
Generating any DLL for PEB Hooking or replacing in disk, binary form
Dec 16 2009, 00:19 (UTC+0)
Dreg writes: Important: This post is only for rootkit.com

Introduction:
============
This post is about generating the fake DLL, in binary form, directly from the real DLL. In the past, to do PEB hooking (or to replace a DLL on disk) it was necessary to generate a .c and .h template from the real DLL and then compile it. That method has to be repeated for each Service Pack and each Windows version; in a few words, you needed a repository of fake DLLs (for SP1, SP2, ...) for every DLL. I solved this problem with a tool called dwtf, published yesterday at Rootkitanalytics.com [R.0]. The tool exports all symbols of real.dll and imports all exports of real.dll, then creates a code area with one JMP DWORD [ADDRESS] per export. Afterwards you can add or remove payloads, or a whole stack of payloads, at runtime with a simple IAT hook in the fake DLL; installing a payload this way is only a 32-bit xchg of the IAT entry (a micro lock, no critical section needed). dwtf is an open source tool under the MIT License.

dwtf demo: http://www.youtube.com/watch?v=t7UXEJieliM

Note: the errors shown in OllyDbg are bugs in the debugger, triggered when you do PEB hooking.

PEB Hooking in two words:
========================
Years ago Deroko wrote "PEB DLL Hooking: Novel method to Hook DLLs" for ARTeam [R.2]. Later, Shearer and I wrote an article for Phrack 65 called "phook - The PEB Hooker" [R.1]. I recommend reading both articles [R.1] [R.2] to understand this post.

The two words you need to know:

The Process Environment Block (PEB) is a structure located in the process's user-mode address space that holds the process environment data: environment variables, the list of loaded modules, and so on.

typedef struct _PEB
{
...
PVOID ImageBaseAddress;
PPEB_LDR_DATA LoaderData;
...
} PEB, *PPEB;

For PEB hooking we use the LoaderData field (Ldr in the public headers). It points to a structure holding data about the modules of the process: the modules are kept in three doubly linked lists, sorted by load order, by memory order and by initialization order. Each Flink/Blink in those LIST_ENTRY fields points to the LIST_ENTRY embedded in an LDR_MODULE; for InLoadOrderModuleList that entry is the first field, so the link pointer is the LDR_MODULE itself. From LDR_MODULE we manipulate BaseAddress, EntryPoint and SizeOfImage.

We search the list for the entries of DLL_FAKE and DLL_REAL by their identifying fields of LDR_MODULE (BaseDllName / FullDllName) and, once both are found, exchange EntryPoint, BaseAddress and SizeOfImage between them. Any later lookup of the real DLL's name through the loader then resolves into the fake image.

typedef struct _PEB_LDR_DATA
{
...
BOOLEAN Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
....
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LDR_MODULE
{
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
...
} LDR_MODULE, *PLDR_MODULE;
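The swap described above, written out as an added example (my code, not phook's or dwtf's). It declares the 32-bit loader structures by hand so the file builds without <windows.h>; only peb_hook_self, compiled on 32-bit Windows, touches a live PEB. The self-check demo_base_after_swap runs the swap over a constructed three-module list (poc.exe, kernel32.dll, k32.dll with made-up bases) instead of a real process. The function names and the sample bases are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>

/* Hand-declared 32-bit layouts of the undocumented loader structures, in the field
 * order ntdll uses (on x86 Windows: PEB.Ldr at 0x0C, PEB_LDR_DATA.InLoadOrderModuleList
 * at 0x0C, LDR_MODULE.BaseAddress at 0x18). Declared here so the file builds without
 * <windows.h>; only the #ifdef'd helper below touches a live PEB. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
typedef struct {
    LIST_ENTRY InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
    void *BaseAddress, *EntryPoint;
    uint32_t SizeOfImage;
    UNICODE_STRING FullDllName, BaseDllName;
    uint32_t Flags;
} LDR_MODULE;
typedef struct { uint32_t Length; uint8_t Initialized, pad[3]; void *SsHandle;
                 LIST_ENTRY InLoadOrderModuleList; } PEB_LDR_DATA;
typedef struct { uint8_t InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField;
                 void *Mutant, *ImageBaseAddress; PEB_LDR_DATA *Ldr; } PEB;

/* Case-insensitive compare of a counted UNICODE_STRING with a NUL-terminated name;
 * ASCII folding is enough for DLL file names. */
static int name_eq(const UNICODE_STRING *s, const wchar_t *name) {
    size_t n = s->Length / sizeof(wchar_t);
    if (wcslen(name) != n) return 0;
    for (size_t i = 0; i < n; i++) {
        wchar_t a = s->Buffer[i], b = name[i];
        if (a >= L'A' && a <= L'Z') a += L'a' - L'A';
        if (b >= L'A' && b <= L'Z') b += L'a' - L'A';
        if (a != b) return 0;
    }
    return 1;
}

/* Walk InLoadOrderModuleList for the entry whose BaseDllName matches. That LIST_ENTRY
 * is the first field of LDR_MODULE, so each link pointer is the LDR_MODULE itself. */
LDR_MODULE *find_module(LIST_ENTRY *head, const wchar_t *base_name) {
    for (LIST_ENTRY *e = head->Flink; e && e != head; e = e->Flink) {
        LDR_MODULE *m = (LDR_MODULE *)e;
        if (name_eq(&m->BaseDllName, base_name)) return m;
    }
    return NULL;
}

/* The PEB hook: exchange BaseAddress, EntryPoint and SizeOfImage between the real
 * and the fake DLL's entries. Returns 1 on success, 0 if either entry is missing. */
int peb_hook_swap(LIST_ENTRY *head, const wchar_t *real, const wchar_t *fake) {
    LDR_MODULE *r = find_module(head, real), *f = find_module(head, fake);
    if (!r || !f || r == f) return 0;
    void *b = r->BaseAddress;  r->BaseAddress = f->BaseAddress;  f->BaseAddress = b;
    void *e = r->EntryPoint;   r->EntryPoint  = f->EntryPoint;   f->EntryPoint  = e;
    uint32_t s = r->SizeOfImage; r->SizeOfImage = f->SizeOfImage; f->SizeOfImage = s;
    return 1;
}

#if defined(_WIN32) && defined(_M_IX86)
#include <intrin.h>
/* Live variant for a 32-bit Windows process: fs:[0x30] is the PEB. */
int peb_hook_self(const wchar_t *real, const wchar_t *fake) {
    PEB *peb = (PEB *)__readfsdword(0x30);
    return peb_hook_swap(&peb->Ldr->InLoadOrderModuleList, real, fake);
}
#endif

/* Self-check on a constructed list (no live process): poc.exe, kernel32.dll and
 * k32.dll with made-up bases. Swaps kernel32.dll <-> k32.dll and returns the
 * BaseAddress now recorded for `query`, or 0 if no such module. */
uintptr_t demo_base_after_swap(const wchar_t *query) {
    static const wchar_t *names[3] = { L"poc.exe", L"kernel32.dll", L"k32.dll" };
    static const uintptr_t bases[3] = { 0x00400000, 0x7C800000, 0x10000000 };
    LDR_MODULE mods[3];
    LIST_ENTRY head = { &mods[0].InLoadOrderModuleList, &mods[2].InLoadOrderModuleList };
    memset(mods, 0, sizeof mods);
    for (int i = 0; i < 3; i++) {
        mods[i].BaseAddress = (void *)bases[i];
        mods[i].EntryPoint  = (void *)(bases[i] + 0x1000);
        mods[i].SizeOfImage = 0x10000u * (uint32_t)(i + 1);
        mods[i].BaseDllName.Buffer = (wchar_t *)names[i];
        mods[i].BaseDllName.Length = (uint16_t)(wcslen(names[i]) * sizeof(wchar_t));
        mods[i].InLoadOrderModuleList.Flink = i < 2 ? &mods[i + 1].InLoadOrderModuleList : &head;
        mods[i].InLoadOrderModuleList.Blink = i > 0 ? &mods[i - 1].InLoadOrderModuleList : &head;
    }
    if (!peb_hook_swap(&head, L"KERNEL32.DLL", L"k32.dll")) return 0;   /* match is case-insensitive */
    LDR_MODULE *m = find_module(&head, query);
    return m ? (uintptr_t)m->BaseAddress : 0;
}
```

Only the three fields are touched; the name fields stay as they were, which is why a second lookup by name still finds the same entries and why the swap is reversible by calling it again with the same arguments.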

Generating any DLL for PEB Hooking or replacing in disk, binary form:
===================================================================
I recommend reading the PECOFF specification [R.3] to understand this section.

To generate the fake DLL you need:

1) Generate the PE32 image for the DLL.
2) An export directory equal to the real DLL's:

typedef struct _IMAGE_EXPORT_DIRECTORY {
....
DWORD Name;
DWORD Base;
DWORD NumberOfFunctions;
DWORD NumberOfNames;
DWORD AddressOfFunctions; // RVA from base of image
DWORD AddressOfNames; // RVA from base of image
DWORD AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

You need to read the ordinal table (AddressOfNameOrdinals): a WORD table with NumberOfNames entries, where entry j is the index into AddressOfFunctions of the j-th name. You also need AddressOfNames, an RVA to a table of NumberOfNames DWORD RVAs, each pointing to the NUL-terminated name of one export. Finally, read Name, another RVA, pointing to the DLL's own name inside the image. Base (the ordinal of the first AddressOfFunctions slot) must keep the same value in the fake DLL, otherwise applications importing by ordinal land on the wrong function.

You need a function like:

void * GetPtrFromRVA( PIMAGE_DOS_HEADER image_dos_header, DWORD rva );

This function looks the RVA up in the section headers and returns the real address at which the data can be accessed (see the dwtf source for more information, but check the values yourself, never do as I do).

Finally, you need to fill your own AddressOfFunctions: this RVA must point to a table of RVAs that point into the JMP area.

The JMP stub for each export must jump to the original export of the real DLL:

APP CALLS AN API --> Your Export --> Real Export

Now you need to create the JMP area, which looks like this:

JMP TABLE[0]
JMP TABLE[1]
JMP TABLE[2]
...

Then set the AddressOfFunctions table to the JMPs (yes, you need to compute the RVA of each stub for each entry in the table; see the dwtf code).

The best way to build the table the JMPs read from is to create an IAT, a real IAT that the Windows loader fills in for you. So the fake DLL needs an IAT that imports every symbol of the real DLL, which is very simple.

Creating the IAT is very simple, you need an IMAGE_IMPORT_DESCRIPTOR:

typedef struct _IMAGE_IMPORT_DESCRIPTOR {
DWORD OriginalFirstThunk; // I remove the union..
...
DWORD Name;
DWORD FirstThunk; // RVA to IAT
} IMAGE_IMPORT_DESCRIPTOR;

Name is an RVA to the DLL name (the name of the real DLL). A trick: you don't need the names of the exports, only the ordinals (you got them while parsing the exports). OriginalFirstThunk and FirstThunk each point to a DWORD table of thunks, terminated by a zero entry.

The thunk table is very simple: for each export take its ordinal and (read the PE specification) OR in the value 0x80000000, IMAGE_ORDINAL_FLAG32 (yes, dwtf only works on PE32; PE32+ thunks are 64 bits wide with the flag in bit 63). Without this trick your code would have to emit hint/name entries and would be more complex.

Remember: the array of IMAGE_IMPORT_DESCRIPTORs must be terminated by an all-zero IMAGE_IMPORT_DESCRIPTOR (0x000...), otherwise the loader keeps reading past it.

At this point the loader fills the FirstThunk table (the field itself is an RVA) with the addresses of all the real DLL's symbols.

You need to convert the RVA of each FirstThunk entry into a virtual address in the fake DLL, and point the JMP at that address:

JMP [IAT_ENTRY]

This is very simple: RVA + IMAGE BASE of the fake DLL. Caveat: that operand is an absolute address, so it is only correct while the fake DLL is loaded at its preferred ImageBase; if the image can be relocated, every stub operand needs a base relocation entry, otherwise you must guarantee the preferred base is free in the target process.

Now your exports point to the JMP area, which jumps to the original exports.

Finally, you need to update the OPTIONAL HEADER: SizeOfImage, and the data directory entries for the export and import tables with their RVAs and sizes.

dwtf creates a section called .dwtf holding EXPORTS + IMPORTS + JMPS.

dwtf v1.0:
=========
dwtf v1.0 (MIT open source, a PoC that may have bugs) creates fake.dll from real.dll:
1- It exports all symbols of real.dll (forwarders included).
2- It imports all exports of real.dll (forwarders included).
3- It creates a code area with a JMP DWORD [ADDRESS] for each export.
4- Each export of the fake DLL is assigned to a JMP stub that jumps to the original export of real.dll.

The site of dwtf is: http://rootkitanalytics.com/tools/dwtf.php

If you are doing PEB hooking, when the APP calls an export of the fake DLL it jumps to the original export and everything works fine:
Before PEB HOOKING:
APP -> IAT OF APP -> REAL DLL EXPORT

After PEB HOOKING:
APP -> IAT OF APP -> FAKE DLL EXPORT -> IAT OF FAKE DLL -> REAL DLL EXPORT

---

You can add or remove payloads with any IAT hooking technique applied to the IAT of the fake DLL:
APP -> IAT OF APP -> FAKE DLL EXPORT -> IAT OF FAKE DLL -> PAYLOAD STACK -> REAL DLL EXPORT (or never, if a payload decides not to call it)

---

Syntax: dwtf.exe fake_dll real_dll

---

Example: dwtf.exe k32.dll c:\windows\system32\kernel32.dll

---

All the .exes are in the bin folder:
You can run: Generate fake kernel32.bat
This bat runs dwtf, creating a fake kernel32.dll called k32.dll from c:\windows\system32\kernel32.dll

Afterwards, you can do the PEB hooking by running: PEB hooking poc with fake kernel32.bat

IMPORTANT: you need netcat to send commands to the console:
This bat injects console.dll into the poc.exe process using InjectorDll.exe.
The console listens by default on 127.0.0.1 port 1234; it is the interface used to do the PEB hooking.
Next, the bat connects to 127.0.0.1 1234 with the nc command (netcat).

In the console, through netcat, you can type:
pebhook kernel32.dll k32.dll
resume
exit
---

At this point poc.exe is running and waiting for the user to press enter:
poc.exe tries to create files with two kernel32.dll APIs: CreateFileW and CreateFileA.
When you press enter everything works (with luck) and the process exits after creating the files.

In this scenario everything works this way:
poc.exe -> IAT of POC.EXE -> k32.dll (fake kernel32.dll) -> IAT of k32.dll -> kernel32.dll

Loading payloads dynamically:
For this scenario:
poc.exe -> IAT of POC.EXE -> k32.dll (fake kernel32.dll) -> IAT of k32.dll -> payload/s
Remember: you can build a payload stack by IAT hooking over IAT hooking ...
The payloads can call the original kernel32.dll export.

You need:
Generate fake kernel32.bat
PEB hooking poc with fake kernel32.bat
command: pebhook kernel32.dll k32.dll

Add a payload for CreateFileA by inserting an IAT hook in k32.dll:
Inject the DLL:
InjectorDll.exe poc_dll.dll -p PID_OF_POC_EXE

In the POC.EXE console you can see:
Creating files... press enter
DLL INJECTED! ADDR OF OwnCreateFileA: 0x70651030 <--- for example
Now it is time to IAT-hook CreateFileA in k32.dll to OwnCreateFileA of poc_dll.dll.

Example of finding the IAT address of CreateFileA in k32:
Use peview, for example (google: download peview), or any other PE32 parser, and look for the IAT entry of CreateFileA in k32.

In the image the IAT address is: 0x1000C1A6
Change the IAT entry to the payload address:
write_process_memory.exe PID_OF_POC_EXE 0x1000C1A6 0x70651030
0x70651030 is the address of OwnCreateFileA in poc_dll.dll, injected into POC.exe.
In the console, through netcat, type:
resume
exit
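The payload stack from the two scenarios above, modelled as an added example (my code, not poc_dll.dll or dwtf): the fake DLL's export is a trampoline through its own IAT slot, installing a payload is one atomic exchange on that slot, and each payload keeps the pointer it displaced so it can chain to the real export or refuse to. The "real" CreateFileA is a constructed stand-in that returns the length of the name; payload_count, payload_deny and the "secret" rule are assumptions of the example.

```c
#include <stdatomic.h>
#include <string.h>

/* Constructed stand-ins (not kernel32, not dwtf code): a "real" export and a fake
 * DLL whose export is a pure trampoline through its own IAT slot, exactly what a
 * dwtf JMP DWORD [IAT_ENTRY] stub does. */
typedef int (*createfile_fn)(const char *name);

static int real_CreateFileA(const char *name) { return (int)strlen(name); }   /* stand-in */

/* The fake DLL's IAT slot for CreateFileA. The loader would fill it with the real
 * export; here it is initialised by hand. */
static _Atomic(createfile_fn) fake_iat_CreateFileA = real_CreateFileA;

/* fake k32!CreateFileA  ==  JMP DWORD PTR [fake_iat_CreateFileA] */
int fake_CreateFileA(const char *name) { return atomic_load(&fake_iat_CreateFileA)(name); }

/* Installing or removing a payload is one atomic pointer exchange on the slot (the
 * "32-bit xchg" of the text, on a 32-bit process): a thread calling through the
 * fake export sees either the old or the new target, never a torn pointer.
 * Returns the displaced target so the payload can chain to it. */
createfile_fn iat_hook(_Atomic(createfile_fn) *slot, createfile_fn payload) {
    return atomic_exchange(slot, payload);
}

/* Two stackable payloads; each keeps the pointer it displaced and calls it, so the
 * chain ends in the real export unless a payload decides otherwise. */
static createfile_fn next_after_count, next_after_deny;
static int calls_seen;
static int payload_count(const char *name) { calls_seen++; return next_after_count(name); }
static int payload_deny(const char *name) {
    if (strstr(name, "secret")) return -1;            /* short-circuit: real export never runs */
    return next_after_deny(name);
}

/* Demo: install count, then deny on top of it, and call the fake export once.
 * Returns what the application would get back for `name`. */
int demo_call(const char *name) {
    atomic_store(&fake_iat_CreateFileA, real_CreateFileA);       /* fresh IAT: real export */
    calls_seen = 0;
    next_after_count = iat_hook(&fake_iat_CreateFileA, payload_count);   /* real <- count */
    next_after_deny  = iat_hook(&fake_iat_CreateFileA, payload_deny);    /* count <- deny */
    return fake_CreateFileA(name);
}
int demo_calls_seen(void) { return calls_seen; }   /* how many calls reached payload_count */
```

Removing a payload is the same exchange in reverse (write back the pointer it displaced); because deny was installed last, it must also be removed first, which is the one ordering rule a stack of IAT hooks imposes.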

References:
========================
[R.0] Rootkitanalytics.com:
http://rootkitanalytics.com/tools/dwtf.php

[R.1] phook - The PEB Hooker, by [Shearer] & Dreg:
http://phrack.org/issues.html?issue=65&id=10#article

[R.2] PEB DLL Hooking Novel method to Hook DLLs, by Deroko:
http://www.arteam.accessroot.com/ezine/file_info/download1.php?file=ARTeam.eZine.Number2.rar

[R.3] PECOFF:
http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx

Sincerely, Dreg.
