OpenRCE: Blog

Unpinning Importet dll's

Tue, 13 Jan 2009 13:19:35 -0600

HI.

ever wantet to unload a .dll from memory which was importet via the Import Table ? no , well i have , and turns out that windows prevents you from doing this , for security obiviously , as it would be pretty bad to unload a .dll by accident youd later need :) , but none the less i did some research and found out its more then possible if you preform a little magic , so here are the steps described which are required to do this.

1) Unpinning dll's

when windows Loads a .dll into your process space , the .dll is added to the PEB to be more exact in the PEB->LoaderData this Double linked list contains all the Modules Loaded into our image space , lets take a look what it looks like.

typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
}
PEB_LDR_DATA, *PPEB_LDR_DATA;

now you see it contains multiple things , for this article the only ones we are interestet in are the 3 LIST_ENTRY's , these 3 are pointers to double linked lists , each entry in the double linked lists contains 1

typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress; PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount; SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE

now all this , is various info about our .dll , but lets go back to when Windows Loads a .dll , Everytime you call LoadLibraryA("mydll.dll") windows will add a entry ( if it doesent excist already) and increase the LoadCount by 1 , now what happens when it loads a .dll via our ImportTable ?

well more or less the same except it sets LoadCount to -1 , which means the .dll is pinned , and if this is the case windows will refuse to unload the .dll from memory.

So how do we change this ? well take a look at this code:

bool Mem_Manager::UnPinnAlldlls() {
OutputDebugStringA("UnPinning All Dll's");
DWORD PebAddr = 0;
__asm
{
mov eax,DWORD PTR FS:[0x18]
mov eax,DWORD PTR DS:[eax+0x30]
mov PebAddr,eax
}
PPEB Peb = (PPEB)PebAddr;
_LDR_MODULE *peb_ldr_module;
peb_ldr_module = (_LDR_MODULE*)Peb->Ldr->InLoadOrderModuleList.Flink;
// Go through each modules one by one in their load order. DWORD First = 0; while((DWORD)peb_ldr_module != First)
{
if(First == 0)
{
First = (DWORD)peb_ldr_module;
}
peb_ldr_module->LoadCount = 1;
peb_ldr_module = (_LDR_MODULE*)peb_ldr_module->InLoadOrderModuleList.Flink;
}

return true;
}

what happens is:
1. Gets Addr of PEB via __asm{} block
2. Access PEB->PEB_LDR_DATA
3. Get First Loaded Module via : Peb->Ldr->InLoadOrderModuleList.Flink
4. Log Address of First Entry ( as its a Recursive Double linked list , so we stop once we been all the way round)
5. Set RefCount of LoadedModule to 1 , so we can unload it with FreeLibrary
6. Get Next LoadedModule Via: peb_ldr_module->InLoadOrderModuleList.Flink

so once , these steps have been preformed , you can unload any .dll with a simpel call to FreeLibrary("dllName.dll") and it will be free'd from memory

hope somebody finds this usefull , else oh well :)

My Little packer :)

Wed, 06 Feb 2008 17:17:06 -0600

ive decided to finaly get Startet on Coding my own Protection for binaries , im starting small ..and so far i made a SectionAdder which moves the PE to my own Section , updates MZ , Changes EP and writes a JMP OEP @ new EP ... gonna add some simpel Xor encryption and a Loader soon :) heres a first picture for fun ... im a little proud for some odd reason :P hehe

http://img340.imageshack.us/my.php?image=pwnz0rco7.jpg

Asm To C++ Array Converter

Thu, 10 Jan 2008 15:02:34 -0600

this is a small tool ive written to Convert Large Amounts of ASM into a c++ Comptatible Array .. i found myself doing it allot ..when i was writing test data for Decompiled Functions .. its not very hard todo yourself..but mibi some can use this and save himself the trouble .. atm it supports Olly Bytes and IDA Bytes ..theres examples and sources in the package :) i found usefull .. enjoy

http://www.openrce.org/repositories/users/Soul12/ASM%20to%20C%20Array%20Converter.v.0.2%20Final.rar

Immunity Plugin: Asm -> pseudo C

Fri, 17 Aug 2007 08:52:29 -0500

not much novelty in this :) but i made it it supports simpel commands and make some simpel analyses of cmp's and makes the apropriate IF sentence depending the the jmp below it
it also tries to find the number of args for function calls
and orther stuff
anyways here it is:

http://rapidshare.com/files/49550424/ImmunityC.rar.html

hope somebody finds it usefull :) its my first publishing of anything aswell ;)

Ranting

Sun, 29 Apr 2007 15:56:44 -0500

Here zipping some wine after a long weekend :) dident get much RE done ..but long boring story .. just figured id start blogging like everybody else ..and say hello to everybody here those who know me and those who dont .. gonna spend a lovely da y tomorow in school learning about the amazing language "php" my teacher spendt 3 hours last time just setting it up ;) wish me luck so i do not die of boredom