dwtf released!

dwtf creates a fake.dll from real.dll.

Features:
1- It exports all symbols of real.dll (also forwarders).
2- It imports all exports of real.dll (also forwarders).
3- It creates a code area with a JMP DWORD [ADDRESS] for each export.
4- Each export of the fake DLL is assigned to a JMP area which jumps to the original export of real.dll.

Download: http://rootkitanalytics.com/userland/dwtf.php

For more detailed information visit my post in rootkit.com: Generating any DLL for PEB Hooking or replacing in disk, binary form: http://www.rootkit.com/blog.php?newsid=988

If you are doing PEB HOOKING, when the APP calls a fake dll export it jumps to the original export, and everything works fine:

Before PEB HOOKING: APP -> IAT OF APP -> REAL DLL EXPORT
After PEB HOOKING:  APP -> IAT OF APP -> FAKE DLL EXPORT -> IAT OF FAKE DLL -> REAL DLL EXPORT

You can add or remove payloads with any IAT HOOKING in the IAT of the fake dll:

APP -> IAT OF APP -> FAKE DLL EXPORT -> IAT OF FAKE DLL -> PAYLOAD STACK -> (or never) REAL DLL EXPORT

Syntax:  dwtf.exe fake_dll real_dll
Example: dwtf.exe k32.dll c:\windows\system32\kernel32.dll

Sincerely,
Dreg.
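The structure described above (every export is a JMP DWORD [ADDRESS] trampoline through the fake DLL's own IAT to a same-named import of the real DLL) is also a static signature a defender can look for. The following is an added example, not part of dwtf or the post: it assumes the PE export directory and IAT have already been extracted (e.g. with a PE parser) into the plain dicts shown, with all addresses and bytes constructed for the demo.

```python
import struct

# Constructed sample (not dwtf output): maps each IAT slot of the fake DLL, by
# absolute address, to the (module, symbol) import it resolves.  Addresses are made up.
IAT = {
    0x10002000: ("kernel32.dll", "CreateFileA"),
    0x10002004: ("kernel32.dll", "ReadFile"),
    0x10002008: ("kernel32.dll", "GetProcAddress"),
}

def jmp_indirect_target(code: bytes):
    """Return the slot address if code begins with JMP DWORD PTR [disp32] (FF 25), else None."""
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return struct.unpack_from("<I", code, 2)[0]
    return None

def classify_export(name: str, code: bytes, iat: dict, self_name: str) -> str:
    """Label one export: ordinary code, or a trampoline through the DLL's own IAT."""
    slot = jmp_indirect_target(code)
    if slot is None:
        return "native"
    if slot not in iat:
        return "jmp-outside-iat"            # indirect jump, but not via an import slot
    module, symbol = iat[slot]
    if module.lower() == self_name.lower():
        return "self-import"
    # dwtf pattern: export X of fake.dll jumps to import X of real.dll
    return "proxy-same-name" if symbol == name else "proxy-other-name"

def scan_exports(exports: dict, iat: dict, self_name: str):
    """Classify every export; a DLL whose exports are all trampolines into
    another module is reported as a proxy/forwarding DLL."""
    labels = {n: classify_export(n, c, iat, self_name) for n, c in exports.items()}
    proxied = sum(1 for v in labels.values() if v.startswith("proxy-"))
    verdict = "proxy-dll" if exports and proxied == len(exports) else "mixed-or-native"
    return labels, verdict

def stub(slot: int) -> bytes:
    """Build the FF 25 <slot> stub bytes (constructed test data)."""
    return b"\xff\x25" + struct.pack("<I", slot)

# Constructed export tables: bytes at each export's entry point.
SAMPLE_PROXY = {
    "CreateFileA": stub(0x10002000),
    "ReadFile": stub(0x10002004),
    "GetProcAddress": stub(0x10002008),
}
# push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret  -> a real function body
SAMPLE_MIXED = dict(SAMPLE_PROXY, Helper=b"\x55\x8b\xec\x33\xc0\x5d\xc3")

if __name__ == "__main__":
    for exports in (SAMPLE_PROXY, SAMPLE_MIXED):
        print(scan_exports(exports, IAT, "k32.dll"))
```

This only covers the on-disk layout; the payload chain in the post is a runtime change to the fake DLL's IAT slots, so a memory check would additionally compare each slot's value with the real module's export address.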