waliedassar

Redirect Execution

Jan 6th, 2013
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //If a new thread is created in a process, the system makes sure that DllMain's of loaded
  5. //DLLs get called in the context of the new thread. This is accomplished by iterating
  6. //through all _LDR_MODULE nodes of the "InMemoryOrderModuleList" doubly-linked list.
  7. //The DllMain of a DLL is called if certain conditions are met:
  8. // (1) The new thread is not exempted from calling DllMain's. See "SkipThreadAttach" flag of TEB.
  9. // (2) The _LDR_MODULE node does not belong to the main executable e.g. "calc.exe".
  10. // (3) The _LDR_MODULE node does not have the "LDRP_DONT_CALL_FOR_THREADS"
  11. //     flag set. see "DisableThreadLibraryCalls" function.
  12. // (4) The LDR_MODULE node has a non-zero entrypoint.
  13. //     N.B. ntdll.dll meets all conditions except that its entrypoint is always zero.
  14. // (5) The LDR_MODULE node has the "LDRP_PROCESS_ATTACH_CALLED" flag set. i.e. Its DllMain was
  15. //     previously called as part of the "DLL_PROCESS_ATTACH" reason.
  16. // (6) The LDR_MODULE node has the "LDRP_IMAGE_DLL" flag set. i.e. the image is loaded in an
  17. //     executable state. N.B. Dlls loaded via the "LoadLibraryExW" function
  18. //     with the "DONT_RESOLVE_DLL_REFERENCES" flag don't have this flag set.
  19.  
  20. //Given the above knowledge, we can fool ntdll into thinking that our main executable is a Dll that needs
  21. //to have its DllMain called upon thread creation and termination. This gives us a new way to redirect
  22. //execution.
  23.  
  24. //This manipulation may result in certain functions e.g. GetModuleFileNameEx failing to behave,
  25. //and this is why we should undo the manipulation.
  26.  
  27. #include "stdafx.h"
  28. #include "windows.h"
  29. #include "stdio.h"
  30.  
  31.  
  32.  
  33.  
// Bits of the loader entry's Flags field (the _LDR_MODULE node described in the header
// comment). Only the three this sample reads or writes are defined here.
#define LDRP_IMAGE_DLL                          0x00000004  // image loaded in an executable state (condition 6)
#define LDRP_ENTRY_PROCESSED                    0x00004000  // value Restore() writes back as the executable's flags
#define LDRP_PROCESS_ATTACH_CALLED              0x00080000  // DllMain already ran for DLL_PROCESS_ATTACH (condition 5)

// Loader routine used by main() to find the node describing this executable.
// NOTE(review): this prototype is the author's own, not from a public header (presumably the
// ntdll export of that name) — confirm the calling convention and argument types; main() passes
// the address of an unsigned long to receive the node pointer.
extern "C"
{
    void __stdcall LdrFindEntryForAddress(unsigned long addr,void* pLdrModule);
}
  42.  
// Thread start routine that does nothing and returns at once. The thread exists only so
// the loader performs its thread-attach pass over the module list (see the header comment);
// naked, so the body is exactly the one instruction.
__declspec(naked) void dummy()
{
    __asm
    {
        ret
    }
}
  47.  
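// Undo the loader-entry manipulation done in main(): walk InMemoryOrderModuleList, find the
// node whose DllBase equals ImageBase+1 (the value main() left there), and put the original
// ImageBase and flags back. Left altered, the node makes functions such as GetModuleFileNameEx
// misbehave (see the header comment).
//
// Offsets here are relative to the node's InMemoryOrderLinks field, which is what the list's
// Flink pointers reference and lies 8 bytes past the node start that main() gets from
// LdrFindEntryForAddress:
//   main(): ImageBase at node+0x18, Flags at node+0x34
//   here:   ImageBase at ebx+0x10, Flags at ebx+0x2C
// The original wrote Flags at ebx+0x34 (node+0x3C), which does not agree with the layout
// main() uses; the offset was changed to match main().
//
// NOTE(review): the flags are reset to the constant LDRP_ENTRY_PROCESSED rather than to a saved
// copy; main() overwrote the field without saving it, so this assumes that was the only bit set
// beforehand — confirm, or save the field in main() before changing it.
// The loop tests the node before the list-head check, so it also reads 4 bytes inside the list
// head itself on the final iteration; harmless unless those bytes happen to equal ImageBase+1.
void Restore()
{
    __asm
    {
        pushad
        mov eax,dword ptr fs:[0x30]     ;PEB
        mov esi,dword ptr[eax+0x8]      ;ImageBase
        inc esi                         ;the value main() stored as the node's DllBase
        mov eax,dword ptr[eax+0xC]      ;_PEB->Ldr
        lea eax,[eax+0x14]              ;InMemoryOrderModuleList head, used as the loop sentinel
        mov ebx,eax
looop:
        mov ebx,dword ptr[ebx]          ;Flink -> next node's InMemoryOrderLinks
        cmp esi,dword ptr[ebx+0x10]     ;node DllBase (node+0x18)
        jne skip
        dec dword ptr[ebx+0x10]         ;restore original ImageBase
        mov dword ptr[ebx+0x2C],LDRP_ENTRY_PROCESSED  ;restore original LDRP_** flags (node+0x34, as in main())
skip:
        cmp ebx,eax                     ;back at the list head -> done
        jnz looop
        popad
    }
    return;
}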
// Entry point. Runs twice: first normally at process start, then again when the loader's
// thread-attach pass treats this module as a DLL whose DllMain must be called for the new
// thread (conditions 2, 5 and 6 in the header comment are satisfied by the edits below).
// NOTE(review): on the second pass the loader presumably invokes the image entry point as if
// it were a DllMain, with DllMain's arguments and calling convention, and that path reaches
// main() again; the mismatch is never observed because that path ends in ExitProcess — confirm
// before making the redirected path return.
// Detection note: while the node is altered, its DllBase (ImageBase+1) disagrees with the
// PEB's ImageBase, the same mismatch Restore() searches for.
void main()
{
    // Re-entry counter: 0 on the normal start, 1 when the loader calls back into us.
    static unsigned long i=0;
    if(i++==1)
    {
        Restore();   // put the loader entry back before anything else inspects it
        //Do your own stuff here
        MessageBox(0,"Redirected!","waliedassar",0);
        ExitProcess(0);
    }
    // Loader entry (the _LDR_MODULE node) describing this executable.
    unsigned long pLdrModule=0;
    LdrFindEntryForAddress((unsigned long)&main,&pLdrModule);
    // node+0x18: DllBase. Off by one so the node no longer matches the main executable (condition 2).
    (*(unsigned long*)(pLdrModule+0x18))++; //Change ImageBase
    // node+0x34: Flags. Overwritten, not saved, with the bits conditions 5 and 6 require;
    // Restore() later writes a constant back rather than the value replaced here.
    *(unsigned long*)(pLdrModule+0x34)=LDRP_IMAGE_DLL|LDRP_PROCESS_ATTACH_CALLED;
    // Any new thread makes the loader walk the module list and re-enter this image.
    // NOTE(review): the CreateThread result is not checked; if it fails, the process just
    // sleeps forever below with the node still altered.
    unsigned long tid=0;
    CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)dummy,0,0,&tid);
    Sleep(INFINITE);
    return;
}