Injecting a DLL into windows x86 PE on startup without using external injector.
First of all, sorry for my bad english. Russian is not allowed here, so, deal with it. I really hope you can understand this, lol. I do know there are some guides to do this out there. But this is focused on sro, and I do actually give support to people having issues.
Sorry for the images. They will be visible as soon as I get premium subscription or 20 posts, I guess.
1. Purpose
As many of you already know, there are multiple dll injectors out there. Unfortunately, they run as external process (in most cases, it's totally okay, unless you don't want each of your dll users to inject it manually each time he starts your redistributed exe/dll). This guide will explain you the basic idea of manual dll injection.
2. Requirements
OllyDbg 1.10 [Only registered and activated users can see links. Click Here To Register...]
PE Explorer (trial)
[Only registered and activated users can see links. Click Here To Register...]
3. Theory
Each Windows executable has so called header. All we have to know for now is that header has the following stucture:
[Only registered and activated users can see links. Click Here To Register...]
The only thing that interests us is PE Header which contains OEP (Original Entry Point). OEP value is an address from where execution of program will start. This is important because we are going to change it to our own code address, which will load the desired DLL and go back to the original entry point address, so program flow executes as normal after our "dirty job" is done. We can divide dll injection into 7 simple steps.
1. Locate OEP
2. Find free space for your dll loading code
3. Replace OEP with your code address
4. Write DLL name to some place in executable.
5. push dll name address to stack
6. call kernel32.LoadLibraryA
7. return to the original entry point
4. Implementation
What we will do inject a really basic dll into silkroad.exe. First of all, you will need to find the original entry point of silkroad.exe. This can be done by running PE Explorer your previously installed. Simply open silkroad.exe and take a look at "Address of entry point" field.
[Only registered and activated users can see links. Click Here To Register...]
You will need to copy it somewhere (ex: some text file).
For now, that's all we need from the PE Explorer.
Let's run OllyDbg 1.10 and go to the OEP. This can be done by opening silkroad.exe, pressing CTRL + G and pasting OEP you got from PE Explorer and hitting enter. After you are done, you should see something like this at the left side of OllyDbg window:
[Only registered and activated users can see links. Click Here To Register...]
Now, we have to find some empty space for our code. Normally you can just scroll down to the buttom until you each the end:
[Only registered and activated users can see links. Click Here To Register...]
I've selected
Since 0x00497FFE (section end) - 0x00497F7A (our code start address) = 84 bytes, which should be totally enough for both dll name ascii string and dll loading code itself. Now we have to put our dll name somewhere near the code (remember, it will take some space... so move it after or before expected code position for ~ 20 - 30 bytes at least). This can be done by selecting multiple lines (should be enough space for your dll name string) and pressing pressing CTRL + E. Entering your dll name into ASCII field and pressing OK button. I've chosen address starting from 0x0049F96. When we will do push to stack, we will need to specify that one.
[Only registered and activated users can see links. Click Here To Register...]
Now we do have desired dll name writen into silkroad.exe, and we can use it for LoadLibraryA function call. You should have something like this:
[Only registered and activated users can see links. Click Here To Register...]
Now what we have to do is to write a little a little codecave which will load our dll.
<dllNameAddr> = 00497F96
<oep> = 004778D0 (see in PE Explorer, or loop at olly EIP register value on the right upper corner).
When you are done, everything should look like this:
[Only registered and activated users can see links. Click Here To Register...]
Now we have to save our changes made in olly. To do this, right click somewhere on frame you did put your code / dll name in and select Copy to executable -> All Modifications and save your silkroad.exe to any place you want.
There's just one step left now. You have to modify your original OEP to the new one (where you did put your CODE at).
Open the saved exe with PE Explorer, and mofiy OEP (004778D0) to 00497F7A
. Press the green button near OEP text box, and go to File -> Save file as... and save it to some location (most likely, in our case, game client folder).
And you're done. Now just place dll that has DllMain function in same folder as your modified exe, and run it. Dll should load at startup.
Update: Added a youtube video.
If you still got any questions, feel free to contact me.
Skype: hedgehock94
First of all, sorry for my bad english. Russian is not allowed here, so, deal with it. I really hope you can understand this, lol. I do know there are some guides to do this out there. But this is focused on sro, and I do actually give support to people having issues.
Sorry for the images. They will be visible as soon as I get premium subscription or 20 posts, I guess.
1. Purpose
As many of you already know, there are multiple dll injectors out there. Unfortunately, they run as external process (in most cases, it's totally okay, unless you don't want each of your dll users to inject it manually each time he starts your redistributed exe/dll). This guide will explain you the basic idea of manual dll injection.
2. Requirements
OllyDbg 1.10 [Only registered and activated users can see links. Click Here To Register...]
PE Explorer (trial)
[Only registered and activated users can see links. Click Here To Register...]
3. Theory
Each Windows executable has so called header. All we have to know for now is that header has the following stucture:
[Only registered and activated users can see links. Click Here To Register...]
The only thing that interests us is PE Header which contains OEP (Original Entry Point). OEP value is an address from where execution of program will start. This is important because we are going to change it to our own code address, which will load the desired DLL and go back to the original entry point address, so program flow executes as normal after our "dirty job" is done. We can divide dll injection into 7 simple steps.
1. Locate OEP
2. Find free space for your dll loading code
3. Replace OEP with your code address
4. Write DLL name to some place in executable.
5. push dll name address to stack
6. call kernel32.LoadLibraryA
7. return to the original entry point
4. Implementation
What we will do inject a really basic dll into silkroad.exe. First of all, you will need to find the original entry point of silkroad.exe. This can be done by running PE Explorer your previously installed. Simply open silkroad.exe and take a look at "Address of entry point" field.
[Only registered and activated users can see links. Click Here To Register...]
You will need to copy it somewhere (ex: some text file).
For now, that's all we need from the PE Explorer.
Let's run OllyDbg 1.10 and go to the OEP. This can be done by opening silkroad.exe, pressing CTRL + G and pasting OEP you got from PE Explorer and hitting enter. After you are done, you should see something like this at the left side of OllyDbg window:
[Only registered and activated users can see links. Click Here To Register...]
Now, we have to find some empty space for our code. Normally you can just scroll down to the buttom until you each the end:
[Only registered and activated users can see links. Click Here To Register...]
I've selected
Code:
00497F7A 0000 ADD BYTE PTR DS:[EAX],AL
[Only registered and activated users can see links. Click Here To Register...]
Now we do have desired dll name writen into silkroad.exe, and we can use it for LoadLibraryA function call. You should have something like this:
[Only registered and activated users can see links. Click Here To Register...]
Now what we have to do is to write a little a little codecave which will load our dll.
Code:
push <dllNameAddr> call LoadLibraryA jmp <oep>
<oep> = 004778D0 (see in PE Explorer, or loop at olly EIP register value on the right upper corner).
When you are done, everything should look like this:
[Only registered and activated users can see links. Click Here To Register...]
Now we have to save our changes made in olly. To do this, right click somewhere on frame you did put your code / dll name in and select Copy to executable -> All Modifications and save your silkroad.exe to any place you want.
There's just one step left now. You have to modify your original OEP to the new one (where you did put your CODE at).
Open the saved exe with PE Explorer, and mofiy OEP (004778D0) to 00497F7A
. Press the green button near OEP text box, and go to File -> Save file as... and save it to some location (most likely, in our case, game client folder).
And you're done. Now just place dll that has DllMain function in same folder as your modified exe, and run it. Dll should load at startup.
Update: Added a youtube video.
|
|
If you still got any questions, feel free to contact me.
Skype: hedgehock94
