.code
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD

Next we have an .if block for when the DLL is loaded. Anything we put under the "reason==DLL_PROCESS_ATTACH" condition runs when the application loads the DLL. In this case we just bring up a dialog box:

.if reason==DLL_PROCESS_ATTACH
invoke MessageBox,NULL,addr LoadMsg,addr AppName1,MB_OK
.endif

At the end, we return TRUE in the EAX register. This is the normal way for a DLL entry point to tell the loader it succeeded:

mov  eax,TRUE
ret

And finally, we end the procedure definition:

DllEntry Endp
End DllEntry

The last thing we need to do is create an actual function that could theoretically be called. I say ‘theoretically’ because in our case it will not be called; the message box we see comes from DllEntry running at DLL_PROCESS_ATTACH. The reason we’re creating it is that the DLL needs at least one exported function for IIDKing to reference when it adds the import to the target. So we will create a dummy function. Insert it between the last two lines (the “DllEntry endp” and “End DllEntry” lines):

TestProc proc
    invoke MessageBox,NULL,addr LoadMsg,addr AppName1,MB_OK
    ret
TestProc endp

This just invokes another message box, but we’ll never see it as it’s never called.

Now let’s create the DEF file. Right click in the project window tree and choose “Add New” -> “File”. Save the file as ‘MsgBox.Def’. Now let’s put in our definition:

LIBRARY MsgBox
EXPORTS TestProc

This tells the linker that the name of our library is “MsgBox” and that the function it exports is called “TestProc”. That’s it. Now this DLL will make the TestProc function available to any application that loads it:

It should look like this now. Double-click MsgBox.def:

LIBRARY MsgBox
EXPORTS TestProc

In the MsgBox.asm:

.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
AppName1 db "Cyber Guerrilla!",0
LoadMsg db "Do you support AnonNexus?",0

.code
; Entry point: the loader calls this when the DLL is attached to a process
DllEntry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD

.if reason==DLL_PROCESS_ATTACH
invoke MessageBox,NULL,addr LoadMsg,addr AppName1,MB_OK
.endif
mov eax,TRUE
ret

DllEntry endp

; Dummy exported function (see MsgBox.def); never called, but it gives IIDKing something to import
TestProc proc
invoke MessageBox,NULL,addr LoadMsg,addr AppName1,MB_OK
ret
TestProc endp

; End must come last, after every procedure, and names the entry point
End DllEntry

It’s time to build our DLL. Hit F5 to assemble the project, creating the .obj file. If there are any errors, they will appear at the bottom of the screen. Otherwise it will say the build was made. Now link it by selecting “Make” -> “Link”. If everything ran as expected, there will be a message saying the make was done. You will also have a DLL file in the project folder:

We now have a legitimate DLL file 🙂 .

Injecting Our DLL File

Now that we have our DLL, we will inject it into our target. Start up IIDKing. Click the “Pick a file” button and select the target.

I will use Odin.exe

Now open the program. Add the DLL to the program’s directory: that is the first place the Windows loader looks when it resolves the new import, so the message box appears as soon as the target starts.

Many blackhats use this technique on programs they have cracked. That message box is usually hidden, and what the injected DLL actually runs is a backdoor shell to their bots.
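A defender’s counterpart to what IIDKing does, added here as an example that is not code from the post or from IIDKing: it walks a PE file’s import directory the way the loader does, lists every imported DLL and function, and flags any DLL not on a system allow-list, which is exactly where an import added to a cracked binary shows up. The sample PE it parses is constructed in build_sample() with the MsgBox.dll!TestProc import from this post; SYSTEM_DLLS is an assumed, deliberately short allow-list.

```python
"""Walk a PE32 import directory and flag DLLs outside a known system set.
Added example, not code from the post; build_sample() CONSTRUCTS a toy image."""
import struct
SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}   # assumed allow-list
def _u32(d, o): return struct.unpack_from("<I", d, o)[0]
def _u16(d, o): return struct.unpack_from("<H", d, o)[0]
def _cstr(d, o): return d[o:d.index(b"\0", o)].decode("ascii")
def _rva_to_off(d, rva, pe):
    """Map an RVA to a file offset through the section table."""
    sec0 = pe + 24 + _u16(d, pe + 20)                       # first section header
    for i in range(_u16(d, pe + 6)):                        # NumberOfSections
        vsz, va, rsz, raw = struct.unpack_from("<IIII", d, sec0 + i * 40 + 8)
        if va <= rva < va + max(vsz, rsz): return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def list_imports(d):
    """Return {dll: [function or #ordinal, ...]} from the import directory."""
    pe = _u32(d, 0x3C)
    assert d[pe:pe + 4] == b"PE\0\0", "not a PE file"
    dd = pe + 24 + (96 if _u16(d, pe + 24) == 0x10B else 112)  # data directories (PE32 / PE32+)
    off, found = _rva_to_off(d, _u32(d, dd + 8), pe), {}       # directory[1] = import table
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", d, off)
        if name_rva == 0: break                              # all-zero descriptor ends the table
        thunk, funcs = _rva_to_off(d, oft or ft, pe), []
        while (t := _u32(d, thunk)) != 0:                    # 32-bit thunks (PE32)
            funcs.append(f"#{t & 0xFFFF}" if t & 0x80000000 else _cstr(d, _rva_to_off(d, t, pe) + 2))
            thunk += 4
        found[_cstr(d, _rva_to_off(d, name_rva, pe)).lower()] = funcs
        off += 20
    return found
def unexpected_imports(d):
    return {k: v for k, v in list_imports(d).items() if k not in SYSTEM_DLLS}
def build_sample():
    """CONSTRUCTED minimal PE32: one section importing KERNEL32.DLL!ExitProcess and MsgBox.dll!TestProc."""
    base, body = 0x200, bytearray()                         # section RVA == file offset
    def put(b): body.extend(b); return base + len(body) - len(b)
    k32, mb = put(b"KERNEL32.DLL\0"), put(b"MsgBox.dll\0")
    hn1, hn2 = put(b"\0\0ExitProcess\0"), put(b"\0\0TestProc\0")    # 2-byte hint + name
    t1, t2 = put(struct.pack("<II", hn1, 0)), put(struct.pack("<II", hn2, 0))
    desc = put(struct.pack("<IIIII", t1, 0, 0, k32, t1) + struct.pack("<IIIII", t2, 0, 0, mb, t2) + bytes(20))
    hdr, pe = bytearray(base), 0x40
    hdr[:2], hdr[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe)
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, 224-byte opt hdr
    struct.pack_into("<H", hdr, pe + 24, 0x10B)                              # PE32 magic
    struct.pack_into("<II", hdr, pe + 24 + 104, desc, 60)                    # import directory RVA / size
    struct.pack_into("<8sIIII", hdr, pe + 24 + 224, b".idata", len(body), base, len(body), base)
    return bytes(hdr) + body
```

Point list_imports at the bytes of a real executable (open(path, "rb").read()) to compare its import table before and after a tool like IIDKing has touched it.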

ro0ted