08-21-2017, 16:58
atom0s
Here is another way you can make a proxy fairly easy and slim. Since you do not need to know the actual function prototype/parameters when exporting things that are just using direct jumps via inline asm, you can mix and abuse macros with inline asm to export things easily.

PHP Code:
#include <Windows.h>
#include <string.h>

HMODULE g_ModuleHandle = nullptr;       // This proxy's module handle.
HMODULE g_RealModuleHandle = nullptr;   // The real module's handle being proxied.

/**
 * Obtains the original export from the real module.
 * Returns TRUE when the export was found.
 */
BOOL APIENTRY GetRealExport(const char* name, FARPROC* out)
{
    // Ensure the real module is loaded..
    if (g_RealModuleHandle == nullptr)
        return FALSE;

    // Todo: Add any type of function caching if you want here..

    // Obtain the real export function..
    *out = ::GetProcAddress(g_RealModuleHandle, name);
    return (*out != nullptr);
}

/**
 * Generates an export function wrapper for the given exported function by name.
 * Note: __declspec(naked) and __asm are only available in 32-bit (x86) MSVC builds.
 */
#define EXPORTORIG(n)                               \
    FARPROC orig_##n = nullptr;                     \
    __declspec(naked) void __stdcall real_##n() {   \
        GetRealExport(#n, &orig_##n);               \
        __asm jmp orig_##n                          \
    }

EXPORTORIG(Direct3DCreate9);

/**
 * Initialize the proxy for use.
 */
BOOL APIENTRY InitializeProxy(HINSTANCE hinstDLL)
{
    // Store the module's handle..
    g_ModuleHandle = hinstDLL;

    // Build the path to the original module..
    // The ANSI (A) variants are used explicitly because path is a char buffer.
    char path[MAX_PATH] = { };
    ::GetSystemDirectoryA(path, MAX_PATH);
    strcat_s(path, "\\d3d9.dll");

    // Load the original module..
    g_RealModuleHandle = ::LoadLibraryA(path);
    if (g_RealModuleHandle == nullptr)
        return FALSE;

    return TRUE;
}

/**
 * Entry point.
 */
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        ::DisableThreadLibraryCalls(hinstDLL);
        return InitializeProxy(hinstDLL);
    }
    return TRUE;
}
And in the .def file:

PHP Code:
LIBRARY
EXPORTS
    Direct3DCreate9 = real_Direct3DCreate9

Being that this is using a macro for the dirty work/heavy lifting, you can easily create a template/skeleton project to auto-generate the entire proxy DLL for you like this, just by having it read the original exports from the target file and generating the rest.

Note, this method as-is will have issues with exports that are by ordinal and not by name. You would have to tweak the generated names a tad to work with ords instead.
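Added example, not part of atom0s's post: the proxy above loads the real d3d9.dll from the system directory during its own load, so a process using it shows two image loads of the same DLL name, first from a local folder and then from the system folder. The Python sketch below flags that pattern in image-load records; the record layout, the sample events and the default Windows system paths are assumptions, and a hit is a triage signal, not proof of tampering.

```python
import ntpath

# Assumed default install locations of the Windows system directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample image-load records in chronological order:
# (process id, process image, loaded module path).
SAMPLE_EVENTS = [
    (4112, r"C:\Games\Demo\demo.exe", r"C:\Games\Demo\d3d9.dll"),
    (4112, r"C:\Games\Demo\demo.exe", r"C:\Windows\SysWOW64\d3d9.dll"),
    (4112, r"C:\Games\Demo\demo.exe", r"C:\Windows\SysWOW64\kernel32.dll"),
    (5220, r"C:\Tools\viewer.exe", r"C:\Windows\System32\d3d9.dll"),
    (6001, r"C:\Apps\editor.exe", r"C:\Apps\version.dll"),
]


def in_system_dir(path):
    """True when the module's folder is one of the system directories."""
    return ntpath.dirname(ntpath.normpath(path)).lower() in SYSTEM_DIRS


def find_proxy_loads(events):
    """Return (pid, dll name, local path, system path) for each process that
    loads a DLL from a non-system folder and later loads the same DLL name
    from a system folder."""
    first_local = {}  # (pid, dll name) -> first non-system path seen
    findings = []
    for pid, _process, module in events:
        key = (pid, ntpath.basename(module).lower())
        if not in_system_dir(module):
            first_local.setdefault(key, module)
        elif key in first_local:
            # The system copy arrives after a local copy of the same name.
            findings.append((pid, key[1], first_local.pop(key), module))
    return findings


if __name__ == "__main__":
    for pid, name, local, system in find_proxy_loads(SAMPLE_EVENTS):
        print(f"pid {pid}: {name} loaded from {local}, then from {system}")
```
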