OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Store Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Monday, December 15 2008 15:25.14 CST

Modified: Tuesday, December 16 2008 10:36.19 CST

Printer Friendly ...

Bypassing DLL injection method based in thread injectin or based in code injection in any thread diferent to main (in this case)

Author: Dreg

# Views: 3786

This project bypass: Dll injection method based in thread injection or based in code injection in any thread diferent to main (in this case).

The bypass method is held the LoaderLock in main() forever:
- Main()\n"
- RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
- Code;

This works, because a thread can not load a DLL if the LoaderLock is held by other thread. The LoadLibrary in the other thread waits the unlock forever.

The trick only works if the thread injection or code injection in any thread, diferent to main, executes before the RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );

This trick only works if the process is created without a suspend method from scratch. For example, the trick is useful for the runtime Dll Injectors.

This project include dll injectors.

Note: This method may be can be dangerous and cause deadlocks in real project.

Note2: Of course, this project also bypass windows hook engines which if the LoaderLock is held not executes the
hook handler. And the code executes CreateFileW and bypass engines like easy-hook FILEMON.

Note3: Of course, this POC is for LoadLibrary and other APIs which use LoaderLock, about the COM initializations:

"Initialize COM threads by using CoInitializeEx. Under certain conditions, this function can call LoadLibraryEx." - http://www.microsoft.com/whdc/driver/kernel/DLL_bestprac.mspx

Examples with Injectors which try to inject the dll in the bypass_dllinj_wbti.exe process:

- InjectorDLL of phook (http://www.fr33project.org/projects):

C:\bypass_dllinj_wbti\Release>InjectorDll.exe" FileMonInject.dll -p 268
...
[OK]   - Procces Attached [0268].
[INFO] - Injecting DLL...
     [OK]   - Allocate memory in the extern process.
     [INFO] - Address reserved on the other process: 0x003C0000
     [INFO] - Space requested: 306
     [OK]   - Creating structure for the dll load.
     [OK]   - Writing structure for the dll load.
     [OK]   - Creating remote thread.
     [INFO] - Thread created with TID: 0x03E0
     [INFO] - Attempt: 10
     [FAIL] - Thread couldn't be suspended.
     [OK]   - Injection thread ended.
...

- EasyHook FILEMON (which inject the easy-hook DLL):

C:\bypass_dllinj_wbti\Release>FileMon.exe 1180
....

Number of assemblies processed = 3
Number of assemblies installed = 3
Number of failures = 0

There was an error while connecting to target:
System.ApplicationException: STATUS_INTERNAL_ERROR:  (Code: 0)
   en EasyHook.NativeAPI.Force(Int32 InErrorCode)
....

The project: http://www.fr33project.org/projects/bypass_dllinj_wbti.rar

Blog Comments

camus	Posted: Tuesday, December 16 2008 08:03.56 CST
But this affect any LoadLibrary call in your app. Even in proc COM initializations.. This not good at all.

Dreg

Posted: Tuesday, December 16 2008 10:24.39 CST

Of course, this POC is for LoadLibrary and other APIs which use LoaderLock, about the COM initializations:

"Initialize COM threads by using CoInitializeEx. Under certain conditions, this function can call LoadLibraryEx." [R.1]

[R.1] - http://www.microsoft.com/whdc/driver/kernel/DLL_bestprac.mspx

Included in this paper:

- The Library Loader, DLLMain, and the Loader Lock

- Interactions Between the Loader, the Loader Lock, and DLLMain

- Best Practices for Implementing DLLMain

Active in Last 5 Minutes
	hugo
	Wannabe

There are 15,871 total registered users.

Recently Created Topics
Career: Technical Pr...	Feb/04
Help needed with: ge...	Feb/04
A question regarding...	Feb/01
Compiler infector an...	Jan/29
Yahoo autoupdater vi...	Jan/27
Solidshield VM Analyse	Jan/27
Tuto about unpacking...	Jan/25
IDA Pro plugins don'...	Jan/20
Bug -- proc_peek_rec...	Jan/17
SYSTEM_INFORMATION_C...	Jan/16

Recent Forum Posts
IDA Pro plugins don'...	Cluster
RECON	hugo
A question regarding...	ronnie2...
A question regarding...	lallous
A question regarding...	detlef
RECON	hugo
Tuto about unpacking...	jumpzero
Yahoo autoupdater vi...	invisghost
Kindle for PC DRM	clarknova
Stack tracing with I...	Hanumaan

Recent Blog Entries
	mjobin	Feb/08
Malware Research Analyst Op...
	lin0xx	Feb/04
User-supplied Array Index E...
	cyphunk	Feb/03
JTAG Enumeration (tool)
	dragula	Jan/29
Reversing compiler infector...
	GynvaelColdwind	Jan/26
The tale of Syndicate Wars ...
More ...

Recent Blog Comments
	cyphunk on:	Feb/03
JTAG Enumeration (tool)
	GynvaelColdwind on:	Feb/03
JTAG Enumeration (tool)
	suirp on:	Feb/02
Administrator account VS. S...
	DelightedZuk on:	Jan/31
GDT / LDT Windows Kernel Ex...
	DelightedZuk on:	Jan/31
Administrator account VS. S...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit