
fun remote DLL loading found in malware :)


evaluator
January 1st, 2009, 11:14
Yesterday I found a fun remote DLL loading method in malware:

VAllocEx memory and write only the DLL path name there;
then CreateRemoteThread with
ThreadIP=LoadLibraryA(W)
Argument=that_AddrName;

GOAS> does not inject any code into the process

Fun, ye?
Did you know it?

roxaz
January 2nd, 2009, 07:17
It's as old as the world....

evaluator
January 3rd, 2009, 06:08
If it's so old, why do I see it for the first time??
Point me.

roxaz
January 3rd, 2009, 06:22
Well, I guess you have not seen many techniques (and I find it weird judging from your post count). http://www.codeproject.com/KB/threads/winspy.aspx July 25, 2003: Article published. Old as the world indeed.

evaluator
January 3rd, 2009, 06:59
good!

What can I say? I saw it for the first time in a target, so that's ALL FOLKS! : )

roxaz
January 3rd, 2009, 07:02
Sad thing though, this does not work on Vista as it worked on XP..

evaluator
January 3rd, 2009, 09:09
Why?? LoadLibrary changed??

roxaz
January 3rd, 2009, 09:19
Nah, just extra protections to make our life harder and the victims' life easier.

evaluator
January 3rd, 2009, 09:29
?? Who is "OUR"? Are you a virus/trojan maker??

roxaz
January 3rd, 2009, 09:41
Well, 'we' are the guys who use these techniques, and the victims are either targeted processes or even people. I guess I expressed myself in a bit of a wrong way, and no, I don't make malware, I'm not good enough.

evaluator
January 3rd, 2009, 11:16
Huh!
You ARE good enough > until you are not doing bad!

roxaz
January 3rd, 2009, 13:04
I mean I lack experience.

int0
January 7th, 2009, 03:04
Yes it's old, and how about the ntdll.NtMapViewOfFile technique, have you seen it?

roxaz
January 7th, 2009, 03:14
No, would be interesting to see though.

int0
January 7th, 2009, 03:30
Emmm, sorry, not ntdll.NtMapViewOfFile but ntdll.NtMapViewOfSection; anyway kernel32.MapViewOfFile calls ntdll.NtMapViewOfSection so...

It goes like this: the malware creates a file in temp, then writes the path of the DLL which needs to be injected, then maps this file into the victim process and then simply calls CreateRemoteThread. OK, just found a good sample about this technique:
http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf
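Both variants in this thread (the opening post's VAllocEx + CreateRemoteThread on LoadLibrary, and the mapped-file variant just above) end the same way: a thread created from another process whose start address is LoadLibraryA/W itself, so the injector never writes code into the target. That is also what a defender can key on. The following is an added example, not code from the thread or from the cited paper: it classifies Sysmon Event ID 8 (CreateRemoteThread) records by where the thread start points. The field names are Sysmon's own; the event records, process names and addresses are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records, one field per
# line and records separated by "---". Sample data, not real telemetry.
SAMPLE_EVENTS = """\
SourceImage: C:\\Users\\bob\\AppData\\Local\\Temp\\dropper.exe
TargetImage: C:\\Windows\\explorer.exe
StartAddress: 0x75A2E2C0
StartModule: C:\\Windows\\System32\\KERNEL32.DLL
StartFunction: LoadLibraryA
---
SourceImage: C:\\Windows\\System32\\csrss.exe
TargetImage: C:\\Windows\\System32\\conhost.exe
StartAddress: 0x77B1F0A0
StartModule: C:\\Windows\\System32\\ntdll.dll
StartFunction: RtlUserThreadStart
---
SourceImage: C:\\Users\\bob\\Downloads\\update.exe
TargetImage: C:\\Windows\\System32\\svchost.exe
StartAddress: 0x00C20000
StartModule:
StartFunction:
"""

LOADLIBRARY = re.compile(r"^LoadLibrary(Ex)?[AW]$")

def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the flattened event text into one dict per record."""
    events = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")  # first ':' ends the field name
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def classify(ev: Dict[str, str]) -> str:
    """Label one CreateRemoteThread record by what its start address points at."""
    module = ev.get("StartModule", "").lower()
    func = ev.get("StartFunction", "")
    if LOADLIBRARY.match(func) and module.endswith(("kernel32.dll", "kernelbase.dll")):
        # Thread entry is LoadLibrary itself: only a path string was written to
        # the target and the loader does the rest, as described in the thread.
        return "remote-loadlibrary"
    if not module:
        # No backing module: the thread starts in memory the creator wrote.
        return "remote-unbacked-start"
    return "benign"

def find_injections(text: str) -> List[Tuple[str, str, str]]:
    """Return (source, target, verdict) for every record that is not benign."""
    return [(ev["SourceImage"], ev["TargetImage"], verdict)
            for ev in parse_events(text)
            if (verdict := classify(ev)) != "benign"]
```

Where the mapped-file variant is used, the path string lives in a section rather than VirtualAllocEx memory, but the Event ID 8 record looks the same, so the LoadLibrary-start rule covers both.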

int0
January 7th, 2009, 03:35
Some kernel firewalls such as Outpost detect WriteProcessMemory and prevent standard methods of injection.

roxaz
January 7th, 2009, 03:35
Oh.. CreateRemoteThread.. Vista crap, you know.. Anyway, they said that Windows 7 will have a less harsh UAC. Let's hope MS will fix this bug of hardly working remote injection lol

int0
January 7th, 2009, 03:42
Hm, interesting. I have beta 1 installed on my laptop, need to try, thanks for the info. Yes, UAC is smarter now.