Comments on System Programming: Hiding Injected DLL in Windows (comment feed last updated 2023-04-26 16:29 +02:00)

Kenny, 2011-12-09 18:01 +03:00:
Great post. This is also the path that a lot of malware uses to find DLLs. They walk one of the lists and check the hash of each name.

Typo:

"all double words and should be defined as dw" -->
"all double words and should be defined as dd"

Alexey Lyashko, 2011-12-09 18:04 +03:00:
Thanks Kenny! Fixed the typo :)

Anonymous, 2011-12-15 03:00 +03:00:
This will hide your DLL from simple scans, but there are other ways to detect DLLs even after they have been unlinked from the system lists. For example, you could iterate through all of the allocated memory of a process and see if there are any DLL headers anywhere. Additionally, you could check for pages marked as executable that don't fall in the memory range of loaded DLLs.

Alexey Lyashko, 2011-12-15 03:21 +03:00:
First of all, there's no way to make it 100% undetectable, but there are numerous ways to prevent or disturb detection.

Iteration through the allocated memory is a costly operation. More than that, you can clear the headers, so that this method would fail.

Manual mapping is a good but much more complicated way of injection, as you have to take care of all the relocs and

Anonymous, 2012-03-29 22:52 +03:00:
Make a topic about manually mapping a DLL into another process. How does it work?

Alexey Lyashko, 2012-03-29 22:58 +03:00:
Manual mapping is another fancy name for emulation of what the Windows loader is responsible for.

I will make a post in this regard some day, but ask yourself first: is mapping all sections and resolving relocations what you really want to do when injecting a DLL?

Anonymous, 2012-10-26 22:50 +03:00:
Alexey, good stuff man. Been reading your posts the last couple of days. How did you learn all the internal structs? For someone starting on this, I would appreciate a good push in the right direction.

Alexey Lyashko, 2012-10-26 23:06 +03:00:
Thanks!
Well, I could've told you about long RE sessions over Windows system files, but let me tell you the real story. MSDN is full of information about those structures. The only problem is that the description found on MSDN is quite lame and many fields are simply named "reserved". In this case you should simply google for the layout of those structures. That would bring