A growing repository of basic security techniques for learning purposes.
An example of using remote DLL injection and inline hooking to modify the behaviour of another process. In particular, the victim process requires a password before it proceeds with execution. After the malicious DLL has been injected, any password is accepted.
- Compile and run the Victim.
- Compile the MalicousDLL.
- Compile and run the Injector.
- Enter any password you like to the Victim.
Note: this is a high-level description; the code itself is commented in more detail.
- The victim process calls the lstrcmpA function (Win32 API) to compare the user-entered password with a hardcoded password.
- The injector injects the malicious DLL into the victim process using VirtualAllocEx and CreateRemoteThread (see the Further Reading section).
- The malicious DLL places an inline hook (see the Further Reading section) on lstrcmpA and simply replaces the user-entered password with the hardcoded password, so the comparison always succeeds.
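The following is an added example written for this README; it is not the repository's own Injector or MaliciousDLL code. It shows the two things the hook in the description has to get right: the 5-byte `jmp rel32` patch written over the start of lstrcmpA (with the trampoline that preserves the displaced prologue bytes and jumps back to lstrcmpA+5), and the hook body that swaps the user-entered argument for the hardcoded password. To stay runnable outside Windows, nothing here is executed after patching: `fake_lstrcmpA` is a constructed byte array standing in for the real prologue (a typical MSVC x64 prologue, chosen so the first instruction is exactly 5 bytes), the `original_lstrcmpA` pointer is `strcmp` standing in for the trampoline, `HARDCODED_PASSWORD` is a made-up value, and the assumption that the victim calls `lstrcmpA(user_input, hardcoded)` is stated in the comments. In the real DLL the patched bytes live inside kernel32's lstrcmpA (made writable with VirtualProtect) and the trampoline must sit in executable memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the first bytes of lstrcmpA: a typical MSVC x64 prologue
 * (mov [rsp+8],rbx / push rdi / sub rsp,0x20). Plain data; never executed here. */
static uint8_t fake_lstrcmpA[16] = {
    0x48, 0x89, 0x5C, 0x24, 0x08,      /* mov  [rsp+8], rbx  (5 bytes: the bytes we steal) */
    0x57,                              /* push rdi           (1 byte)  */
    0x48, 0x83, 0xEC, 0x20,            /* sub  rsp, 0x20     (4 bytes) */
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC
};
static uint8_t trampoline[16];         /* real hooks put this in PAGE_EXECUTE_READWRITE memory */
static uint8_t stolen_bytes[5];
static uint8_t scratch[5];

typedef int (*lstrcmpA_t)(const char *, const char *);
static lstrcmpA_t original_lstrcmpA = strcmp;       /* assumption: strcmp stands in for the trampoline */
static const char HARDCODED_PASSWORD[] = "s3cret";  /* constructed; the victim's real value is in its source */

/* The hook body. Assumes the victim calls lstrcmpA(user_input, hardcoded): the user-entered
 * argument is replaced by the hardcoded password before the original comparison runs. */
int hooked_lstrcmpA(const char *user_input, const char *expected)
{
    (void)user_input;
    return original_lstrcmpA(HARDCODED_PASSWORD, expected);
}

/* jmp rel32 = E9 <disp32>, the displacement being measured from the END of the 5-byte
 * instruction. Returns -1 if the target is more than +/-2 GiB away (on x64 that case
 * needs an absolute jmp, e.g. FF 25 + 8-byte address, instead). */
int encode_jmp_rel32(uintptr_t from, uintptr_t to, uint8_t out[5])
{
    int64_t disp = (int64_t)to - ((int64_t)from + 5);
    if (disp > INT32_MAX || disp < INT32_MIN) return -1;
    uint32_t d = (uint32_t)disp;                       /* two's complement, little-endian */
    out[0] = 0xE9;
    out[1] = d & 0xFF; out[2] = (d >> 8) & 0xFF; out[3] = (d >> 16) & 0xFF; out[4] = (d >> 24) & 0xFF;
    return 0;
}

/* Inverse of the above, used to verify a patch: target = end of instruction + disp. */
uintptr_t decode_jmp_target(uintptr_t at, const uint8_t *code)
{
    uint32_t d = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                 ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return at + 5 + (uintptr_t)(intptr_t)(int32_t)d;
}

/* Install sequence: save the displaced prologue, build the trampoline (stolen bytes followed
 * by jmp back to func+5), then overwrite the prologue with jmp hook. A real hook wraps the
 * final memcpy in VirtualProtect(func, 5, PAGE_EXECUTE_READWRITE, &old) and restores `old`. */
int install_inline_hook(void)
{
    uintptr_t func = (uintptr_t)fake_lstrcmpA, hook = (uintptr_t)hooked_lstrcmpA;
    uintptr_t tramp = (uintptr_t)trampoline;
    uint8_t jmp_to_hook[5];
    /* 5 bytes is one whole instruction in the constructed prologue; real code must use a
     * length disassembler so the stolen region never splits an instruction. */
    memcpy(stolen_bytes, fake_lstrcmpA, 5);
    memcpy(trampoline, stolen_bytes, 5);
    if (encode_jmp_rel32(tramp + 5, func + 5, trampoline + 5) != 0) return -1;
    if (encode_jmp_rel32(func, hook, jmp_to_hook) != 0) return -1;
    memcpy(fake_lstrcmpA, jmp_to_hook, 5);             /* the write that redirects every caller */
    return 0;
}

int main(void)
{
    printf("hooked compare of a wrong password returns %d\n", hooked_lstrcmpA("wrong", HARDCODED_PASSWORD));
    if (install_inline_hook() != 0) return 1;
    printf("prologue now starts with 0x%02X and jumps to 0x%llx (hook is at 0x%llx)\n", fake_lstrcmpA[0],
           (unsigned long long)decode_jmp_target((uintptr_t)fake_lstrcmpA, fake_lstrcmpA),
           (unsigned long long)(uintptr_t)hooked_lstrcmpA);
    printf("trampoline jumps back to func+5 = 0x%llx\n",
           (unsigned long long)decode_jmp_target((uintptr_t)trampoline + 5, trampoline + 5));
    return 0;
}
```

The range check in `encode_jmp_rel32` is the part that silently breaks 64-bit hooks: kernel32 and an injected DLL are usually within 2 GiB of each other, but the trampoline allocation may not be, so a real implementation either passes a nearby address to VirtualAlloc or falls back to an absolute jump.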
- Using CreateRemoteThread for DLL Injection on Windows
- Inline Hooking for Programmers
- Userland Hooking in Windows - High-Tech Bridge
- An In-Depth Look into the Win32 Portable Executable File Format
- x86 Disassembly/Windows Executable Files
- MSDN
A simple implementation of local IAT hooking, resulting in MessageBoxA running when Sleep is called (both are Win32 API functions).
Note: this is a high-level description; the code itself is commented in more detail.
- Parsing the local process's PE header to find the import directory and the IAT.
- Iterating over the imported modules and the imported functions of each module (and printing them).
- Finding the IAT entries of the MessageBoxA and Sleep Win32 API functions.
- Overwriting the Sleep function's address in the IAT with the address of MessageBoxA.
- Calling Sleep from code; the function actually invoked is MessageBoxA.
The imported modules are:
KERNEL32.dll
Imported functions for this module:
VirtualProtect at 0x76a5a3d0
GetModuleFileNameW at 0x76a5cea0
GetModuleHandleA at 0x76a5cd90
Sleep at 0x76a5a310
...
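The walk described above, as an added example that is not the repository's own code. It builds a minimal PE32+ image in memory, laid out the way a loaded module looks (RVA equals offset, the IAT already "resolved"), then does exactly the steps listed: DOS header to e_lfanew, NT headers to the import data directory, one IMAGE_IMPORT_DESCRIPTOR per module, the Import Name Table to find each function's name, and the matching IAT slot at FirstThunk plus 8 times the index. `hook_iat` then copies MessageBoxA's resolved address into Sleep's slot. The image, the module names and the three addresses (`SLEEP_ADDR`, `VIRTUALPROTECT_ADDR`, `MESSAGEBOXA_ADDR`) are constructed for the example; the structure offsets are those of winnt.h. Against a live process the same walk starts from `GetModuleHandle(NULL)` and the store into the IAT must be wrapped in VirtualProtect, because the loader leaves that page read-only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder addresses the loader would have written into the IAT. */
#define SLEEP_ADDR           0x00007FF800001000ULL
#define VIRTUALPROTECT_ADDR  0x00007FF800002000ULL
#define MESSAGEBOXA_ADDR     0x00007FF900003000ULL
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000ULL
#define IMG_SIZE 0x600

static uint64_t image_storage[IMG_SIZE / 8];   /* uint64_t so IAT slots can be written in place */

static uint16_t rd16(const uint8_t *p, size_t o) { uint16_t v; memcpy(&v, p + o, 2); return v; }
static uint32_t rd32(const uint8_t *p, size_t o) { uint32_t v; memcpy(&v, p + o, 4); return v; }
static uint64_t rd64(const uint8_t *p, size_t o) { uint64_t v; memcpy(&v, p + o, 8); return v; }
static void wr16(uint8_t *p, size_t o, uint16_t v) { memcpy(p + o, &v, 2); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { memcpy(p + o, &v, 4); }
static void wr64(uint8_t *p, size_t o, uint64_t v) { memcpy(p + o, &v, 8); }

/* DOS header -> e_lfanew -> "PE\0\0" -> OptionalHeader64.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].
 * Returns the RVA of the first IMAGE_IMPORT_DESCRIPTOR, or 0 if this is not a PE32+ image. */
size_t import_directory_rva(const uint8_t *img)
{
    if (img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img, 0x3C);                       /* IMAGE_DOS_HEADER.e_lfanew */
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    size_t opt = nt + 24;                                /* Signature (4) + IMAGE_FILE_HEADER (20) */
    if (rd16(img, opt) != 0x20B) return 0;               /* PE32+ only in this example */
    return rd32(img, opt + 112 + 8 * 1);                 /* DataDirectory[1].VirtualAddress */
}

/* Descriptor layout (20 bytes): OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk.
 * Thunk i of the Import Name Table names the function whose IAT slot is FirstThunk + 8*i.
 * Returns a pointer to that slot, or NULL if the function is not imported by name. */
uint64_t *find_iat_entry(uint8_t *img, const char *func)
{
    for (size_t d = import_directory_rva(img); d && rd32(img, d + 12); d += 20) {
        uint32_t int_rva = rd32(img, d), iat_rva = rd32(img, d + 16);
        for (size_t i = 0; rd64(img, int_rva + 8 * i); i++) {
            uint64_t t = rd64(img, int_rva + 8 * i);
            if (t & IMAGE_ORDINAL_FLAG64) continue;      /* imported by ordinal: nothing to match */
            if (strcmp((const char *)img + (t & 0x7FFFFFFFu) + 2, func) == 0)   /* skip 2-byte hint */
                return (uint64_t *)(img + iat_rva + 8 * i);
        }
    }
    return NULL;
}

/* Same walk, printing module names and each function's current IAT value. */
void list_imports(const uint8_t *img)
{
    for (size_t d = import_directory_rva(img); d && rd32(img, d + 12); d += 20) {
        printf("%s\n", (const char *)img + rd32(img, d + 12));
        uint32_t int_rva = rd32(img, d), iat_rva = rd32(img, d + 16);
        for (size_t i = 0; rd64(img, int_rva + 8 * i); i++) {
            uint64_t t = rd64(img, int_rva + 8 * i);
            if (t & IMAGE_ORDINAL_FLAG64) continue;
            printf("  %s at 0x%llx\n", (const char *)img + (t & 0x7FFFFFFFu) + 2,
                   (unsigned long long)rd64(img, iat_rva + 8 * i));
        }
    }
}

/* The hook: point `victim`'s IAT slot at the address already resolved for `replacement`.
 * Live process: VirtualProtect(v, 8, PAGE_READWRITE, &old) before the store, restore after. */
int hook_iat(uint8_t *img, const char *victim, const char *replacement)
{
    uint64_t *v = find_iat_entry(img, victim), *r = find_iat_entry(img, replacement);
    if (!v || !r) return -1;
    *v = *r;
    return 0;
}

/* Build the constructed image: two modules, three named imports, IAT pre-resolved. */
uint8_t *build_image(void)
{
    uint8_t *img = (uint8_t *)image_storage;
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img, 0x3C, 0x40);                          /* e_lfanew: NT headers at 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);
    wr16(img, 0x44, 0x8664);                        /* IMAGE_FILE_MACHINE_AMD64 */
    wr16(img, 0x54, 240);                           /* SizeOfOptionalHeader for PE32+ */
    wr16(img, 0x58, 0x20B);                         /* OptionalHeader.Magic */
    wr32(img, 0x58 + 108, 16);                      /* NumberOfRvaAndSizes */
    wr32(img, 0x58 + 120, 0x200);                   /* import directory RVA */
    wr32(img, 0x58 + 124, 3 * 20);                  /* import directory size (2 + terminator) */
    wr32(img, 0x200, 0x300); wr32(img, 0x20C, 0x400); wr32(img, 0x210, 0x380);  /* KERNEL32.dll */
    wr32(img, 0x214, 0x320); wr32(img, 0x220, 0x410); wr32(img, 0x224, 0x3A0);  /* USER32.dll */
    wr64(img, 0x300, 0x500); wr64(img, 0x308, 0x510);   /* INT: Sleep, VirtualProtect */
    wr64(img, 0x320, 0x530);                            /* INT: MessageBoxA */
    wr64(img, 0x380, SLEEP_ADDR); wr64(img, 0x388, VIRTUALPROTECT_ADDR);   /* IAT (resolved) */
    wr64(img, 0x3A0, MESSAGEBOXA_ADDR);
    strcpy((char *)img + 0x400, "KERNEL32.dll"); strcpy((char *)img + 0x410, "USER32.dll");
    strcpy((char *)img + 0x502, "Sleep");           /* hint/name entries: 2-byte hint, then name */
    strcpy((char *)img + 0x512, "VirtualProtect");
    strcpy((char *)img + 0x532, "MessageBoxA");
    return img;
}

int main(void)
{
    uint8_t *img = build_image();
    puts("Before hook:"); list_imports(img);
    if (hook_iat(img, "Sleep", "MessageBoxA") != 0) return 1;
    puts("After hook (Sleep's slot now holds MessageBoxA's address):"); list_imports(img);
    return 0;
}
```

Two details matter when this is run against a real module: imports by ordinal have bit 63 set in the thunk and carry no name, so they must be skipped rather than dereferenced, and only calls that go through the IAT (the normal `call [rip+disp]` the compiler emits) are redirected; code that resolved Sleep itself with GetProcAddress is unaffected, which is the main limitation of IAT hooking compared with the inline hook above.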