About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New


Customize Theme

Flag: Tornado! Hurricane!

Blogs >> Dreg's Blog

Created: Monday, December 15 2008 15:25.14 CST Modified: Tuesday, December 16 2008 10:36.19 CST
Printer Friendly ...
Bypassing DLL injection method based in thread injectin or based in code injection in any thread diferent to main (in this case)
Author: Dreg # Views: 3852

This project bypass: Dll injection method based in thread injection or based in code injection in any thread diferent to main (in this case).

The bypass method is held the LoaderLock in main() forever:
- Main()\n"
- RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
- Code;

This works, because a thread can not load a DLL if the LoaderLock is held by other thread. The LoadLibrary in the other thread waits the unlock forever.

The trick only works if the thread injection or code injection in any thread, diferent to main, executes before the RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );

This trick only works if the process is created without a suspend method from scratch. For example, the trick is useful for the runtime Dll Injectors.

This project include dll injectors.

Note: This method may be can be dangerous and cause deadlocks in real project.

Note2: Of course, this project also bypass windows hook engines which if the LoaderLock is held not executes the
hook handler. And the code executes CreateFileW and bypass engines like easy-hook FILEMON.

Note3: Of course, this POC is for LoadLibrary and other APIs which use LoaderLock, about the COM initializations:

"Initialize COM threads by using CoInitializeEx. Under certain conditions, this function can call LoadLibraryEx." - http://www.microsoft.com/whdc/driver/kernel/DLL_bestprac.mspx

Examples with Injectors which try to inject the dll in the bypass_dllinj_wbti.exe process:

- InjectorDLL of phook (http://www.fr33project.org/projects):

C:\bypass_dllinj_wbti\Release>InjectorDll.exe" FileMonInject.dll -p 268
...
[OK]   - Procces Attached [0268].
[INFO] - Injecting DLL...
     [OK]   - Allocate memory in the extern process.
     [INFO] - Address reserved on the other process: 0x003C0000
     [INFO] - Space requested: 306
     [OK]   - Creating structure for the dll load.
     [OK]   - Writing structure for the dll load.
     [OK]   - Creating remote thread.
     [INFO] - Thread created with TID: 0x03E0
     [INFO] - Attempt: 10
     [FAIL] - Thread couldn't be suspended.
     [OK]   - Injection thread ended.
...

- EasyHook FILEMON (which inject the easy-hook DLL):

C:\bypass_dllinj_wbti\Release>FileMon.exe 1180
....

Number of assemblies processed = 3
Number of assemblies installed = 3
Number of failures = 0

There was an error while connecting to target:
System.ApplicationException: STATUS_INTERNAL_ERROR:  (Code: 0)
   en EasyHook.NativeAPI.Force(Int32 InErrorCode)
....

The project: http://www.fr33project.org/projects/bypass_dllinj_wbti.rar


Blog Comments
camus Posted: Tuesday, December 16 2008 08:03.56 CST
But this affect any LoadLibrary call in your app. Even in proc COM initializations.. This not good at all.

Dreg Posted: Tuesday, December 16 2008 10:24.39 CST
Of course, this POC is for LoadLibrary and other APIs which use LoaderLock, about the COM initializations:

"Initialize COM threads by using CoInitializeEx. Under certain conditions, this function can call LoadLibraryEx." [R.1]

[R.1] - http://www.microsoft.com/whdc/driver/kernel/DLL_bestprac.mspx

Included in this paper:

- The Library Loader, DLLMain, and the Loader Lock

- Interactions Between the Loader, the Loader Lock, and DLLMain

- Best Practices for Implementing DLLMain



Add New Comment
Comment:









Active in Last 5 Minutes
unlarborn
pyro

There are 16,613 total registered users.


Recently Created Topics
how to crate a PATC...
Mar/10
wsnpoem audio.dll
Mar/09
suggestions - RE tra...
Mar/09
Requesting Suggestio...
Mar/06
Force enable debug p...
Mar/05
upgrading new image ...
Mar/03
upgrading new image ...
Mar/03
upgrading new image ...
Mar/03
Can some one give me...
Mar/02
Error in generating ...
Feb/28


Recent Forum Posts
suggestions - RE tra...
enm16
wsnpoem audio.dll
zhane
suggestions - RE tra...
Silkut
how to crate a PATC...
Silkut
suggestions - RE tra...
RolfRolles
wsnpoem audio.dll
debbie
Requesting Suggestio...
secursig
Requesting Suggestio...
phn1x
how to get executabl...
RabidCi...
how to get executabl...
RabidCi...


Recent Blog Entries
RolfRolles
Mar/08
Compiler Optimizations for ...
ReWolf
Mar/04
When memory management goes...
thesprawler
Feb/20
log1949.txt -- Wondering ho...
thesprawler
Feb/20
log1949.log -- created on C...
thesprawler
Feb/17
Trying to reverse the firmw...
More ...


Recent Blog Comments
Boken on:
Mar/12
Compiler Optimizations for ...
wildinto on:
Mar/10
Compiler Optimizations for ...
Orr on:
Mar/10
Compiler Optimizations for ...
bughoho on:
Mar/09
Compiler Optimizations for ...
cliffwolf on:
Mar/08
Compiler Optimizations for ...
More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit