.

[Article]-Intercepted: Windows Hacking via DLL Redirection

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Jul 02, 2009 11:08 am

[Article]-Intercepted: Windows Hacking via DLL Redirection

Permanent link: [Article]-Intercepted: Windows Hacking via DLL Redirection


Image


In Windows, all applications must communicate with the kernel through API functions; as such, these functions are critical to even the simplest Windows application. Thus, the ability to intercept, monitor, and modify a program's API calls, commonly called API hooking, effectively gives one full control over that process. This can be useful for a multitude of reasons including debugging, reverse engineering, and hacking (in all interpretations of the word).

While there are several methods which can be used to achieve our goal, this tutorial will examine only DLL redirection. This approach was chosen for several reasons:


  • It is relatively simple to implement.
  • It allows us to view and modify parameters passed to an API function, change return values of that function, and run any other code we desire.
  • While most other methods require code to be injected into the target process or run from an external application, DLL redirection requires only write access to the target application's working directory.
  • We can intercept any API call without modifying the target (either on disk or in memory) or any system files.



Let us know what you think or if you have questions for Craig.

Don
CISSP, MCSE, CSTA, Security+ SME
<<

braxivamov

Newbie
Newbie

Posts: 3

Joined: Thu Jul 02, 2009 3:45 am

Post Fri Jul 03, 2009 3:11 am

Re: [Article]-Intercepted: Windows Hacking via DLL Redirection

Hello,
first of all thanks for this article it helped me much in my project.
It's working for all the applications i want except one : Openoffice (3.1).
I can redirect ol32.dll without any problem but when i try with gdi32.dll it crashes during the launching, and it crashes at start with user32.dll. I made several tests without any success even if i just redirect all originals functions it crashes the same way.
Do you have any clue of why it doesn t work.
Regards
Last edited by braxivamov on Fri Jul 03, 2009 3:13 am, edited 1 time in total.
<<

braxivamov

Newbie
Newbie

Posts: 3

Joined: Thu Jul 02, 2009 3:45 am

Post Thu Aug 06, 2009 2:25 am

Re: [Article]-Intercepted: Windows Hacking via DLL Redirection

Hi again

Well got no clues for the previous question.

I have another question : how the hell to use the loadFrom in the manifest file, to allow us to not have to copy the both dlls in each application folder ?

Regards
<<

heffnercj

EH-Net Columnist
EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Thu Aug 06, 2009 2:50 pm

Re: [Article]-Intercepted: Windows Hacking via DLL Redirection

braxivamov:

I can't say for sure what the problem might be with OpenOffice; I assume that you are building your redirector DLL against the same original DLLs on the target system? Have you tried running it in a debugger and seeing where it is crashing? Knowing what function in the DLL is causing problems can help a lot. In the case of user32.dll, it is probably crashing near the entry point, so you could single-step through the code and find the culprit in short order. For gdi32.dll, you'll probably want to go into your debugger (OllyDbg for instance) and set a breakpoint on all calls to gdi32 to see where the problem is.

I didn't know about the loadFrom attribute in the manifest files, and I couldn't dig up much on it. According to Microsoft's Schema (http://msdn.microsoft.com/en-us/library/aa375635(VS.85).aspx), it looks like it would just be another attribute to the file tag in the manifest though, so it would look something like:

<file
    name="user32.dll"
    loadFrom="c:\"
/>


I'll try it out when I get a chance - if you try it first, let us know if/how it works!
<<

braxivamov

Newbie
Newbie

Posts: 3

Joined: Thu Jul 02, 2009 3:45 am

Post Fri Aug 07, 2009 2:56 am

Re: [Article]-Intercepted: Windows Hacking via DLL Redirection

Hi,
thanks for the answer.

For the dll its been some time that i ve try it, i forgot which function causes the crash but i ll tell you soon.

For the manifest i already go to msdn and others sites the good typo should be like this : <file name="gdi32.dll" loadFrom="C:\\AnyFolder\\gdi32.dll" />

But when do this i got a launching error like " _crt_debugger_hook cannot be found in msvcr80.dll" ... (It is for the case of an Office Application )" But it works for other applications like IExplore and others.
It seems that the application which already have a manifest file with this line :

<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.3053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b">

If i suppress this line Office tells me that he "cant load msvcr80.dll" ...
But for the f sake i dont modify the way he access to msvcr80 i just add a new path to load gdi32 ...

If you have any clue it would be great

Regards
Last edited by braxivamov on Fri Aug 07, 2009 2:58 am, edited 1 time in total.

Return to Heffner

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software