Dll injection is a dangerous technique which has the purpose of executing code into another process space, which is potentially the behavior of a malware. To do it is quite simple, the most known way is opening the target process with OpenProcess(), getting a handle, using VirtualAllocEx() to allocate memory in the target process, WriteProcessMemory() to write dll's name into the target process and then calling CreateRemoteThread():
HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress,
__in LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out LPDWORD lpThreadId
);
Monday, March 21, 2011
Monday, March 14, 2011
The Anti Attach
Well it's been a long time, but today i'm going to write about a feature that is very important when one wants to improve it's software security against reverse engineering.
The protection mecanism consists on hooking DbgUiRemoteBreakin from ntdll.dll, which is an API called IN TARGET PROCESS by most known debuggers when it attaches itself to a running process, then the idea of hooking it is to execute our own code instead of the breakpoint.
Here is the original DbgUiRemoteBreakin:
The protection mecanism consists on hooking DbgUiRemoteBreakin from ntdll.dll, which is an API called IN TARGET PROCESS by most known debuggers when it attaches itself to a running process, then the idea of hooking it is to execute our own code instead of the breakpoint.
Here is the original DbgUiRemoteBreakin:
