Where to Make Space Inside a DLL?
RobertReed
June 14th, 2009, 04:47
Problem: I need to include some custom code inside a DLL. The code must be patched into the file, so I cannot use any kind of loaders, hooking, or dynamic code injection. I do not know where in the DLL I can patch my code.
I'm assuming I'll have to overwrite some code to replace it with my own custom code. I'd like some advice on where I should overwrite with my code.
Are there common functions inside DLLs that rarely get called that I could overwrite? I'm thinking of standard exception handling code or even redundant functions or "dead" functions that are unnecessarily included as bloat/overhead in DLLs.
I need around 20-50 bytes of space to patch in my own code.
Lastly, am I correct in my assumption that I need to overwrite code? Is there a way to extend the instruction space of a DLL without causing instability to the program? It would be wonderful to arbitrarily patch new code.
cod
June 14th, 2009, 06:56
You can add your code using the space available at the end of the ".text" section. The sections in the file are aligned to a page boundary, and in the file you can find free bytes available (check the difference between Virtual Size and size on disk).
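To make the Virtual Size vs. size-on-disk check concrete, here is an added Python example (not from this thread) that walks the PE section table and reports, per section, the on-disk slack between VirtualSize and SizeOfRawData, whether the section is executable, and whether that slack still holds only fill bytes, which is also what an integrity check looks at to spot a cave that has already been written to. The PE image it parses is constructed inline and is not a real DLL.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PAD_BYTES = {0x00, 0xCC}  # linker zero fill and INT3 fill; anything else in slack is suspicious

def section_slack(pe: bytes) -> list:
    """Per section: on-disk slack = SizeOfRawData - VirtualSize (raw data is padded to FileAlignment)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    file_align = struct.unpack_from("<I", pe, coff + 20 + 36)[0]  # same offset in PE32 and PE32+
    out = []
    for i in range(nsec):
        off = coff + 20 + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        # Only bytes present on disk can be file-patched; the rest of the memory page up to
        # SectionAlignment exists only once the loader maps the image.
        slack = max(rawsize - vsize, 0)
        slack_bytes = pe[rawptr + vsize:rawptr + rawsize]
        out.append({"name": name, "slack": slack, "aligned": rawsize % file_align == 0,
                    "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                    "clean": all(b in PAD_BYTES for b in slack_bytes),  # False: slack already holds something
                    "file_offset": rawptr + vsize, "rva": vaddr + vsize})
    return out

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real DLL): .text padded with 16 INT3s, .data with 384 zero bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # 2 sections, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    def sh(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
    secs = sh(b".text", 0x1F0, 0x1000, 0x200, 0x200, 0x60000020) + sh(b".data", 0x80, 0x2000, 0x200, 0x400, 0xC0000040)
    hdr = (dos + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    text = (b"\x90" * 0x1F0).ljust(0x200, b"\xCC")  # NOPs, then INT3 padding
    data = (b"\x41" * 0x80).ljust(0x200, b"\0")
    return hdr + text + data

if __name__ == "__main__":
    for s in section_slack(build_sample_pe()):
        print(s)
```

Run against a real file with `section_slack(open(path, "rb").read())`; a section whose "clean" flag is False has non-fill bytes in its padding, which is what to look for when checking whether a binary has been patched.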
squidge
June 14th, 2009, 14:01
Have a look through the file with something like Ollydbg, you'll typically find lots of code caves as compilers and linkers align to offsets. I've noticed some that like to ensure all functions start on a 256 byte boundary, which gives lots of room for additional code.
dELTA
June 16th, 2009, 18:30
You can of course also just add a completely new PE section to the file, give it the right attributes, and presto, have as much space as you want. This will of course increase the size of the file, but I didn't see that this was "illegal" in this case?
Kayaker
June 16th, 2009, 22:13
You might want to check out Iczelion's Code Snippet Creator if you want a tool to help with the job.
dELTA
June 17th, 2009, 06:55
Almost forgot about that old gem... Just uploaded it to the CRCETL for y'all.
http://www.woodmann.com/collaborative/tools/Code_Snippet_Creator_(Iczelion)
Kayaker
June 17th, 2009, 11:18
Quote (originally posted by dELTA): Just uploaded it to the CRCETL for y'all.
We
BanMe
June 17th, 2009, 18:42
What about the old example in hutch's MASM package.. the one where function1 calls function2 which overwrites function1.. I forget the name of it.. but anyway, what about a code recycler similar in effect to the example so non-precisely described above...
Some kind of example would be nice but I'm not home.. update coming..
regards BanMe
BanMe
June 22nd, 2009, 13:56
Sorry it's taken me so long to stir up a rough example on this subject.. I've been doing other things..
This is completely untested.. but hey.. testing it takes time.. and I didn't even do what I said I was gonna do.. but I came up with something I hope is more useful to the OP.. I'm still working on the recycler.. as part of my server... :S
Code:
    // Needs an NT native API header (ntdll.h / winternl-style definitions) for PLDR_MODULE,
    // OBJECT_NAME_INFORMATION, SECTION_BASIC_INFORMATION, NtQueryObject, NtOpenSection,
    // NtQuerySection, NtExtendSection and RtlEqualUnicodeString, and links against ntdll.lib.
    PVOID MakeCodeCaveInDll(__in PUNICODE_STRING DllName, __in size_t bSize)
    {
        PLDR_MODULE LdrInfo = NULL;
        // OBJECT_NAME_INFORMATION is only a UNICODE_STRING header; the name characters are
        // returned right after it, so a bare struct is too small (STATUS_INFO_LENGTH_MISMATCH).
        BYTE ObNameBuf[1024] = {0};
        POBJECT_NAME_INFORMATION ObName = (POBJECT_NAME_INFORMATION)ObNameBuf;
        SECTION_BASIC_INFORMATION sbInfo = {0};
        LARGE_INTEGER SecNewSize = {0};
        OBJECT_ATTRIBUTES oa = {0};
        HANDLE hTargetSection = NULL;
        NTSTATUS Status = STATUS_SUCCESS;
        HMODULE hMod = NULL;
        ULONG Result = 0;
        PVOID Cave = NULL;

        __try
        {
            // you can use GetModuleHandle here.. I like mine.
            hMod = GetPebDll(DllName->Buffer);
            if (hMod == NULL)
                __leave;
            Status = LdrFindEntryForAddress(hMod, &LdrInfo);
            if (!NT_SUCCESS(Status))
                __leave;
            // UNICODE_STRING buffers need not be NUL-terminated, so compare by length, not with wcscmp.
            if (!RtlEqualUnicodeString(&LdrInfo->BaseDllName, DllName, TRUE))
                __leave;
            // Caveat: NtQueryObject takes an object HANDLE; BaseAddress is the mapped image base,
            // not a handle, so this lookup needs a real section handle before it can succeed.
            Status = NtQueryObject((HANDLE)LdrInfo->BaseAddress, ObjectNameInformation, ObName, sizeof(ObNameBuf), &Result);
            if (!NT_SUCCESS(Status))
                __leave;
            InitializeObjectAttributes(&oa, &ObName->Name, OBJ_OPENIF, NULL, NULL);
            Status = NtOpenSection(&hTargetSection, SECTION_EXTEND_SIZE, &oa);
            if (!NT_SUCCESS(Status))
                __leave;
            Status = NtQuerySection(hTargetSection, SectionBasicInformation, &sbInfo, sizeof(sbInfo), &Result);
            if (!NT_SUCCESS(Status))
                __leave;
            // Grow the section by bSize; the cave starts where the old section ended.
            SecNewSize.QuadPart = sbInfo.Size.QuadPart + (LONGLONG)bSize;
            Status = NtExtendSection(hTargetSection, &SecNewSize);
            if (!NT_SUCCESS(Status))
                __leave;
            Cave = (PVOID)((ULONG_PTR)hMod + (ULONG_PTR)sbInfo.Size.QuadPart);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            Cave = NULL;
        }
        // Close the section handle on every path, not only when an exception fired.
        if (hTargetSection != NULL)
            NtClose(hTargetSection);
        return Cave;
    }
Please see my blog for further updates to this and the other tidbits that will be included in the Client source code release sometime this week.
regards BanMe