Log In
Register
Semisecure Login is not enabled!
Please enable JavaScript and use a modern browser to ensure that your password is encrypted.
Home
Topic RSS
10:28
Jr. Member
June 23, 2010
Offline
Hi there,
I'm currently working on DLL injection. The process of injecting dll's is absolutely clear, but i do not understand how I can get the correct function address on a separate process.
the python code is as followed:
kernel32 = windll.kernel32 handle = kernel32.GetModuleHandleA(dll)
address = kernel32.GetProcAddress(handle, function)
I do not understand how process A (injector) can get the correct ModuleHandler of proccess B ("victim").
I was thinking, the dll's are loaded dynamically at different addresses and when I get the handle for the dll on my own process and get the address of my wanted function, why is the address the same on the other process?
I hope u understand what I mean.
regards
10:30
Moderator
September 7, 2008
Offline
could be caused by ASLR or rebase/relocation
I guess you could inject some code into the remote process first, which retrieves the desired function pointers dynamically within the context of that specific process
Corelan Live Win32 Exploit Development Bootcamp http://www.corelan-training.com/
10:34
Jr. Member
June 23, 2010
Offline
is a dll on every process (maybe different programms) at the same address if ASLR is not turned on?
10:36
Moderator
September 7, 2008
Offline
not necessarily – rebase/relocations might change the base address
usually, the OS libraries will be at static locations if there is no ASLR
Corelan Live Win32 Exploit Development Bootcamp http://www.corelan-training.com/
10:41
Jr. Member
June 23, 2010
Offline
thanks for u explanation. So the injection code above would not be working on rebase/relocations and if ASLR is turned on?
what can be the trigger for rebase/relocations ?
10:44
Moderator
September 7, 2008
Offline
the code would work, but you need to run it within the context of the app, not outside the app (in other words, python won't be very helpful as it runs inside it's own process)
rebase/relocation : this is a functionality feature to avoid overlap between multiple modules.
if 2 modules are compiled with the same preferred base address, only the first one will get loaded at that address, the second will be loaded at a different (more or less random) location
Corelan Live Win32 Exploit Development Bootcamp http://www.corelan-training.com/
10:47
Jr. Member
June 23, 2010
Offline
ok I think I got it. Hopefully one last question. Who defines the preferred base address and how it knows the other preferred addresses to avoid overlapping?
10:48
Moderator
September 7, 2008
Offline
the developer/compiler can specify it – most compilers use the same base address for all modules
the value is stored in the PE header of the binary
Corelan Live Win32 Exploit Development Bootcamp http://www.corelan-training.com/
10:51
Jr. Member
June 23, 2010
Offline
that means basically all modules will be at a random location if all compiles modules have the same preferred base address.
10:53
Moderator
September 7, 2008
Offline
yeah, except for the first one… unless the developer actually told the compiler to use a specific base address
Corelan Live Win32 Exploit Development Bootcamp http://www.corelan-training.com/
10:56
Jr. Member
June 23, 2010
Offline
hmmm but the kernel32.dll is at his own preferred location. is this because MS compiles every dll with an own preferred base address and windows loads this dll before any others?
11:04
Moderator
September 7, 2008
Offline
correct
Corelan Live Win32 Exploit Development Bootcamp http://www.corelan-training.com/
Most Users Ever Online: 91
Currently Online: alsob, wolakec
12 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
mr_me: 313
Lincoln: 198
rick2600: 181
redsees: 179
Member Stats:
Guest Posters: 1
Members: 11606
Moderators: 1
Admins: 1
Forum Stats:
Groups: 3
Forums: 54
Topics: 989
Posts: 6266
Newest Members: wolakec, devon303, k12321, bkd1958
Moderators: Peter Van Eeckhoutte (2942)
Administrators: Peter Van Eeckhoutte (2942)
