You are here: Home / Blog / Archives for mikado

Another way to inject a DLL

July 12, 2007 by mikado · 1 Comment 

Read this first: OllyDbg plugin: Catcha! v1.1 – Catcha anywhere

Nothing special :D Just write a trap function that call LoadLibrary() function…

Pros:
- We have an advantage that we don’t have to call CreateRemoteThread() function.

Cons:
- Must pause target process to hook its EntryPoint :D.

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Add to favorites
  • Reddit
  • Technorati
  • Tumblr
  • Twitter
  • Slashdot
  • Identi.ca

Filed under Reverse Engineering · Tagged with

OllyDbg plugin: Catcha! v1.1 – Catcha anywhere

July 10, 2007 by mikado · Leave a Comment 

OllyDbg plugin: Catcha! v1.1

In order to reach the target program EntryPoint, we call CEngine::EngineTrap() function below before resuming the target program to hook its EntryPoint and raise debug exception by INT3 instruction then we can attach to it. 

///pAddress: the address inside target process (the EntryPoint in our case) that will be hooked with trap function.
VOID CEngine::EngineTrap(LPVOID pAddress)
{
	HANDLE hProcess = NULL, hLibRemote = NULL;
	UCHAR pEntryPointOpcodes[5] = {0,};
	//Trap function opcodes
	UCHAR pTrap[] = {0x50,				// 0 - PUSH EAX				; Save EAX
			 0xB8, 0x00, 0x00, 0x00, 0x00,	// 1 - MOV EAX,XXXXXXXX			; EAX = XXXXXXXX = pAddress
			 0xC6, 0x00, 0xFF,		// 6 - MOV BYTE PTR DS:[EAX],0FF	;\
			 0xC6, 0x40, 0x01, 0xFF,	// 9 - MOV BYTE PTR DS:[EAX+1],0FF	; |
			 0xC6, 0x40, 0x02, 0xFF,	//13 - MOV BYTE PTR DS:[EAX+2],0FF	; | Restore original opcodes at pAddress
			 0xC6, 0x40, 0x03, 0xFF,	//17 - MOV BYTE PTR DS:[EAX+3],0FF	; |
			 0xC6, 0x40, 0x04, 0xFF,	//21 - MOV BYTE PTR DS:[EAX+4],0FF	;/
			 0x58,				//25 - POP EAX				; Restore EAX
			 0xCC,				//26 - INT3				; Raise debug exception
			 0xE9, 0x00, 0x00, 0x00, 0x00	//27 - JMP YYYYYYYY			; YYYYYYYY = relative address value of pAddress
			};
	DWORD nOldProtect;

	do {
		//Open target process
		hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_ProcessInfo.m_nProcessId);
		if (!hProcess) {
			EngineLog("Error: CEngine::EngineTrap() -> ::OpenProcess()");
			EngineError();
			break;
		}

		//Allocate memory space inside target process for trap function
		//hLibRemote = allocated virtual address inside target process
		hLibRemote = ::VirtualAllocEx(hProcess,
					      NULL,
					      sizeof(pTrap),
					      MEM_COMMIT,
					      PAGE_READWRITE);
		if (!hLibRemote) {
			EngineLog("Error: CEngine::EngineTrap() -> ::VirtualAllocEx()");
			EngineError();
			break;
		}

		//Ensure that we can read/write/execute sizeof(pEntryPointOpcodes) bytes at pAddress
		if (!::VirtualProtectEx(hProcess,
					(LPVOID)(m_ProcessInfo.m_nImageBase + m_ProcessInfo.m_nAddressOfEntryPoint),
					sizeof(pEntryPointOpcodes),
					PAGE_EXECUTE_READWRITE,
					&nOldProtect)) {
			EngineLog("Error: CEngine::EngineTrap() -> ::VirtualProtectEx()");
			EngineError();
			break;
		}

		//Ensure that we can read/write/execute sizeof(pTrap) bytes at hLibRemote
		if (!::VirtualProtectEx(hProcess,
					(LPVOID)hLibRemote,
					sizeof(pTrap),
					PAGE_EXECUTE_READWRITE,
					&nOldProtect)) {
			EngineLog("Error: CEngine::EngineTrap() -> ::VirtualProtectEx()");
			EngineError();
			break;
		}

		//Save sizeof(pEntryPointOpcodes) bytes at pAddress in pEntryPointOpcodes
		if (!::ReadProcessMemory(hProcess,
					 (LPVOID)(m_ProcessInfo.m_nImageBase + m_ProcessInfo.m_nAddressOfEntryPoint),
					 (LPVOID)pEntryPointOpcodes,
					 sizeof(pEntryPointOpcodes),
					 NULL)) {
			EngineLog("Error: CEngine::EngineTrap() -> ::ReadProcessMemory()");
			EngineError();
			break;
		}

		//Repair trap function

		//XXXXXXXX = pAddress
		*(PDWORD)(pTrap + 2) = (DWORD)pAddress;

		//Calculate value for JMP instruction
		//YYYYYYYY = relative address value of pAddress
		*(PDWORD)(pTrap + 28) = (DWORD)pAddress - ((DWORD)hLibRemote + sizeof(pTrap));

		//Restore original opcodes at pAddress
		pTrap[8] = pEntryPointOpcodes[0];
		pTrap[12] = pEntryPointOpcodes[1];
		pTrap[16] = pEntryPointOpcodes[2];
		pTrap[20] = pEntryPointOpcodes[3];
		pTrap[24] = pEntryPointOpcodes[4];

		//Replace opcodes at pAddress with JMP instruction to trap function
		pEntryPointOpcodes[0] = 0xE9;
		//Calculate value for JMP instruction
		*(PDWORD)(pEntryPointOpcodes + 1) = (DWORD)hLibRemote - ((DWORD)pAddress + sizeof(pEntryPointOpcodes));

		//Write our codes into target process

		if (!::WriteProcessMemory(hProcess,
					  pAddress,
					  (LPVOID)pEntryPointOpcodes,
					  sizeof(pEntryPointOpcodes),
					  NULL)) {
			EngineLog("Error: CEngine::EngineHookEntryPoint() -> ::WriteProcessMemory()");
			EngineError();
			break;
		}

		if (!::WriteProcessMemory(hProcess,
					  (LPVOID)hLibRemote,
					  (LPVOID)pTrap,
					  sizeof(pTrap),
					  NULL)) {
			EngineLog("Error: CEngine::EngineTrap() -> ::WriteProcessMemory()");
			EngineError();
			break;
		}
	}
	while (FALSE);

	::CloseHandle(hProcess);

	EngineLog("Done: CEngine::EngineTrap()");
}

Besides, this function is also used to hook and trap at any address inside target process. It will be useful for attaching OllyDbg after bypassing some codes we are not interested in (e.g: anti-debugger codes :D). Because I don’t have much time at this moment, I will add this option in next version of Catcha!.

mikado.

P.S: As lamer’s comment, the next feature can only be applied to applications that don’t handle INT3 exception themselves. Another problem is that this version is still not be able to catch .NET applications because their EntryPoint is located in mscoree.dll.

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Add to favorites
  • Reddit
  • Technorati
  • Tumblr
  • Twitter
  • Slashdot
  • Identi.ca

Filed under Reverse Engineering · Tagged with

OllyDbg plugin: Catcha! v1.0

July 6, 2007 by mikado · Leave a Comment 

OllyDbg plugin: Catcha! v1.0

Catcha! v1.0
Coded by mikado @ vnsecurity, 4vn
Website: http://www.vnsecurity.net - http://www.4vn.org
Email: mikado[at]4vn[dot]org

[ About ]
Sometimes you don't know how to start a program correctly
from OllyDgb. Catcha! plugin will help you to attach to your
program automatically as soon as possible each time your
program runs (outside OllyDbg).

It works like Olly De-Attach Helper plugin:
http://www.openrce.org/downloads/details/185/Olly%20De-Attach%20Helper

Catcha! has more advantages than Olly De-Attach Helper.
It helps reversers not to miss many opcodes before attaching
target program.

Check it out! Have fun and feel free to contact me.

[ Instructions ]
- Copy Catcha!.dll and Catcha!.sys to OllyDbg plugin directory.
- First, select target program by chosing menu:
  Plugins -> Catcha! -> Select Catcha! target.
- Run target program outside OllyDbg.
  It will be attached in OllyDbg automatically as soon as possible.
- Press F9 to continue running program or,
  right click on Disassembler window and chose Thread -> Main
  on Popup menu to switch to program's main thread and continue
  your debug session.

[ History ]
2007.07.06:
- Version 1.0 released.

[ Known bugs ]
1. Target program can only be attached automatically one time.
   You have to restart OllyDbg in order for Catcha! to work correctly.
2. Only tested on Windows XP SP2. The kernel driver was built
   on WinDDK with Windows XP Build Environment.

[ TODO ]
- Fix bug (1).
- Implement de-attach function without closing target program.

mikado.
Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Add to favorites
  • Reddit
  • Technorati
  • Tumblr
  • Twitter
  • Slashdot
  • Identi.ca

Filed under Reverse Engineering · Tagged with