Reflective DLL injection?


Reflective DLL injection?

Post by xakep »

I converted the reflective DLL injection code from C++ to PB.
Now the problem is how to convert this code:


#include <iostream>
#include <Windows.h>

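// Entry routine of the test DLL: shows the module base it was handed and
// returns TRUE. Mirrors a DllMain(hinstDLL, ...) call, but only the first
// argument is used here.
//
// Params:  lpParameter - value passed as the first argument; in this thread it
//                        is the module base of the freshly mapped image.
// Returns: TRUE; there is no failure path.
//
// Fixes versus the original: the pointer was cast to DWORD, which truncates
// on x64 (and MSVC rejects a reinterpret_cast to a narrower type there), and
// wsprintf/MessageBox were the macro forms, which only match the WCHAR buffer
// and L"" literals when UNICODE is defined. %p prints the pointer at native
// width, and the explicit W variants work regardless of the UNICODE setting.
BOOL APIENTRY MyMain(LPVOID lpParameter) {
	WCHAR szOutput[MAX_PATH];
	wsprintfW(szOutput, L"Module base: %p", lpParameter);
	::MessageBoxW(NULL, szOutput, L"Test DLL", MB_OK);

	return TRUE;
}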
As PureBasic doesn't support such a DLL entry point, I had to edit the PureBasic.asm code to:


; _DLLEntryPoint@12 - hand-edited PureBasic DLL entry, stdcall with the three
; DllMain arguments (hinstDLL, fdwReason, lpvReserved), hence RET 12.
; Intended to mirror MyMain() from the C++ test DLL: initialise the PB runtime,
; show a message box, return TRUE. _S1/_S2 and _MessageBoxW@16 come from the
; rest of PureBasic.asm and are not visible here.
; NOTE(review): nothing above the first MOV loads eax. On entry to a stdcall
; DllMain eax is undefined and hinstDLL sits at [esp+4], so storing eax into
; _PB_Instance looks wrong - confirm against the unedited PureBasic.asm stub.
; NOTE(review): _MessageBoxW@16 is reached through the module's import table;
; whether the loader that calls this entry has resolved imports is not
; visible here.
_DLLEntryPoint@12:
  MOV    [_PB_Instance],eax          ; see note: eax is not hinstDLL here
  CALL   PB_DllInit                  ; PureBasic runtime initialisation
  
  PUSH   dword 0                     ; uType  = MB_OK
  LEA    eax,[_S2]                   ; lpCaption
  PUSH   eax
  LEA    eax,[_S1]                   ; lpText
  PUSH   eax
  PUSH   dword 0                     ; hWnd   = NULL
  CALL  _MessageBoxW@16              ; MessageBoxW(NULL, _S1, _S2, MB_OK)
  
  XOR    eax,eax                     ; dead: overwritten by the next MOV
  MOV    eax,1                       ; return TRUE
  RET    12                          ; stdcall: pop the three DllMain args
But I don't get the same results as with the original C++ DLL (the remote process crashes).
So how could I set a custom DllEntryPoint?

Thanks for your time.

Re: Reflective DLL injection?

Post by Crusiatus Black »

- https://www.purebasic.com/documentation ... e/dll.html

Maybe you are looking for AttachProcess(hInstance)? You can define this procedure, which will be called when the DllMain function (I'm assuming) is executed.
Bas Groothedde,
Imagine Programming

I live in a philosophical paradoxal randome filled with enigma's!

Re: Reflective DLL injection?

Post by xakep »

DllMain <> AttachProcess

This reflective DLL injection requires the Main() code to be executed before AttachProcess/AttachThread.

Re: Reflective DLL injection?

Post by CELTIC88 »

hi; 8)

Change it to this code:


    
;By celtic88 2018
;
; Review notes (added):
;   32-bit DLL entry stub that does not touch the module's own import table.
;   kernel32's base is found through the process PEB loader list, kernel32's
;   export table is walked by name for LoadLibraryA and GetProcAddress,
;   User32.dll is loaded, MessageBoxA is resolved and called. All helpers and
;   strings below are .labels local to _DLLEntryPoint@12 and are emitted in
;   the code section right after it.
;   Manual PEB/export-table API resolution from an entry point is a well-known
;   loader-independent pattern that scanners and EDR heuristics typically
;   single out; a defender reading a PureBasic DLL containing this stub should
;   treat it accordingly.
;
;   Contract: stdcall DllMain(hinstDLL, fdwReason, lpvReserved) -> RET 12.
;   Nothing tests fdwReason, so every notification delivered to this entry
;   (thread attach, detach, ...) shows the box again. Unlike the stub in the
;   first listing, PB_DllInit is not called, so the PureBasic runtime is never
;   initialised. The BOOL the caller sees is whatever MessageBoxA left in Eax
;   (IDOK = 1 when OK is clicked).
;   Frame ([Ebp]-relative, 80 bytes reserved, 20 used):
;     +0 kernel32 base   +4 LoadLibraryA   +8 GetProcAddress
;     +12 User32 base    +16 MessageBoxA
;   NOTE(review): none of the four lookups is checked for 0 before being
;   called through.

_DLLEntryPoint@12:
PUSH Ebp
  SUB Esp, 4*20                   ; 80-byte scratch frame
  MOV Ebp, Esp
  
  CALL .KErnEl32 ; get Kernel32 base address
  MOV [Ebp], Eax
  
  PUSH .FuncLoadLibraryA ; get LoadLibraryA Proc address
  PUSH dword [Ebp]                ; .GEtProcAddrEss(base, name)
  CALL .GEtProcAddrEss
  MOV dword [Ebp + 4], Eax
  
  PUSH .FuncGEtProcAddrEss; get GEtProcAddrEss Proc address
  PUSH dword [Ebp]
  CALL .GEtProcAddrEss
  MOV [Ebp + 8], Eax
  
  PUSH .UsEr32         ; get user32 base address
  CALL dword [Ebp + 4]            ; LoadLibraryA("User32.dll")
  MOV dword [Ebp + 12], Eax       ; NOTE(review): not checked for NULL
  
  PUSH .MEssagEBoxA   ; get MEssagEBoxA Proc address
  PUSH dword [Ebp + 12]
  CALL dword [Ebp + 8]            ; kernel32's GetProcAddress(hUser32, "MessageBoxA")
  MOV dword [Ebp + 16], Eax       ; NOTE(review): not checked for NULL
  
  PUSH dword 0   ; call MEssagEBoxA
  PUSH dword .CEltic88            ; lpCaption
  PUSH dword .CEltic88            ; lpText (same string)
  PUSH dword 0                    ; hWnd = NULL
  CALL dword [Ebp + 16]           ; MessageBoxA(NULL, text, caption, MB_OK)
  
  ADD Esp ,4*20
  POP Ebp
  RET 12                          ; Eax = MessageBoxA result, returned as the BOOL
  
  ; .KErnEl32: no args -> Eax = kernel32.dll base. Preserves Edi/Ebx.
  .KErnEl32:
  PUSH Edi Ebx
  XOR Eax, Eax                    ; al = 0 doubles as the terminator byte compared below
  MOV    Edi, DWord [fs:Eax + 48] ;GEt PEb (fs:[0x30] on 32-bit Windows)
  MOV     Edi, DWord [Edi+12]     ; PEB.Ldr
  MOV     Edi, DWord [Edi+28]     ; PEB_LDR_DATA.InInitializationOrderModuleList
  .NExtModulE:
  MOV     Edi, DWord [Edi]        ; Flink -> next entry (points at its init-order links)
  MOV     Ebx,DWord [Edi+32]      ; BaseDllName.Buffer (UTF-16)
  CMP     BytE [Ebx+24],al        ; name exactly 12 WCHARs long (low byte of the NUL)?
  JNE     .NExtModulE
  CMP     BytE [Ebx], 75          ; first char 'K' ...
  JE	    .Found_K32
  CMP     BytE [Ebx], 107         ; ... or 'k' -> taken to be kernel32.dll
  JNE     .NExtModulE
  ; NOTE(review): any 12-WCHAR module name starting with K/k matches, and
  ; there is no end-of-list test: if nothing matches, the walk comes back
  ; round to the list head and reads it as if it were an entry.
  .Found_K32:
  MOV Eax, DWord [Edi+8]          ; DllBase
  POP Ebx Edi
  RET
  
  ; .GEtProcAddrEss: stdcall(base, name) -> Eax = exported address, or 0 when
  ; the name was not found (callers above do not test for 0).
  ; Locals after the six saves: [Ebp] = current export name, [Ebp+4] = its address.
  .GEtProcAddrEss:
  PUSH  ESI Edi Edx Ebx Ebp Ecx
  
  SUB  Esp, 8
  MOV Ebp, Esp
  
  MOV Ebx,DWord [Ebp + 4 + 8 + 6*4] ;KErnEl32 basE (arg 1: past locals, saves and return address)
  
  MOV Edx, Ebx
  ADD Edx , [Ebx + 60] ;IMAGE_DOS_HEADER\E_lfanEw -> IMAGE_NT_HEADERS
  
  MOV Edx, [Edx + 120] ;IMAGE_NT_HEADERS\IMAGE_OPTIONAL_HEADER\DataDirEctory\ExportVirtualAddrEss (PE32 layout)
  ADD Edx, Ebx         ;IMAGE_EXPORT_DIRECTORY
  
  MOV Esi,Ebx
  ADD Esi, [Edx + 32] ;IMAGE_EXPORT_DIRECTORY\AddrEssOfNamEs
  
  MOV Edi,Ebx
  ADD Edi, [Edx + 36] ;IMAGE_EXPORT_DIRECTORY\AddrEssOfNamEOrdinals
  
  MOV Ecx,[Edx + 20]  ;IMAGE_EXPORT_DIRECTORY\NumberOfFunctions (the earlier comment named IMAGE_FILE_HEADER\NumberOfSections, which is not what +20 of the export directory holds)
  ; NOTE(review): the loop below walks AddressOfNames, which has NumberOfNames
  ; (+24) entries; when NumberOfFunctions is larger, the walk runs past the
  ; end of the name table.
  
  .__GEtFuncList:
  LODSD                           ; Eax = RVA of the next export name; Esi advances
  ADD Eax, Ebx        ;function namE
  MOV Dword [Ebp], Eax
  MOV Eax, Ebx
  ADD Eax, [Edx + 28] ;IMAGE_EXPORT_DIRECTORY\AddrEssOfFunctions
  PUSH Ecx
  MOVSX Ecx, word [Edi]           ; ordinal index for this name. NOTE(review): sign-extended, so an index >= 0x8000 goes negative
  MOV Eax, [Eax + 4 * Ecx]        ; function RVA
  ADD Eax,Ebx                     ; NOTE(review): a forwarded export yields a pointer to its forwarder string, not code
  MOV [Ebp + 4], Eax
  POP Ecx
  
  PUSH Dword [Ebp]                ; .String_ComparE(wanted, candidate): candidate = this export name
  PUSH Dword [Ebp + 4 + 4 + 8 + 6*4]   ; wanted = arg 2 of this routine
  CALL .String_ComparE
  TEST Eax, Eax
  JZ .__Skip
  MOV Eax, Dword [Ebp + 4]        ; match: return the resolved address
  JMP .Found_Proc
  .__Skip:
  ADD Edi,2                       ; next ordinal (WORD table)
  DEC Ecx
  JNZ .__GEtFuncList
  ; fell through: Eax is still the 0 left by the last compare
  
  .Found_Proc:
  ADD Esp, 8
  POP  Ecx Ebp Ebx Edx Edi ESI
  RET 8
  
  ; .String_ComparE: stdcall(wanted, candidate) -> Eax = 1 when the first
  ; strlen(wanted) bytes of both strings are equal, else 0.
  ; NOTE(review): the terminator is not compared, so a longer export whose
  ; prefix equals the wanted name also counts as a match; the name table is
  ; sorted, so an exact name is reached first when it exists.
  .String_ComparE:
  PUSH  ESI Edi Ecx
  MOV   ESI, [Esp + 4  + 12]      ; wanted (pushed last by the caller)
  MOV   Edi, [Esp + 8  + 12]      ; candidate export name
  MOV   Ecx, 1
  .Looop:                         ; Ecx = strlen(wanted); starts at 1, so wanted must be non-empty
  CMP BytE [ESI + Ecx],0
  JE ._BrEak
  INC Ecx
  JMP .Looop
  ._BrEak:
  MOV   Eax, 1
  CLD
  REP	CMPSB                     ; compare Ecx bytes; ZF is set only if all were equal
  JE  ._IsEqual
  XOR   Eax,Eax
  ._IsEqual:
  POP   Ecx Edi ESI
  RET 8
  
  ; ASCII names handed to the lookups above; they live in the code section.
  .FuncGEtProcAddrEss:
  DB "GetProcAddress",0
  .FuncLoadLibraryA:
  DB "LoadLibraryA",0
  .UsEr32:
  DB "User32.dll",0
  .MEssagEBoxA:
  DB "MessageBoxA",0
  .CEltic88:                      ; used as both text and caption of the box
  DB "ByCEtic ;p",0
interested in Cybersecurity..

Re: Reflective DLL injection?

Post by xakep »

@CELTIC88
Thanks, that works.

But this version of reflective DLL injection already maps the DLL and fixes relocations and imports, so manually finding the kernel32 base, GetProcAddress, user32.dll, etc. is not needed anymore.
I will modify your code and post it there )