
Not sure if the title is that telling but what I want to do is hack into an executable and do as little as necessary to get the code from my DLL running since I want to write as few lines of assembly code as possible.

I already have the place where I'd like to jump in and I am ready to insert the necessary assembly instructions into the executable using OllyDbg, but since I never did that before I'm afraid I need a little help on those last steps.

What I want to do is basically:

  1. Force the executable to load my DLL
  2. Push a few parameters onto the stack for init_my_dll()
  3. call init_dll()

but I'm not sure what's the best way to accomplish that. Is there a straightforward way to get this done?

Btw: Is what I'm doing here actually called "dll-injection"?

Stefan Falk
  • possible duplicate of http://reverseengineering.stackexchange.com/questions/2793/dll-injection-and-getprocaddress-with-the-winapi – Martin Dec 05 '16 at 23:02
  • But to answer your question - yes, what you're doing is called DLL / code injection, and what you want to do can be relatively easily achieved using Windows APIs (VirtualAllocEx -> CreateRemoteThread(..., LoadLibraryA, "your_dll.dll", ...)). You can do it yourself if you want, too (that's called manual mapping). – Martin Dec 05 '16 at 23:08
  • This is "dll-injection". Like mentioned by Martin, just create a thread at the location of 'LoadLibraryA' with the library name. As for additional parameters, you should be able to mess with the stack. – Nordwald Dec 06 '16 at 06:44
  • @Martin So the "easiest" way is to inject code into the executable which calls CreateRemoteThread() in order to load my dll, then call GetProcAddress() to get the address of init_my_dll() and call it? The link you are referring to seems to do something different - if I get this right there are two processes in the end. I don't get how I would make the target process call init_my_dll() as described there. – Stefan Falk Dec 06 '16 at 09:46
  • No - you don't use GetProcAddress to call your function. You use it to find LoadLibraryA, and call it. That function will load your DLL, and will call its DllMain - and that function could be calling your init_my_dll function. That said - if you're trying to do this with a game, be careful, those have anti-cheats which usually detect this technique and ban you. – Martin Dec 06 '16 at 18:41
  • @Martin Okay, I didn't understand what LoadLibraryA is. Now I see it's a kernel function which expects the name of the dll as first parameter. The problem I see here is that this will call the DllMain from a different thread - just not the main thread - which might cause some problems. Not sure if there is a synchronous way to do that? Well, yes, I am trying to do something with a game here but not for cheating - I want to extend the script language provided for modders with additional functionality. But thanks for the hint - didn't think about anti-cheats yet ^^ – Stefan Falk Dec 06 '16 at 20:51
  • I imagine you could stop the thread, find its instruction pointer (eip / rip), make it jump to init_my_dll (you can have an empty DllMain for the purpose of using LoadLibraryA) and then resume it, so that your function gets called. But be careful - anticheats detect code modifications like this too. – Martin Dec 06 '16 at 21:46

1 Answer


I ended up placing the required code in the executable:

00C0B500   68 B6B4C000      PUSH ForgedAl.00C0B4B6                    ; ASCII "lua-extension.dll"
00C0B505   FF15 88F4C000    CALL DWORD PTR DS:[<&KERNEL32.LoadLibrar> ; kernel32.LoadLibraryA

00C0B50B   68 C9B4C000      PUSH ForgedAl.00C0B4C9                    ; ASCII "initialize"
00C0B510   50               PUSH EAX                                  ; push dll handle
00C0B511   FF15 8CF4C000    CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd> ; kernel32.GetProcAddress

00C0B517   56               PUSH ESI                                  ; holds pointer to the struct I want to steal -> parameter of "initialize"
00C0B518   FFD0             CALL EAX                                  ; call "initialize"
00C0B51A   5E               POP ESI

00C0B51B  ^E9 6648D0FF      JMP ForgedAl.0090FD86                     ; jump back and continue original program flow
Stefan Falk
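The DLL side that this stub expects, as an added example (not the asker's code): the patch pushes one argument and then removes it itself with POP ESI, so "initialize" must be a cdecl function taking one pointer, exported under its undecorated name, and DllMain must stay empty because it runs under the loader lock when LoadLibraryA is called. The mod_context layout is an assumption (the page does not show the struct ESI points to), and the #ifdef _WIN32 guards only let the file compile off Windows.

```c
/* lua-extension.c: the DLL the patched stub loads with LoadLibraryA and
 * then calls through GetProcAddress(h, "initialize").  Added example;
 * the struct layout below is an assumption, the page does not show it. */
#include <stddef.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#define DLL_EXPORT __declspec(dllexport)
#else
#define DLL_EXPORT
#define __cdecl /* cdecl is already the default ABI off Windows */
#endif

/* Hypothetical view of the engine struct that ESI points to at the hook. */
struct mod_context {
    void     *lua_state;   /* pointer the extension needs to keep */
    uint32_t  version;     /* example field; layout is assumed */
};

/* Saved by initialize(); read later by the extension's own code. */
static struct mod_context *g_ctx = NULL;

/* Must be cdecl: the stub cleans its single argument with POP ESI, which
 * only works if the callee leaves the argument on the stack and preserves
 * ESI (both guaranteed by cdecl; a stdcall callee would corrupt the stack).
 * Exported as plain "initialize" so GetProcAddress finds it; a C++ source
 * would additionally need extern "C". */
DLL_EXPORT int __cdecl initialize(struct mod_context *ctx)
{
    if (ctx == NULL || ctx->lua_state == NULL)
        return 0;                     /* refuse to run on a bad pointer */
    g_ctx = ctx;
    return 1;
}

/* Accessor used by the rest of the extension. */
struct mod_context *initialized_context(void)
{
    return g_ctx;
}

#ifdef _WIN32
/* Keep DllMain trivial: it runs under the loader lock, triggered by the
 * LoadLibraryA in the stub.  All real work happens in initialize(). */
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    (void)inst; (void)reason; (void)reserved;
    return TRUE;
}
#endif
```

Note that the stub itself saves nothing: EAX, ECX and EDX are clobbered by the three calls, so the hook point must be one where the original code no longer needs them.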