Topic created on: March 22, 2007 09:09 CDT by JLeCours.
I know this topic isn't new, but I was hoping there is an easier way to accomplish this. When I load my executable into OllyDbg, the loader loads all the DLLs it imports from and breaks at the first "System breakpoint" ( as per OllyDbg's Debugging Options ).
What is the easiest way to break on the DLLs being loaded before the initial breakpoint? I've tried setting breakpoints on the address pointed to by the PE's AddressOfEntryPoint field, but they don't seem to be hitting. Is there a plugin for TRULY breaking on a new module being loaded?
http://www.security-assessment.com/files/whitepapers/PreDebug.pdf
Supposedly setting the regkey HKLM\Software\Windows NT\CurrentVersion\Image File Execution Options\<MyDllName>\BreakOnDllLoad to 1 would force the loader to throw a breakpoint when this dll is being loaded. However, when I Debug->Restart in OllyDbg, I watch it load MyDll and keep on loading. :)
The above mentioned white paper has some great references and is interesting for anyone who was unaware of this type of technique; however, I feel like debugging this type of situation can't be uncommon. There must be a less painful method than replacing kernel32 and editing its loading functions to force a breakpoint ( or something along those lines ). Seems like there would be an Olly plugin...
|
you can check out this plugin
http://www.reversing.be/article.php?story=20050603193932184
If you set a tempbreak on DllInitRoutines (after enabling SHOW_LOADER_SNAPS), OllyDbg will stop on the actual DllInitRoutine. Options -> Debugging options -> Events -> "Break on new module" will stop in ntdll; this plugin will stop on the real DLL's DllMain, if there is one available.
A sample output on calc.exe:
Log data
Info: Simple .ARG file that decodes ZwSystemDebugControl
File 'C:\WINDOWS\SYSTEM32\calc.exe'
New process with ID 000005A8 created
01012475 Main thread with ID 0000010C created
01000000 Module C:\WINDOWS\SYSTEM32\calc.exe
70A70000 Module C:\WINDOWS\system32\SHLWAPI.dll
773D0000 Module C:\WINDOWS\system32\SHELL32.dll
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
77C70000 Module C:\WINDOWS\system32\GDI32.dll
77D40000 Module C:\WINDOWS\system32\USER32.dll
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E60000 Module C:\WINDOWS\system32\kernel32.dll
77F50000 Module C:\WINDOWS\System32\ntdll.dll
CRC changed, discarding .udd data
78000000 Module C:\WINDOWS\system32\RPCRT4.dll
77F767CD System startup breakpoint
77F80889 Debug string: [5a8,10c] LDR: Real INIT LIST for process C:\WINDOWS\SYSTEM32\calc.exe pid 1448 0x5a8
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\msvcrt.dll init routine 77C1E94F
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\USER32.dll init routine 77D539F9
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\RPCRT4.dll init routine 78001E0F
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\ADVAPI32.dll init routine 77DD1D3D
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\SHLWAPI.dll init routine 70A78386
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\SHELL32.dll init routine 773FB164
77F80889 Debug string: [5a8,10c] LDR: msvcrt.dll loaded
77F80889 Debug string: - Calling init routine at 77C1E94F <--------------
77F80889 Debug string: - Calling init routine at 77D539F9<---------------
77F80889 Debug string: - Calling init routine at 77DD1D3D<-------------
77F80889 Debug string: - Calling init routine at 70A78386 <-----------------
77F80889 Debug string: - Calling init routine at 773FB164 <--------------
77F80889 Debug string: [5a8,10c] LDR: Real INIT LIST for process C:\WINDOWS\SYSTEM32\calc.exe pid 1448 0x5a8
77F80889 Debug string: [5a8,10c] C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll init routine 7195EDD8
77F80889 Debug string: - Calling init routine at 7195EDD8 <-------------
77F80889 Debug string: LDR: LdrLoadDll, loading psapi.dll from C:\WINDOWS\SYSTEM32;C:\WINDOWS\System32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
77F80889 Debug string: LDR: Loading (DYNAMIC, NON_REDIRECTED) C:\WINDOWS\SYSTEM32\psapi.dll
71950000 Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
77F80889 Debug string: - Calling init routine at 76BF10C8 <------------
77F80889 Debug string: LDR: Refcount CRYPT32.dll (1)
77F80889 Debug string: LDR: Refcount MSASN1.dll (1)
77F80889 Debug string: LDR: Refcount OLEAUT32.dll (1)
77F80889 Debug string: LDR: Refcount OLE32.DLL (1)
77F80889 Debug string: [5a8,10c] LDR: Real INIT LIST for process C:\WINDOWS\SYSTEM32\calc.exe pid 1448 0x5a8
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\MSASN1.dll init routine 762A105C
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\CRYPT32.dll init routine 762C15B5
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\OLE32.DLL init routine 771C0873
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\OLEAUT32.dll init routine 77125541
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\wininet.dll init routine 76201763
77F80889 Debug string: [5a8,10c] LDR: MSASN1.dll loaded
77F80889 Debug string: - Calling init routine at 762A105C <---------
77F80889 Debug string: [5a8,10c] LDR: CRYPT32.dll loaded
77F80889 Debug string: - Calling init routine at 762C15B5 <------------
77F80889 Debug string: [5a8,10c] LDR: Recursive DLL load
77F80889 Debug string: [5a8,10c] Previous DLL being loaded: "advapi32.dl"
77F80889 Debug string: [5a8,10c] DLL being requested: "advapi32.dll"
77F80889 Debug string: [5a8,10c] DLL whose initializer was currently running: "C:\WINDOWS\system32\CRYPT32.dll"
77F80889 Debug string: [5a8,10c] LDR: Recursive DLL load
77F80889 Debug string: [5a8,10c] Previous DLL being loaded: "kernel32.dl"
77F80889 Debug string: [5a8,10c] DLL being requested: "kernel32.dll"
77F80889 Debug string: [5a8,10c] DLL whose initializer was currently running: "C:\WINDOWS\system32\CRYPT32.dll"
77F80889 Debug string: [5a8,10c] LDR: wininet.dll loaded
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: - Calling init routine at 76201763 <--------
77F80889 Debug string: [5a8,10c] LDR: WS2HELP.dll loaded
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: - Calling init routine at 71AA1226 <----------
77F80889 Debug string: [5a8,10c] LDR: ws2_32.dll loaded
77F510A7 Conditional breakpoint at ntdll.RtlRaiseException
77F80889 Debug string: - Calling init routine at 71AB16C6 <------------
01012475 Program entry point
The arrow-marked entries show where OllyDbg broke.
Here is another sample with "Break on new module" enabled (Options -> Debugging options -> Events):
Log data
Address Message
77F80889 Debug string: - Calling init routine at 77D539F9
77F80889 Debug string: [2c0,2d0] LDR: RPCRT4.dll loaded
77F80889 Debug string: - Calling init routine at 78001E0F
77F80889 Debug string: [2c0,2d0] LDR: ADVAPI32.dll loaded
77F80889 Debug string: - Calling init routine at 77DD1D3D
77F80889 Debug string: [2c0,2d0] LDR: SHLWAPI.dll loaded
77F80889 Debug string: - Calling init routine at 70A78386
77F80889 Debug string: [2c0,2d0] LDR: SHELL32.dll loaded
77F80889 Debug string: - Calling init routine at 773FB164
Break on new module(s) <--- first dynamic load break via DebugHelpApis thats trapped by debugger
77F80889 Debug string: [2c0,2d0] LDR: comctl32.dll loaded
77F80889 Debug string: - Calling init routine at 7195EDD8
Break on new module(s)
77F80889 Debug string: [2c0,2d0] LDR: Real INIT LIST for process C:\WINDOWS\SYSTEM32\calc.exe pid 704 0x2c0
77F80889 Debug string: [2c0,2d0] C:\WINDOWS\SYSTEM32\psapi.dll init routine 76BF10C8
77F80889 Debug string: [2c0,2d0] LDR: psapi.dll loaded
76BF0000 Module C:\WINDOWS\SYSTEM32\psapi.dll
Break on new module(s)
76200000 Module C:\WINDOWS\system32\wininet.dll
Break on new module(s)
762C0000 Module C:\WINDOWS\system32\CRYPT32.dll
Break on new module(s)
762A0000 Module C:\WINDOWS\system32\MSASN1.dll
Break on new module(s)
Break on new module(s)
77F80889 Debug string: [2c0,2d0] LDR: Real INIT LIST for process C:\WINDOWS\SYSTEM32\calc.exe pid 704 0x2c0
77F80889 Debug string: [2c0,2d0] C:\WINDOWS\system32\MSASN1.dll init routine 762A105C
77F80889 Debug string: [2c0,2d0] C:\WINDOWS\system32\CRYPT32.dll init routine 762C15B5
77F80889 Debug string: [2c0,2d0] C:\WINDOWS\system32\OLE32.DLL init routine 771C0873
77F80889 Debug string: [2c0,2d0] C:\WINDOWS\system32\OLEAUT32.dll init routine 77125541
77F80889 Debug string: [2c0,2d0] C:\WINDOWS\system32\wininet.dll init routine 76201763
77F80889 Debug string: [2c0,2d0] LDR: MSASN1.dll loaded
77F80889 Debug string: - Calling init routine at 762A105C
77F80889 Debug string: [2c0,2d0] LDR: CRYPT32.dll loaded
77F80889 Debug string: - Calling init routine at 762C15B5
77F80889 Debug string: [2c0,2d0] LDR: OLE32.DLL loaded
77F80889 Debug string: - Calling init routine at 771C0873
77F80889 Debug string: [2c0,2d0] LDR: OLEAUT32.dll loaded
77F80889 Debug string: - Calling init routine at 77125541
77F80889 Debug string: [2c0,2d0] LDR: wininet.dll loaded
77F80889 Debug string: - Calling init routine at 76201763
771B0000 Module C:\WINDOWS\system32\OLE32.DLL
Break on new module(s)
71AB0000 Module C:\WINDOWS\SYSTEM32\ws2_32.dll
Break on new module(s)
77F80889 Debug string: [2c0,2d0] LDR: Real INIT LIST for process C:\WINDOWS\SYSTEM32\calc.exe pid 704 0x2c0
77F80889 Debug string: [2c0,2d0] C:\WINDOWS\SYSTEM32\WS2HELP.dll init routine 71AA1226
77F80889 Debug string: [2c0,2d0] C:\WINDOWS\SYSTEM32\ws2_32.dll init routine 71AB16C6
77F80889 Debug string: [2c0,2d0] LDR: WS2HELP.dll loaded
77F80889 Debug string: - Calling init routine at 71AA1226
77F80889 Debug string: [2c0,2d0] LDR: ws2_32.dll loaded
77F80889 Debug string: - Calling init routine at 71AB16C6
77F80889 Debug string: LDR: Loading (DYNAMIC, NON_REDIRECTED) C:\WINDOWS\SYSTEM32\wsock32.dll
71AA0000 Module C:\WINDOWS\SYSTEM32\WS2HELP.dll
Break on new module(s)
01012475 Program entry point
As you can see, some init calls by DLLs that are imported DLLs are kind of missed by DebugHelpApis.
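An added example, not the plugin's code nor anyone's from this thread: it parses log lines of the shape shown above (the "Module" lines, the snap "init routine" lines, the "Calling init routine at" lines and the "Recursive DLL load" blocks) into a timeline, so you can see at a glance which DllMains ran before the entry point, which "Calling init routine" addresses were never announced by a snap line, and which module the system startup breakpoint actually landed in. The module lookup uses the nearest lower base, an assumption made because the log prints no module sizes.

```python
"""Turn OllyDbg loader-snap output into a DLL-initialisation timeline.

Added example for this thread; not the plugin's code nor any poster's.
It assumes the line shapes in the posted logs, and attributes an address to
the module with the nearest lower base because the log prints no sizes.
"""
import re

MODULE_RE = re.compile(r'^([0-9A-F]{8}) Module (.+?)\s*$')
INIT_DECL_RE = re.compile(r'\] (.+?) init routine ([0-9A-F]{8})\s*$')
INIT_CALL_RE = re.compile(r'Calling init routine at ([0-9A-F]{8})')
LOADED_RE = re.compile(r'LDR: (\S+) loaded\s*$')
REQUESTED_RE = re.compile(r'DLL being requested: "([^"]+)"')
RUNNING_RE = re.compile(r'initializer was currently running: "([^"]+)"')

# Constructed excerpt modelled on the calc.exe log posted above (abridged; one
# init routine that was never announced by a snap line is added on purpose).
SAMPLE_LOG = r"""01000000 Module C:\WINDOWS\SYSTEM32\calc.exe
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
77D40000 Module C:\WINDOWS\system32\USER32.dll
77F50000 Module C:\WINDOWS\System32\ntdll.dll
77F767CD System startup breakpoint
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\msvcrt.dll init routine 77C1E94F
77F80889 Debug string: [5a8,10c] C:\WINDOWS\system32\USER32.dll init routine 77D539F9
77F80889 Debug string: [5a8,10c] LDR: msvcrt.dll loaded
77F80889 Debug string: - Calling init routine at 77C1E94F
77F80889 Debug string: - Calling init routine at 77D539F9
77F80889 Debug string: - Calling init routine at 76BF10C8
77F80889 Debug string: [5a8,10c] LDR: Recursive DLL load
77F80889 Debug string: [5a8,10c] DLL being requested: "kernel32.dll"
77F80889 Debug string: [5a8,10c] DLL whose initializer was currently running: "C:\WINDOWS\system32\CRYPT32.dll"
01012475 Program entry point
"""

def basename(path):
    # The log carries Windows paths, so split on the backslash by hand.
    return path.rsplit('\\', 1)[-1]

def module_for(addr, modules):
    """Owner of addr by nearest lower base (no sizes in the log: assumption)."""
    bases = [b for b in modules if b <= addr]
    return basename(modules[max(bases)]) if bases else None

def parse_loader_log(text):
    """Return (modules, init_routines, events) from OllyDbg log text."""
    modules, init_routines, events, pending = {}, {}, [], None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:                                   # image mapped into the process
            base = int(m.group(1), 16)
            modules[base] = m.group(2)
            events.append(('mapped', basename(m.group(2)), base))
            continue
        m = INIT_DECL_RE.search(line)
        if m:                                   # snap line: DLL -> its init routine
            init_routines[int(m.group(2), 16)] = m.group(1)
            continue
        m = INIT_CALL_RE.search(line)
        if m:                                   # loader about to call a DllMain
            addr = int(m.group(1), 16)
            path = init_routines.get(addr)
            events.append(('dllmain', basename(path) if path else None, addr))
            continue
        m = LOADED_RE.search(line)
        if m:
            events.append(('loaded', m.group(1), None))
            continue
        m = REQUESTED_RE.search(line)
        if m:                                   # first half of "Recursive DLL load"
            pending = basename(m.group(1))
            continue
        m = RUNNING_RE.search(line)
        if m and pending:                       # second half: whose DllMain caused it
            events.append(('recursive', pending, basename(m.group(1))))
            pending = None
        elif 'System startup breakpoint' in line:
            events.append(('startup_bp', None, int(line[:8], 16)))
        elif 'Program entry point' in line:
            events.append(('entry_point', None, int(line[:8], 16)))
    return modules, init_routines, events

def summarize(text):
    """Which DllMains ran before the entry point, and where the startup break landed."""
    modules, _, events = parse_loader_log(text)
    entry = next((i for i, e in enumerate(events) if e[0] == 'entry_point'), len(events))
    before = events[:entry]
    bp_idx = next((i for i, e in enumerate(before) if e[0] == 'startup_bp'), len(before))
    startup = before[bp_idx][2] if bp_idx < len(before) else None
    return {
        'dllmain_order': [e[1] or '<unknown %08X>' % e[2] for e in before if e[0] == 'dllmain'],
        'dllmains_before_startup_bp': sum(1 for e in before[:bp_idx] if e[0] == 'dllmain'),
        'recursive_loads': [(e[1], e[2]) for e in before if e[0] == 'recursive'],
        'startup_bp_module': module_for(startup, modules) if startup is not None else None,
    }
```

Run `summarize(SAMPLE_LOG)` to see the order; a startup breakpoint that resolves to anything other than ntdll.dll is the kind of oddity worth a second look.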
|
Definitely cool. I'll have to give that a spin -- nice find!
|
The plugin works great for some breaking... but for what I'm looking for, it's still missing.
Log data
Address Message
File 'C:\Program Files\Internet Explorer\IEXPLORE.EXE'
New process with ID 000009A0 created
00402451 Main thread with ID 00000EA8 created
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C809E3A Access violation when reading [00040000]
7C809E3A Access violation when reading [00040000]
7C809E3A Access violation when reading [00040000]
7C809E3A Access violation when reading [00040000]
7C809E3A Access violation when reading [00040000]
7C809E3A Access violation when reading [00040000]
7C809E3A Access violation when reading [00040000]
7C809E3A Access violation when reading [00040000]
7C809E3A Access violation when reading [003C0000]
7C809E3A Access violation when reading [00E00000]
7C809E3A Access violation when reading [7C9B0000]
7C809E3A Access violation when reading [7F7F0000]
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
7C810659 New thread with ID 00000748 created
7C812A5B Debug string: MyText
7C812A5B Debug string: MyText
00400000 Module C:\Program Files\Internet Explorer\IEXPLORE.EXE
CRC changed, discarding .udd data
20000000 Module c:\MyDLL.dll
CRC changed, discarding .udd data
Debugging information (DIA format) available
41000000 Module C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
48000000 Module C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
5D090000 Module C:\WINXP\system32\comctl32.dll
62000000 Module C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopResources_en.dll
71A50000 Module C:\WINXP\system32\mswsock.dll
71AA0000 Module C:\WINXP\system32\WS2HELP.dll
71AB0000 Module C:\WINXP\system32\WS2_32.dll
77120000 Module C:\WINXP\system32\OLEAUT32.dll
771B0000 Module C:\WINXP\system32\WININET.dll
773D0000 Module C:\WINXP\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
774E0000 Module C:\WINXP\system32\ole32.dll
77A80000 Module C:\WINXP\system32\CRYPT32.dll
77B20000 Module C:\WINXP\system32\MSASN1.dll
77C00000 Module C:\WINXP\system32\VERSION.dll
77C10000 Module C:\WINXP\system32\msvcrt.dll
77D40000 Module C:\WINXP\system32\USER32.dll
77DD0000 Module C:\WINXP\system32\ADVAPI32.dll
77E70000 Module C:\WINXP\system32\RPCRT4.dll
77F10000 Module C:\WINXP\system32\GDI32.dll
77F60000 Module C:\WINXP\system32\SHLWAPI.dll
7C800000 Module C:\WINXP\system32\kernel32.dll
7C900000 Module C:\WINXP\system32\ntdll.dll
7C9C0000 Module C:\WINXP\system32\SHELL32.dll
7E1E0000 Module C:\WINXP\system32\urlmon.dll
2010349F System startup breakpoint
I break during a few of my access violations during startup; however, the next breakpoint I hit is the System startup breakpoint. I REALLY want to break when GoogleDesktopIE.dll is loaded. Any other suggestions for breaking on it? I really wish the "Break on Module Load" option in OllyDbg worked in this case.
|
[quote]
41000000 Module C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
[/quote]
That line doesn't mean anything; it is just a debug string spat out before the system calls the MapSection APIs.
At that point the DLL is being mapped into the process by the loader.
As far as I know you can't break at that point in a ring 3 debugger (not sure whether you can step through all this in a ring 0 debugger either; step as in stepping through every single execution. As far as I am aware, WinDbg aka kd can't single-step cleanly through the transition mechanism, that is through sysenter and back).
The plugin does its work only after the system start breakpoint is hit.
If you hit F9 after the system start breakpoint I'm sure you can stop in googlewhatever's DllMain, if it had one.
"Break on module" provided by the Debug APIs (leave OllyDbg aside, even if you code your own l33t debugger), like I said, breaks far far down in the chain (the notification from the system itself is at a later stage).
Well, all of this is my observation; not sure if I'm absolutely right or wrong.
|
Here is where it would stop on Google Toolbar:
7C946E68 Debug string: LDR: LdrLoadDll, loading c:\program files\google\googletoolbar1.dll from c:\program files\google;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI
7C946E68 Debug string: LDR: Loading (DYNAMIC, NON_REDIRECTED) c:\program files\google\googletoolbar1.dll
769C0000 Module C:\WINDOWS\system32\USERENV.dll
7C946E68 Debug string: LDR: KERNEL32.dll used by googletoolbar1.dll
7C946E68 Debug string: LDR: Snapping imports for googletoolbar1.dll from KERNEL32.dll
7C946E68 Debug string: LDR: USER32.dll used by googletoolbar1.dll
7C946E68 Debug string: LDR: Snapping imports for googletoolbar1.dll from USER32.dll
7C946E68 Debug string: LDR: msi.dll used by googletoolbar1.dll
7C946E68 Debug string: LDR: Loading (STATIC, NON_REDIRECTED) C:\WINDOWS\system32\msi.dll
10000000 Module c:\program files\google\googletoolbar1.dll
7C946E68 Debug string: LDR: WINMM.dll used by googletoolbar1.dll
7C946E68 Debug string: LDR: Loading (STATIC, NON_REDIRECTED) C:\WINDOWS\system32\WINMM.dll
745E0000 Module C:\WINDOWS\system32\msi.dll
7C946E68 Debug string: LDR: WSOCK32.dll used by googletoolbar1.dll
7C946E68 Debug string: LDR: Loading (STATIC, NON_REDIRECTED) C:\WINDOWS\system32\WSOCK32.dll
76B40000 Module C:\WINDOWS\system32\WINMM.dll
7C946E68 Debug string: LDR: WSOCK32.dll bound to WS2_32.dll
7C946E68 Debug string: LDR: Loading (STATIC, NON_REDIRECTED) C:\WINDOWS\system32\WS2_32.dll
71AD0000 Module C:\WINDOWS\system32\WSOCK32.dll
7C946E68 Debug string: LDR: IMM32.dll used by googletoolbar1.dll
7C946E68 Debug string: LDR: Loading (STATIC, NON_REDIRECTED) C:\WINDOWS\system32\IMM32.dll
71AA0000 Module C:\WINDOWS\system32\WS2HELP.dll
7C946E68 Debug string: LDR: MSIMG32.dll used by googletoolbar1.dll
7C946E68 Debug string: LDR: Loading (STATIC, NON_REDIRECTED) C:\WINDOWS\system32\MSIMG32.dll
7C946E68 Debug string: [170,174] LDR: Real INIT LIST for process C:\Program Files\Internet Explorer\IEXPLORE.EXE pid 368 0x170
7C946E68 Debug string: [170,174] C:\WINDOWS\system32\msi.dll init routine 745E3065
7C946E68 Debug string: [170,174] C:\WINDOWS\system32\WINMM.dll init routine 76B42B69
7C946E68 Debug string: [170,174] C:\WINDOWS\system32\WS2HELP.dll init routine 71AA1642
7C946E68 Debug string: [170,174] C:\WINDOWS\system32\WS2_32.dll init routine 71AB1273
7C946E68 Debug string: [170,174] C:\WINDOWS\system32\WSOCK32.dll init routine 71AD1039
7C946E68 Debug string: [170,174] C:\WINDOWS\system32\IMM32.dll init routine 763912C0
7C946E68 Debug string: [170,174] C:\WINDOWS\system32\MSIMG32.dll init routine 7638110C
7C946E68 Debug string: [170,174] c:\program files\google\googletoolbar1.dll init routine 100C5C2C
7C946E68 Debug string: [170,174] LDR: msi.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 745E3065
7C946E68 Debug string: [170,174] LDR: WINMM.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 76B42B69
7C946E68 Debug string: [170,174] LDR: WS2HELP.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 71AA1642
7C946E68 Debug string: [170,174] LDR: WS2_32.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 71AB1273
7C946E68 Debug string: [170,174] LDR: WSOCK32.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 71AD1039
7C946E68 Debug string: [170,174] LDR: IMM32.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: [170,174] LDR: Recursive DLL load
7C946E68 Debug string: [170,174] Previous DLL being loaded: "c:\program files\google\googletoolbar1.dll"
7C946E68 Debug string: [170,174] DLL being requested: "C:\WINDOWS\system32\IMM32.DLL"
7C946E68 Debug string: [170,174] DLL whose initializer was currently running: "C:\WINDOWS\system32\IMM32.dll"
7C946E68 Debug string: LDR: LdrLoadDll, loading C:\WINDOWS\system32\IMM32.DLL from C:\Program Files\Internet Explorer;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI C
7C946E68 Debug string: [170,174] LDR: MSIMG32.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 7638110C
7C946E68 Debug string: [170,174] LDR: googletoolbar1.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 100C5C2C
I don't have this desktop search or whatever is offered by Google; I just installed Google Toolbar to check it out.
If it can stop on googletoolbar.dll then I'm almost certain that it will stop in googledesktop.dll as well.
|
Oops, third post in a row answering myself :)
Anyway, what does another dumb download of DesktopIE cost me on a sacrificial machine :)
Installed GoogleDesktop, and here is the result:
7C946E68 Debug string: LDR: LdrLoadDll, loading C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll from C:\Program Files\Internet Explorer;C:\WINDOWS\system32;C:\WINDOWS\system;C:\WINDOWS;.;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\
7C946E68 Debug string: LDR: Loading (DYNAMIC, NON_REDIRECTED) C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
7C946E68 Debug string: LDR: Loading (DYNAMIC, NON_REDIRECTED) C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
7C946E68 Debug string: LDR: GoogleDesktopIE.dll bound to ole32.dll
7C946E68 Debug string: LDR: GoogleDesktopIE.dll has correct binding to ole32.dll
7C946E68 Debug string: LDR: GoogleDesktopIE.dll bound to OLEAUT32.dll
7C946E68 Debug string: LDR: GoogleDesktopIE.dll has correct binding to OLEAUT32.dll
7C946E68 Debug string: LDR: GoogleDesktopIE.dll bound to ADVAPI32.dll
7C946E68 Debug string: LDR: GoogleDesktopIE.dll has correct binding to ADVAPI32.dll
7C946E68 Debug string: LDR: GoogleDesktopIE.dll bound to WININET.dll
7C946E68 Debug string: LDR: GoogleDesktopIE.dll has correct binding to WININET.dll
7C946E68 Debug string: LDR: GoogleDesktopIE.dll bound to GoogleDesktopCommon.dll
7C946E68 Debug string: LDR: Loading (STATIC, NON_REDIRECTED) C:\Program Files\Google\Google Desktop Search\GoogleDesktopCommon.dll
41000000 Module C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
7C946E68 Debug string: [398,638] LDR: Real INIT LIST for process C:\Program Files\Internet Explorer\IEXPLORE.EXE pid 920 0x398
7C946E68 Debug string: [398,638] C:\Program Files\Google\Google Desktop Search\GoogleDesktopCommon.dll init routine 1001081E
7C946E68 Debug string: [398,638] C:\WINDOWS\system32\SHELL32.dll init routine 7C9E7366
7C946E68 Debug string: [398,638] C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll init routine 410118CD
7C946E68 Debug string: [398,638] LDR: GoogleDesktopIE.dll loaded
7C90EBAC Conditional breakpoint at ntdll.RtlRaiseException
7C946E68 Debug string: - Calling init routine at 410118CD
Sample disassembly of the DllMain of GoogleDesktop:
410118CD > 837C24 08 01 CMP DWORD PTR SS:[ESP+8], 1
410118D2 75 15 JNZ SHORT GoogleDe.410118E9
410118D4 E8 28FFFFFF CALL GoogleDe.41011801
410118D9 68 40700141 PUSH GoogleDe.41017040
410118DE B8 00700141 MOV EAX, GoogleDe.41017000
410118E3 E8 01FFFFFF CALL GoogleDe.410117E9
410118E8 59 POP ECX ; ntdll.7C9011A7
410118E9 56 PUSH ESI
410118EA FF7424 10 PUSH DWORD PTR SS:[ESP+10] ; GoogleDe.<ModuleEntryPoint>
410118EE FF7424 10 PUSH DWORD PTR SS:[ESP+10] ; GoogleDe.<ModuleEntryPoint>
410118F2 E8 0E29FFFF CALL GoogleDe.41004205
410118F7 837C24 0C 00 CMP DWORD PTR SS:[ESP+C], 0
410118FC 8BF0 MOV ESI, EAX
410118FE 75 05 JNZ SHORT GoogleDe.41011905
41011900 E8 39FFFFFF CALL GoogleDe.4101183E
41011905 8BC6 MOV EAX, ESI
41011907 5E POP ESI ; ntdll.7C9011A7
41011908 C2 0C00 RETN 0C
4101190B C3 RETN
4101190C - FF25 6C300141 JMP NEAR DWORD PTR DS:[<&GoogleDeskt>; Google_1.CreateFingerprint32
41011912 - FF25 70300141 JMP NEAR DWORD PTR DS:[<&GoogleDeskt>; Google_1.Url::Url
41011918 - FF25 74300141 JMP NEAR DWORD PTR DS:[<&GoogleDeskt>; Google_1.Url::~Url
4101191E - FF25 78300141 JMP NEAR DWORD PTR DS:[<&GoogleDeskt>; Google_1.Url::CrackUrl
41011924 - FF25 7C300141 JMP NEAR DWORD PTR DS:[<&GoogleDeskt>; Google_1.Url::GetScheme
4101192A - FF25 80300141 JMP NEAR DWORD PTR DS:[<&GoogleDeskt>; Google_1.Url::GetUrlPath
41011930 - FF25 84300141 JMP NEAR DWORD PTR DS:[<&GoogleDeskt>; Google_1.InetGetSimpleNoResponse
Here is a simple call stack while it still hasn't returned to the system:
Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0013F260 410117F6 Includes GoogleDe.41012425 GoogleDe.410117F4 0013F28C
0013F268 410118E8 GoogleDe.410117E9 GoogleDe.410118E3 0013F28C
0013F270 7C9011A7 Includes GoogleDe.410118E8 ntdll.7C9011A4 0013F28C
0013F290 7C91CBAB ? ntdll.7C901193 ntdll.7C91CBA6 0013F28C
0013F398 7C916178 ? ntdll.7C91C9E4 ntdll.7C916173 0013F394
0013F644 7C9162DA ? ntdll.7C916329 ntdll.7C9162D5 0013F640
0013F8EC 7C801BB9 ? <JMP.&ntdll.LdrLoadDll> kernel32.7C801BB4 0013F8E8
0013F954 7C80ACE4 ? kernel32.LoadLibraryExW kernel32.7C80ACDF 0013F950
0013F958 0015CEE0 FileName = "C:\Program Files\Google\Google Desk
0013F95C 00000000 hFile = NULL
0013F960 00000000 Flags = 0
0013F968 48001285 ? kernel32.LoadLibraryW GOEC62~1.4800127F 0013F964
0013F96C 0015CEE0 FileName = "C:\Program Files\Google\Google Desk
0013F984 7C8341CC Includes GOEC62~1.48001285 kernel32.7C8341C9 0013F980
Have fun.
|
First, let me say I appreciate your help... and can only return the favor with some more analysis. :) I am not interested in how GoogleDesktop.exe works so much as in what the DLL being injected into every process ( GoogleDesktopNetwork3.dll, via the Appinit_Dlls registry entry ) is doing. Specifically because my dll is being loaded extremely early and is forcing GoogleDesktopIE.dll to stack overflow.
The following code is without my dll involved:
41009605 push ebp
41009606 mov ebp,esp
41009608 push esi
41009609 mov esi,dword ptr ds:[4101F5A8h] ; [4101F5A8] => 7E1F0F2A
4100960F push edi
41009610 mov edi,dword ptr [ebp+10h]
41009613 mov eax,4101F5A8h
41009618 call 410094FC
4100961D push dword ptr [ebp+1Ch]
41009620 push dword ptr [ebp+18h]
41009623 push dword ptr [ebp+14h]
41009626 push edi
41009627 push dword ptr [ebp+0Ch]
4100962A push dword ptr [ebp+8]
4100962D call esi ; urlmon.dll!CINet::Start()
However.. when I'm involved:
41009605 push ebp
41009606 mov ebp,esp
41009608 push esi
41009609 mov esi,dword ptr ds:[4101F5A8h] ; [4101F5A8] => 41009605
4100960F push edi
41009610 mov edi,dword ptr [ebp+10h]
41009613 mov eax,4101F5A8h ; eax => pointer to address to call at 4100962D
41009618 call 410094FC ; esi unaffected
4100961D push dword ptr [ebp+1Ch]
41009620 push dword ptr [ebp+18h]
41009623 push dword ptr [ebp+14h]
41009626 push edi
41009627 push dword ptr [ebp+0Ch]
4100962A push dword ptr [ebp+8]
4100962D call esi ; esi => 41009605
call esi invokes the recursive call to itself, which blows up the stack. [4101F5A8] ( which is what ESI from CALL ESI is being assigned ) is getting its value from 7E1EDB5C ( some kind of table in urlmon? ).
urlmon.dll when my dll is not involved:
7E1EDB50 E3 11 1F 7E 4D 12 1F 7E
7E1EDB58 90 14 1F 7E 2A 0F 1F 7E
7E1EDB60 22 CA 1F 7E 39 3D 21 7E
7E1EDB68 46 B9 1F 7E 62 3D 21 7E
7E1EDB70 7E 3D 21 7E DA C9 1F 7E
7E1EDB78 B8 3D 21 7E 40 3F 1F 7E
When my dll is involved, notice 7E1EDB5C:
7E1EDB50 E3 11 1F 7E 4D 12 1F 7E
7E1EDB58 90 14 1F 7E 05 96 00 41
7E1EDB60 22 CA 1F 7E 39 3D 21 7E
7E1EDB68 46 B9 1F 7E 62 3D 21 7E
7E1EDB70 7E 3D 21 7E DA C9 1F 7E
7E1EDB78 B8 3D 21 7E 40 3F 1F 7E
The reason I originally asked how I can break on DLLs being loaded is that at the point at which I hit the System startup breakpoint, 7E1EDB5C has already been overwritten. I believe that GD is hooking a function call ( urlmon!DllGetClassObject? ). It seems like they try and hook four different calls, then revert the hooks on the way out, within this function:
41009240 /$ 56 PUSH ESI
41009241 |. BE A8F50141 MOV ESI,GoogleDe.4101F5A8
41009246 >|. E8 26FFFFFF CALL <GoogleDe.PatchRoutine>
4100924B |. BE B0F50141 MOV ESI,GoogleDe.4101F5B0
41009250 |. E8 1CFFFFFF CALL <GoogleDe.PatchRoutine>
41009255 |. BE B8F50141 MOV ESI,GoogleDe.4101F5B8
4100925A |. E8 12FFFFFF CALL <GoogleDe.PatchRoutine>
4100925F |. BE C0F50141 MOV ESI,GoogleDe.4101F5C0
41009264 |. E8 08FFFFFF CALL <GoogleDe.PatchRoutine>
41009269 |. 33C0 XOR EAX,EAX
4100926B |. 5E POP ESI
4100926C \. C3 RETN
410xxxxx is GoogleDesktopIE.dll
Anyways.. I'd love to find out when 7E1EDB5C is being changed. Hardware/software breakpoints aren't catching it. I believe it's happening when one of GD's DLLs is being brought into memory ( Appinit_Dlls brings GoogleDesktopNetwork3.dll, which brings in GoogleDesktopIE.dll, which I believe does the overwrite ). Any suggestions? ( I apologize ahead of time for not being able to distribute my dll which is invoking this awkward behavior. )
|
Well, I don't get you.
You mean GoogleDesktop patches the address even before it got loaded? Or you mean Google Desktop uses an address that's invalid to start with and patches it wrongly again?
Anyway, the only thing I noticed that was somewhat off in your first output was
2010349F System startup breakpoint
The address doesn't seem to be in the high address range where ntdll resides.
The reported address probably resides in your MyDLL.
I haven't got so much expertise to subvert the system breakpoint to my own DLL,
so unless I'm playing with it physically, all I can offer is guesses.
Also, it seems you edited your output.
Don't you get a break on your DLL's init routine?
Can't you check if the address is intact at that point?
How are you injecting your DLL?
Via the AppInit key?
Loaded very early, you mean even before ntdll/kernel32/user32/etc. are loaded?
I've never seen AppInit DLLs being loaded into a process earlier than ntdll.
For example, if you load Piotr Bania's efilter via the AppInit key
you can stop and examine its code:
Log data, item 3
Address=77F80889
Message=Debug string: [1c8,6b8] C:\efilter.dll init routine 100014E0
Does your DLL have relocations? If it didn't, is it loading at its preferred image base?
There could be problems if that is not the case, and you will have weird results.
|
I am observing this behavior when launching iexplore.exe. When my dll is not involved, GoogleDesktop isn't in memory when I hit the System startup breakpoint. When my dll IS involved, GoogleDesktop is being brought into memory and patching... all before System startup breakpoint.
Give me a few minutes and I'll reply with answers to the rest of your questions.
|
I wasn't the engineer that coded the injection routines, but I'm looking into it now. It's not via appinit_dlls. When launching iexplore.exe, mydll happens to throw a couple of access violations, which give me a chance to look at what OllyDbg is displaying for its memory map. The memory map shows no section names loaded. The System startup breakpoint has not hit yet. And mydll is doing its work ( as shown by a very active call stack ). I think mydll is forcing other DLLs to be loaded earlier than they normally would ( at least before the System startup breakpoint has occurred ), which may be throwing them off ( namely GoogleDesktop's DLLs ).
I'll post more information when it's available to me.
|
Well, maybe you could also switch on "break on TLS init callbacks" and see if something is happening in there.
The normal flow is:
call TLS callbacks in DLLs
call DllInit routines in DLLs
call TLS callbacks in the exe
then the program entry point of the exe in question.
The access violations that show up are reading access violations, and the address that's pointed to by them normally isn't much used, as far as I've seen.
0x20000 is the RTL_PROCESS_PARAMETERS page [fs:[18]+0x30] + 10]
The stack normally would be at a higher address,
around 60000 and above:
Memory map, item 3
Address=00110000
Size=00020000 (131072.)
Owner= 00030000
Section=
Contains=stack of main thread
Type=Priv 00021104
Access=RW Guarded
Initial access=RW
|
btw, some programs hide certain dlls in the NTFS streams,
try this one for example: http://nezumi.org.ru/souriz/zx-crackme.rar
pretty good trick, isn't it?
IDA Pro has an integrated debugger, and this debugger has
the "Stop on library load/unload" option in the configuration menu.
well, IDA can't insert a breakpoint into DllMain automatically,
but we can do it manually: just load dll into IDA Pro,
determine address of the _real_ DllMain (not the DllEntryPoint with library start-up code)
and ask IDA Pro debugger to add new breakpoint.
this method works well and helps to concentrate only on the really interesting dlls,
skipping the standard ones (like KERNEL32.DLL).
|