STATIC DLL INJECTION

INTRODUCTION

DEFINING DLL

according to microsoft "A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions. Therefore, each program can use the functionality that is contained in this DLL to implement an Open dialog box. This helps promote code reuse and efficient memory usage.

By using a DLL, a program can be modularized into separate components. For example, an accounting program may be sold by module. Each module can be loaded into the main program at run time if that module is installed. Because the modules are separate, the load time of the program is faster, and a module is only loaded when that functionality is requested.

Additionally, updates are easier to apply to each module without affecting other parts of the program. For example, you may have a payroll program, and the tax rates change each year. When these changes are isolated to a DLL, you can apply an update without needing to build or install the whole program again.

The following list describes some of the files that are implemented as DLLs in Windows operating systems:

ActiveX Controls (.ocx) files

An example of an ActiveX control is a calendar control that lets you select a date from a calendar.

Control Panel (.cpl) files

An example of a .cpl file is an item that is located in Control Panel. Each item is a specialized DLL.

Device driver (.drv) files

An example of a device driver is a printer driver that controls the printing to a printer." 

let us make this some more clearer than microsoft defination " A dynamic link library (DLL) is a collection of small programs, any of which can be called when needed by a larger program that is running in the computer. The small program that lets the larger program communicate with a specific device such as a printer or scanner is often packaged as a DLL program (usually referred to as a DLL file). DLL files that support specific device operation are known as device driver."

DEFINING DLL INJECTION

Code and DLL injection refer to a method for attackers to manipulate programs and processes to execute another program.  DLL injection provides a manner for attributing the malicious .dll to running processes.  Processes are tasks that are being handled by the operating system.  

There are two kinds of injection: 

Static injection - Static injection occurs prior to program execution.

Dynamic injection- Dynamic injection occurs when processes are loaded into memory.

HOW TO DO A STATIC DLL INJECTION

A file is altered, by 'injecting' a jump at the beginning of the filespace.  This jump directs to arbitrary code written by an attacker into available space of the filespace of a program.

TOOLS WE USE

Sysinternal’s Process Explorer(PE)

OllyDbg

NOW INJECTION

We will now explore static code injection.  For this purpose, we will manipulate the Windows game Mineswipper so that before it runs it displays a message saying “hi HL geeks”

 

First, go to C:\WINDOWS\system32 and make a copy of winmine.exe into a file with a different name (for security purpose)

In order to manipulate winmine.exe, we will use OllyDbg, “a 32-bit assembler level analysing debugger for Microsoft Windows.  Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.”

The first time you run OllyDbg you might get a message asking you whether you want to update on the library (.dll) files.  Just say no

Click Open, and open winmine.exe.  What you will get in OllyDbg is assembly code of winmine.exe 

On the right part of the screen you will see the Register values.  The EIP register is a pointer to the next command that will execute.  In this case it should store the Module Entry Point

The memory space of winmine.exe contains a lot of useful information, but it also contains areas with no useful information whatsoever.  These areas are full of noop operations (\x00's).  These areas could be modified to add code without corrupting winmine.exe.

 In OllyDbg, on the left upper window (right below the menu), scroll down until you find a big group of noops put together where you have enough space to add your code.  The place you find is called a 'cave',

Now in the 'cave' we found we will add a Message Box call.

The function call is:

MsgBoxA(0,”hi HL geeks”,”hi HL geeks”,0)

So this is the ASM code for doing that: 

Push 0

Push “hi HL geeks”

Push “hi HL geeks”

Push 0

Call User32.MessageBoxA

In Machine Code we go to an even lower level...we must allocate space for the “hi HL geeks” string and then push the address of this allocated memory by doing a

Push

We will now add the code.  Highlight a bunch (about 20) of NOOPs from the cave.  Right click and select Binary->Edit.  Now on the Ascii field simply type in “hi HL geeks”  

You will now get some garbage on OllyDbg.  Do not worry.  Olly needs to reanalyze this code.  Press CTRL + A to analyze the code.  After this, you should see “hi HL geeks” in some address.

Now below the address where you added your string, double click on one of the “DB 00” fields.  You will get an Assemble at

window.

Type in:

 push 0

 and press Assembler.  A new Assemble at will appear.  Now type in:

 push MYADDRESS

where MYADDRESS is the address where your string is located. In the next address you should type: 

push MYADDRESS

again (because you are pushing the same string 2 times, once for the header of the box once for the message in the box).  On the next address we type in:

push 0

again.  Finally we have to call the actual function call, so on the next address type:

call user32.MessageBoxA

Now press the '*' key in your numpad, this will take you to the top of the window (the origin).  Select the first 6 instructions, highlight them and then press CTRL + C (for backup).  Paste this code into notepad.

Now we will overwrite some code.  Double click on the Origin instruction and type in:

JMP CODEADDRESS

where CODEADDRESS is the address where your code starts

You will notice that more than one line got edited.  The edited lines will be in red.  Compare the first few lines with your copy in Notepad and delete the lines that are duplicated from Notepad.  The lines that are not duplicated we will need to add again somewhere.

It is important to keep this address because what the program will do is read the EIP register.  This points to the line where we added the JMP.  The JMP will redirect the PC to the new code.  The new code will execute, and then we want to jump back to the address you just wrote down so that normal execution continues as if nothing had happened.  However, before we return to normal execution, we have to add the code that we overwrote.  So we add this at the end of our code before we jump back to the beginning of the code.

Go to back to the origin.  Highlight the origin instruction, and right click with your mouse.  Then press Follow.  This will take you to the address to which the origin jumps.  If you have done everything correctly so far, this should take you to the beginning of your code (The first push 0).

Now we need to add the code that was overwritten (which we copied in notepad,).  Add the remaining instructions from notepad at the end (immediately after the Call MessageBox command).

Note:  If it says something like 'PUSH winmine.1234567' in notepad, just type in 'push 1234567'). 

Now at the last line of the new code insert the command 

JMP SECONDADDRESS

where SECONDADDRESS is the address of the second line, or the line after the origin 

Now right click and go to Copy to executable -> All Modifications.

On the window that appears select:

Copy All

A new window will appear.  Click yes to save modifications.  Save as a different name. 

Now press Run (the play button at the top of Olly).  The Message Box should have appeared and then Winmine.

It is all how it works ,if u people also intrested in dynamic dll injection then plz comment in this post

credits-ECE,MICROSOFT