Created: Monday, December 15 2008 15:25.14 CST
Modified: Tuesday, December 16 2008 10:36.19 CST
Bypassing DLL injection methods based on thread injection, or on code injection into any thread other than main (in this case)
Author: Dreg
Views: 4238
This project bypasses DLL injection methods based on thread injection, or on code injection into any thread other than main (in this case).
The bypass method is to hold the LoaderLock in main() forever:
- Main()
- RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock );
- Code;
This works because a thread cannot load a DLL while the LoaderLock is held by another thread: the LoadLibrary call in the other thread waits for the unlock forever.
The trick only works if the thread injection, or the code injection into any thread other than main, executes before the RtlEnterCriticalSection( NtCurrentTeb()->Peb->LoaderLock ) call.
This trick only works if the process is not created suspended from scratch. For example, the trick is useful against runtime DLL injectors.
This project includes DLL injectors.
Note: this method may be dangerous and cause deadlocks in a real project.
Note2: Of course, this project also bypasses Windows hook engines which do not execute the hook handler while the LoaderLock is held. The code executes CreateFileW and bypasses engines like EasyHook FILEMON.
Note3: Of course, this POC is for LoadLibrary and other APIs which use the LoaderLock; about the COM initializations:
"Initialize COM threads by using CoInitializeEx. Under certain conditions, this function can call LoadLibraryEx." -
http://www.microsoft.com/whdc/driver/kernel/DLL_bestprac.mspx
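The mechanism above, and the deadlock hazard in the Note, can be seen in a portable model. The following is an added example, not code from the project: it models the loader lock with a pthreads mutex instead of the real critical section reached through NtCurrentTeb()->Peb->LoaderLock, so it builds on Linux. The names load_library_sim, hold_loader_lock_forever, load_from_other_thread and is_loaded are hypothetical stand-ins, and the module names are constructed. A timeout replaces the real infinite wait so the program can report "blocked" instead of hanging.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_MODULES 8
#define NAME_LEN 32

/* Model of the process-wide loader lock (the real one is the critical section
   at NtCurrentTeb()->Peb->LoaderLock). Every module load must acquire it,
   which is what serialises DLL loads across threads. */
static pthread_mutex_t loader_lock = PTHREAD_MUTEX_INITIALIZER;
static char loaded_modules[MAX_MODULES][NAME_LEN];
static int loaded_count = 0;

/* Stand-in for LoadLibrary: acquire the loader lock, record the module, release.
   Uses a timed lock so the demo reports "blocked" (0) instead of waiting forever
   the way a real injected thread would. Returns 1 on success. */
int load_library_sim(const char *name, int timeout_ms)
{
    struct timespec deadline;
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec += 1;
        deadline.tv_nsec -= 1000000000L;
    }
    if (pthread_mutex_timedlock(&loader_lock, &deadline) != 0)
        return 0; /* ETIMEDOUT: another thread holds the loader lock */
    if (loaded_count < MAX_MODULES) {
        strncpy(loaded_modules[loaded_count], name, NAME_LEN - 1);
        loaded_modules[loaded_count][NAME_LEN - 1] = '\0';
        loaded_count++;
    }
    pthread_mutex_unlock(&loader_lock);
    return 1;
}

/* What the post's main() does: take the loader lock and never release it. */
void hold_loader_lock_forever(void)
{
    pthread_mutex_lock(&loader_lock);
}

struct load_request { const char *name; int timeout_ms; int result; };

static void *other_thread(void *arg)
{
    struct load_request *req = arg;
    req->result = load_library_sim(req->name, req->timeout_ms);
    return NULL;
}

/* Run a LoadLibrary attempt from a thread other than main, the way an
   injector's remote-thread stub, or any legitimate worker thread, would. */
int load_from_other_thread(const char *name, int timeout_ms)
{
    struct load_request req = { name, timeout_ms, 0 };
    pthread_t tid;
    if (pthread_create(&tid, NULL, other_thread, &req) != 0)
        return 0;
    pthread_join(tid, NULL);
    return req.result;
}

/* Lock-free lookup: taking loader_lock here would deadlock once main holds it,
   which is exactly the hazard the post's Note warns about. Safe because every
   loader thread has been joined before this is called. */
int is_loaded(const char *name)
{
    for (int i = 0; i < loaded_count; i++)
        if (strcmp(loaded_modules[i], name) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("before lock, worker load: %d\n", load_from_other_thread("legit.dll", 200));
    hold_loader_lock_forever(); /* the post's RtlEnterCriticalSection step */
    printf("after lock, injected load: %d\n", load_from_other_thread("injected.dll", 200));
    printf("after lock, legitimate load (deadlock hazard): %d\n",
           load_from_other_thread("needed_by_com.dll", 200));
    return 0;
}
```

The third call is the point camus raises in the comments: the lock does not distinguish an injector's thread from the process's own worker that needs a DLL, or from a COM initialisation that ends up in LoadLibraryEx, so both block identically. Build with `gcc -pthread`.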
Examples with injectors which try to inject the DLL into the bypass_dllinj_wbti.exe process:
- InjectorDLL of phook (http://www.fr33project.org/projects):
C:\bypass_dllinj_wbti\Release>InjectorDll.exe" FileMonInject.dll -p 268
...
[OK] - Procces Attached [0268].
[INFO] - Injecting DLL...
[OK] - Allocate memory in the extern process.
[INFO] - Address reserved on the other process: 0x003C0000
[INFO] - Space requested: 306
[OK] - Creating structure for the dll load.
[OK] - Writing structure for the dll load.
[OK] - Creating remote thread.
[INFO] - Thread created with TID: 0x03E0
[INFO] - Attempt: 10
[FAIL] - Thread couldn't be suspended.
[OK] - Injection thread ended.
...
- EasyHook FILEMON (which injects the EasyHook DLL):
C:\bypass_dllinj_wbti\Release>FileMon.exe 1180
....
Number of assemblies processed = 3
Number of assemblies installed = 3
Number of failures = 0
There was an error while connecting to target:
System.ApplicationException: STATUS_INTERNAL_ERROR: (Code: 0)
en EasyHook.NativeAPI.Force(Int32 InErrorCode)
....
The project:
http://www.fr33project.org/projects/bypass_dllinj_wbti.rar
Blog Comments
camus
Posted: Tuesday, December 16 2008 08:03.56 CST
But this affects any LoadLibrary call in your app, even in-proc COM initializations. This is not good at all.
Dreg
Posted: Tuesday, December 16 2008 10:24.39 CST
Of course, this POC is for LoadLibrary and other APIs which use the LoaderLock; about the COM initializations:
"Initialize COM threads by using CoInitializeEx. Under certain conditions, this function can call LoadLibraryEx." [R.1]
[R.1] - http://www.microsoft.com/whdc/driver/kernel/DLL_bestprac.mspx
Included in this paper:
- The Library Loader, DLLMain, and the Loader Lock
- Interactions Between the Loader, the Loader Lock, and DLLMain
- Best Practices for Implementing DLLMain