PEB.Ldr - Unlinking an entry
OHPen
August 17th, 2008, 12:48
Hey,
After a DLL is loaded into a process via LoadLibrary, a new entry in PEB.Ldr.InMemoryOrderModuleList is created. Because I want to hide the loading of a certain DLL, I removed this entry after loading the DLL. The DLL still works fine, but I'm asking what other references were created by the use of LoadLibrary. I know that there is some internal struct on the kernel side for each process; maybe this internal struct also holds an entry for my DLL (I think it's called KPEB, but I'm not sure).
Information regarding the behaviour of LoadLibrary concerning DLL references would be nice.
OHPen.
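An added example, not code from this thread or from any of the projects it names: a defender-side cross-view check that walks the three PEB.Ldr lists and reports any module that appears in one list but not the others, which is exactly the footprint left by removing only the InMemoryOrderModuleList entry the first post describes. The struct layouts are a constructed, simplified mirror of the Windows ones (the real PEB_LDR_DATA has Length, Initialized and SsHandle ahead of the list heads, and entry names are UNICODE_STRINGs), the module names and base addresses are made up, and `build_sample_ldr` stands in for reading the live PEB; on Windows the real list heads are reached through NtCurrentTeb()->ProcessEnvironmentBlock->Ldr.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified mirror of the Windows loader structures. The order of
 * the three LIST_ENTRY links matches the real LDR_DATA_TABLE_ENTRY, which is what
 * the offsetof() arithmetic in walk() relies on. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _PEB_LDR_DATA {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    void *DllBase;
    const char *BaseDllName;   /* plain C string in this simulation */
} LDR_DATA_TABLE_ENTRY;

enum { MAX_MODULES = 64 };

/* One row per distinct DllBase: seen[0]=load order, [1]=memory order, [2]=init order. */
typedef struct {
    void *base;
    const char *name;
    int seen[3];
} module_view;

static module_view *find_or_add(module_view *v, int *n, void *base, const char *name) {
    for (int i = 0; i < *n; i++)
        if (v[i].base == base) return &v[i];
    if (*n >= MAX_MODULES) return NULL;
    v[*n].base = base;
    v[*n].name = name;
    v[*n].seen[0] = v[*n].seen[1] = v[*n].seen[2] = 0;
    return &v[(*n)++];
}

/* Follow one list; link_off is the offset of that list's LIST_ENTRY inside the
 * entry, so entry = link - link_off (the same math as CONTAINING_RECORD). */
static void walk(const LIST_ENTRY *head, size_t link_off, int which, module_view *out, int *n) {
    for (const LIST_ENTRY *p = head->Flink; p != head; p = p->Flink) {
        const LDR_DATA_TABLE_ENTRY *e = (const LDR_DATA_TABLE_ENTRY *)((const char *)p - link_off);
        module_view *m = find_or_add(out, n, e->DllBase, e->BaseDllName);
        if (!m) return;
        m->seen[which] = 1;
    }
}

/* Walks all three lists and returns how many modules are absent from at least one.
 * An entry unlinked from a single list still shows up in the other two, so the views
 * disagree. On Windows ldr = NtCurrentTeb()->ProcessEnvironmentBlock->Ldr. */
int find_unlisted_modules(const PEB_LDR_DATA *ldr, module_view *out, int *out_count) {
    int n = 0, flagged = 0;
    walk(&ldr->InLoadOrderModuleList, offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks), 0, out, &n);
    walk(&ldr->InMemoryOrderModuleList, offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks), 1, out, &n);
    walk(&ldr->InInitializationOrderModuleList, offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks), 2, out, &n);
    for (int i = 0; i < n; i++)
        if (!(out[i].seen[0] && out[i].seen[1] && out[i].seen[2])) flagged++;
    *out_count = n;
    return flagged;
}

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_append(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Constructed sample process with three modules at made-up base addresses.
 * With hide_one set, "hidden.dll" is left out of InMemoryOrderModuleList only. */
PEB_LDR_DATA *build_sample_ldr(int hide_one) {
    static PEB_LDR_DATA ldr;
    static LDR_DATA_TABLE_ENTRY entries[3];
    static const char *names[3] = { "ntdll.dll", "kernel32.dll", "hidden.dll" };

    list_init(&ldr.InLoadOrderModuleList);
    list_init(&ldr.InMemoryOrderModuleList);
    list_init(&ldr.InInitializationOrderModuleList);
    for (int i = 0; i < 3; i++) {
        entries[i].DllBase = (void *)(uintptr_t)(0x70000000u + 0x100000u * i);  /* constructed */
        entries[i].BaseDllName = names[i];
        list_append(&ldr.InLoadOrderModuleList, &entries[i].InLoadOrderLinks);
        if (!(hide_one && i == 2))
            list_append(&ldr.InMemoryOrderModuleList, &entries[i].InMemoryOrderLinks);
        list_append(&ldr.InInitializationOrderModuleList, &entries[i].InInitializationOrderLinks);
    }
    return &ldr;
}

/* Number of inconsistent modules in the constructed sample (1 when hidden, 0 otherwise). */
int sample_flagged(int hide_one) {
    module_view v[MAX_MODULES];
    int n = 0;
    return find_unlisted_modules(build_sample_ldr(hide_one), v, &n);
}

int main(void) {
    module_view v[MAX_MODULES];
    int n = 0, flagged = find_unlisted_modules(build_sample_ldr(1), v, &n);
    for (int i = 0; i < n; i++)
        printf("%-13s base=%p load=%d memory=%d init=%d%s\n", v[i].name, v[i].base,
               v[i].seen[0], v[i].seen[1], v[i].seen[2],
               (v[i].seen[0] && v[i].seen[1] && v[i].seen[2]) ? "" : "  <-- inconsistent");
    printf("%d module(s) missing from at least one loader list\n", flagged);
    return flagged != 0;
}
```

Two caveats for anyone turning this into a real check: the main executable legitimately never appears in InInitializationOrderModuleList, so a production version exempts it, and an entry removed from all three lists leaves the lists consistent, which is why stronger checks compare the PEB view against the image regions that VirtualQuery actually reports as mapped.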
blabberer
August 17th, 2008, 13:46
Look for mgrier's blog on MSDN; IIRC he wrote a very lengthy 6- or 7-part series on LoadLibrary and its allied functions (LdrLoadDll).
OHPen
August 17th, 2008, 13:53
Hi blabberer,
Thank you for the hint. I will read the 7 articles. I need to understand what LoadLibrary is exactly doing because I have to make a decision between manually loading the DLL (fixing the relocations, etc.) or using system functions + cleaning all created references in the operating system.
To be honest I would prefer the first method, but I can't find any source which I could use for manually loading a DLL.
Regards,
OHPen
PS: I read the first one, which is about LoadLibrary, and from that point of view only the entry in the load order list is created. If that were everything, it would be stupid not to use LoadLibrary + removing the created entry. I can't believe that there are not more references created...
blabberer
August 17th, 2008, 14:00
I can't be sure if this fits your bill, but
you can check anonymouse's modified command line plugin; it's available for download at OpenRCE.
That plugin has a command loaddll, and I have used it to load certain DLLs into debuggees in OllyDbg.
It comes with src.
OHPen
August 17th, 2008, 14:11
@blabberer: I'm not sure if I completely understand what anonymouse does here, but to me he seems to use some API from MS's dbghelp.dll and uses it to load the DLLs. Is that correct? Does dbghelp use another way to load DLLs?
regards, OHPen
PS: I checked the plugin again and it's definitely not doing what I want to do.

blabberer
August 17th, 2008, 14:31
I don't think he is using any APIs at all in his loaddll function.
IIRC he simply allocates memory in the process, writes the DLL string somewhere in that memory,
assembles pushad, pushfd, push &string, call LoadLibrary, popfd, popad, modifies the thread context and jumps back to the previously fetched EIP from the unmodified context, and has the process suspended for the whole duration.
deroko
August 17th, 2008, 14:37
At my website, deroko.phearless.org, there is source for dllbande, which uses manual mapping of a DLL for debugging purposes. It's C code.

OHPen
August 17th, 2008, 16:40
@blabberer: I really only took a short look at the code. I will study it when I have more time.
@deroko: thanks for the hint, but I'm too stupid to find a download called dllbande on your site. Can you post a link?
regards,
OHPen
DeepBlueSea
August 17th, 2008, 16:50
DLL Break and Enter
http://deroko.phearless.org/dllbande.rar
OHPen
August 17th, 2008, 18:03
Thanks

OHPen
August 18th, 2008, 04:40
I have now checked the code, and that was exactly what I was searching for. Thank you deroko.
Regards,
OHPen
darawk
August 18th, 2008, 08:29
http://www.edgeofnowhere.cc/viewtopic.php?t=305739
Search the page for "CloakDll" and you will find what you're looking for, along with a very detailed explanation of the inner workings of GetModuleHandle.
OHPen
August 18th, 2008, 08:47
I would really enjoy reading that code too, but your server seems to be down. I cannot access www.darawk.com at all...
Regards,
OHPen
darawk
August 18th, 2008, 08:57
I know, but the code is posted later in the thread. Keep scrolling down.
OHPen
August 18th, 2008, 10:28
Ok, great thank you.