Other: AppInit Hot Code Patching

File Information
Category: Other
Open Source: No
Downloads: 6,348
Version: 1.0

Download from OpenRCE
MD5 Sum: 8EE2CEC22C6340B890C2CE475EDD9E96

Last updated on Mar 2, 2006.

Author Information
Username: vam
Name: Vinay A. Mahadik
E-Mail: vamahadikfastmailfm
URL: http://

Description

This utility is essentially a combination of the "AppInit_DLLs" and "Hot Code Patching" tricks applied to reverse engineering. Very briefly, this is how it works:

- The utility is compiled as a DLL
- The AppInit_DLLs value in the registry (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs) is modified to point to this DLL.
- This way each Win32 exe that uses user32.dll loads this DLL (and its dependencies) at load time. (No reboot is necessary, contrary to what the Richter book says.)
- Inside the DLL, check whether the exe name is the one you want to monitor; otherwise just return.
- For the target exe, the DLL is loaded very early on by the loader (when user32.dll is loaded).
- It first creates a thread that checks whether the exe is unpacked in memory. The thread is needed so the DLL can keep polling the exe for its unpacked status (for exes that are indeed packed).
- Once it finds that the exe is unpacked in memory, it patches the exe's memory image so that the target subroutine (the one that produces the debugging info) contains a jump to a "shellcode" in the DLL.
- The shellcode is relocatable, so the DLL can be loaded at a non-standard image base and things should still work. (I rebased the DLL to test this.)
- The shellcode first saves the state of the process to memory, so it is free to process and do almost anything it wants.
- There I dump all the debug info into a log file on disk. This is just an illustration; you could do pretty much anything you want in the shellcode, such as gathering/logging (or even altering) the state of the process.
- Then the state is restored, and the instructions that were overwritten by the patch are executed as part of the shellcode's trailer itself.
- Then we jump back to the original, unpatched code following the patch site as if nothing happened.
- This repeats each time that subroutine/patched address is executed.


Build Instructions:

On MS VC++ (tested on .NET 2003):
cl /c RE_DLLCodeInj.cpp
link /DLL RE_DLLCodeInj.obj


Pros:

- Relocatable shellcode/dll, image base collisions will not affect the shellcode functionality.
- Ideal for cases where a GUI based Win32 app first unpacks in memory.
- A scriptable debugger can be used to jump to the shellcode inside the DLL when the "execute" breakpoint is hit. Typically this can't be used, because the scripting is usually too slow and/or the debugger might get detected when it attaches to or starts the process under it.
- The CreateRemoteThread method loses out on the activity that occurs before it attaches to the process. The AppInit_DLLs trick starts from the time the exe is loaded.
- Can be used along with Microsoft's Detours library. The latter is more suited to *function* hooking/instrumentation. Try using it for patching the middle of a function inside an exe that unpacks after loading: not easy/suited.

Cons:

- Will not work if code integrity checks are calculated over the patched areas of the process. A scriptable debugger's execute breakpoint can be used in that case (slow/might be detected as well).
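As an added illustration of the integrity check that the con above refers to (this is not code from the tool or from this page), the following portable C takes a checksum of a routine's prologue bytes and decodes a 5-byte near JMP (E9 rel32) so a defender can tell whether the routine's entry now transfers control outside the module's own image. The 32-bit addresses, prologue bytes and the DLL target address are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit sample: the first 8 bytes of a routine at 0x00401000 inside
   an image mapped at 0x00400000 with size 0x10000. */
#define FUNC_VA   0x00401000u
#define IMG_BASE  0x00400000u
#define IMG_SIZE  0x00010000u

/* push ebp; mov ebp,esp; sub esp,0x40; push esi; push edi */
const uint8_t ORIG_PROLOGUE[8]    = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x56, 0x57};
/* Same routine after a hot patch: jmp 0x10001234 (hypothetical DLL address), then a
   NOP covering the tail of the displaced "sub esp,0x40". */
const uint8_t PATCHED_PROLOGUE[8] = {0xE9, 0x2F, 0x02, 0xC0, 0x0F, 0x90, 0x56, 0x57};

/* FNV-1a over a code region; compare against a baseline taken right after load. */
uint32_t code_checksum(const uint8_t *code, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= code[i]; h *= 16777619u; }
    return h;
}

/* If `code` starts with a 5-byte near JMP (E9 rel32), store its absolute target
   and return 1. `va` is the virtual address of code[0]. */
int decode_near_jmp(const uint8_t *code, uint32_t va, uint32_t *target) {
    int32_t rel;
    if (code[0] != 0xE9) return 0;
    memcpy(&rel, code + 1, sizeof rel);   /* rel32 is relative to the next instruction */
    *target = va + 5 + (uint32_t)rel;
    return 1;
}

/* 1 if the routine's entry now jumps outside [base, base+size), i.e. into foreign code. */
int entry_jumps_out_of_image(const uint8_t *code, uint32_t va, uint32_t base, uint32_t size) {
    uint32_t target;
    if (!decode_near_jmp(code, va, &target)) return 0;
    return target < base || target - base >= size;
}

int main(void) {
    uint32_t baseline = code_checksum(ORIG_PROLOGUE, sizeof ORIG_PROLOGUE);
    uint32_t now      = code_checksum(PATCHED_PROLOGUE, sizeof PATCHED_PROLOGUE);
    uint32_t target   = 0;
    printf("checksum changed: %s\n", baseline != now ? "yes" : "no");
    if (decode_near_jmp(PATCHED_PROLOGUE, FUNC_VA, &target))
        printf("entry is a JMP to 0x%08X (%s image)\n", target,
               entry_jumps_out_of_image(PATCHED_PROLOGUE, FUNC_VA, IMG_BASE, IMG_SIZE) ? "outside" : "inside");
    return 0;
}
```

In a real process the baseline would be taken from the on-disk image or right after load, and the comparison repeated while the program runs; a patch like the one this tool applies changes the checksum and leaves an E9 whose target lies in the injected DLL.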
