EH-Net

Columns => Heffner => Topic started by: don on July 02, 2009, 11:08:33 AM


Title: [Article]-Intercepted: Windows Hacking via DLL Redirection
Post by: don on July 02, 2009, 11:08:33 AM
Permanent link: [Article]-Intercepted: Windows Hacking via DLL Redirection (http://www.ethicalhacker.net/content/view/207/24/)

Quote

(http://www.ethicalhacker.net/images/stories/columns/heffner/interception/windows-security_ico.png)

In Windows, all applications must communicate with the kernel through API functions; as such, these functions are critical to even the simplest Windows application. Thus, the ability to intercept, monitor, and modify a program's API calls, commonly called API hooking, effectively gives one full control over that process. This can be useful for a multitude of reasons including debugging, reverse engineering, and hacking (in all interpretations of the word).

While there are several methods which can be used to achieve our goal, this tutorial will examine only DLL redirection. This approach was chosen for several reasons:


  • It is relatively simple to implement.
  • It allows us to view and modify parameters passed to an API function, change return values of that function, and run any other code we desire.
  • While most other methods require code to be injected into the target process or run from an external application, DLL redirection requires only write access to the target application's working directory.
  • We can intercept any API call without modifying the target (either on disk or in memory) or any system files.


Let us know what you think or if you have questions for Craig.

Don

Title: Re: [Article]-Intercepted: Windows Hacking via DLL Redirection
Post by: braxivamov on July 03, 2009, 03:11:17 AM
Hello,
first of all thanks for this article it helped me much in my project.
It's working for all the applications i want except one : Openoffice (3.1).
I can redirect ol32.dll without any problem but when i try with gdi32.dll it crashes during the launching, and it crashes at start with user32.dll. I made several tests without any success even if i just redirect all originals functions it crashes the same way.
Do you have any clue of why it doesn t work.
Regards

Title: Re: [Article]-Intercepted: Windows Hacking via DLL Redirection
Post by: braxivamov on August 06, 2009, 02:25:25 AM
Hi again

Well got no clues for the previous question.

I have another question : how the hell to use the loadFrom in the manifest file, to allow us to not have to copy the both dlls in each application folder ?

Regards

Title: Re: [Article]-Intercepted: Windows Hacking via DLL Redirection
Post by: Craig on August 06, 2009, 02:50:38 PM
braxivamov:

I can't say for sure what the problem might be with OpenOffice; I assume that you are building your redirector DLL against the same original DLLs on the target system? Have you tried running it in a debugger and seeing where it is crashing? Knowing what function in the DLL is causing problems can help a lot. In the case of user32.dll, it is probably crashing near the entry point, so you could single-step through the code and find the culprit in short order. For gdi32.dll, you'll probably want to go into your debugger (OllyDbg for instance) and set a breakpoint on all calls to gdi32 to see where the problem is.

I didn't know about the loadFrom attribute in the manifest files, and I couldn't dig up much on it. According to Microsoft's Schema (http://msdn.microsoft.com/en-us/library/aa375635(VS.85).aspx), it looks like it would just be another attribute to the file tag in the manifest though, so it would look something like:

<file
    name="user32.dll"
    loadFrom="c:\"
/>

I'll try it out when I get a chance - if you try it first, let us know if/how it works!

Title: Re: [Article]-Intercepted: Windows Hacking via DLL Redirection
Post by: braxivamov on August 07, 2009, 02:56:51 AM
Hi,
thanks for the answer.

For the dll its been some time that i ve try it, i forgot which function causes the crash but i ll tell you soon.

For the manifest i already go to msdn and others sites the good typo should be like this : <file name="gdi32.dll" loadFrom="C:\\AnyFolder\\gdi32.dll" />

But when do this i got a launching error like " _crt_debugger_hook cannot be found in msvcr80.dll" ... (It is for the case of an Office Application )" But it works for other applications like IExplore and others.
It seems that the application which already have a manifest file with this line :

<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.3053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b">

If i suppress this line Office tells me that he "cant load msvcr80.dll" ...
But for the f sake i dont modify the way he access to msvcr80 i just add a new path to load gdi32 ...

If you have any clue it would be great

Regards


Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com