
View Full Version : How to set BP in Dll that was injected into explorer.exe ?


p0lly
September 2nd, 2011, 06:49
Hi

I just made a keylogger that uses "DLL injection" into explorer.exe.

It is injected nicely, like below... (the DLL that was injected into explorer.exe is hooker.dll)


I want to set a BP on an address in hooker.dll but don't know how to...
If I can set a BP with Olly, it will be great.

I attached my keylogger and am waiting for your advice, thank you...
(execute keylogge.exe, then hooker.dll will be injected...)

deroko
September 3rd, 2011, 09:44
Attach with Olly to explorer.exe, and set breaks. What I do when I need to test injections is either use SoftICE and int 3h in the code to break there, or I attach with Olly to the given process before injection, and have int 3h set up all over my code.

Also, if you are using Windows hooks, then the best way to inspect what's going on (as I assume you inject it everywhere) is to make something like this:

Code:

#include <windows.h>
#include <psapi.h>   /* GetModuleBaseName; link with psapi.lib */
#include <string.h>  /* _stricmp */

char szProcessName[MAX_PATH];
GetModuleBaseName(GetCurrentProcess(), GetModuleHandle(0), szProcessName, sizeof(szProcessName));
if (!_stricmp(szProcessName, "explorer.exe")) {
__debugbreak(); /* int 3 fires only when the DLL runs inside explorer.exe */
}


so this code will execute int 3h only when it's executed inside explorer.exe. Hope this helps.

blabberer
September 4th, 2011, 06:07
hardcore

Code:

kd> .sxcmds
sxe ld ;
kd> bl

kd> g
ModLoad: 00f50000 00f57000 C:\Documents and Settings\Admin\Desktop\Keylogger\hooker.dll

eax=00000003 ebx=00000000 ecx=00f5500c edx=f0f50000 esi=00193738 edi=00000000
eip=7c90e4f4 esp=00e0f710 ebp=00e0f804 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret

0:001> !dh -f 00f50000

!dh -f 00f50000

File Type: DLL
FILE HEADER VALUES
14C machine (i386)
4 number of sections
4E60BAC3 time date stamp Fri Sep 02 16:45:15 2011

0 file pointer to symbol table
0 number of symbols
E0 size of optional header
210E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
DLL

OPTIONAL HEADER VALUES
10B magic #
6.00 linker version
3000 size of code
3000 size of initialized data
0 size of uninitialized data
1149 address of entry point
1000 base of code
----- new -----
10000000 image base
1000 section alignment
1000 file alignment
2 subsystem (Windows GUI)
4.00 operating system version
0.00 image version
4.00 subsystem version
7000 size of image
1000 size of headers
0 checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
0 DLL characteristics
4830 [ 4A] address [size] of Export Directory
441C [ 28] address [size] of Import Directory
0 [ 0] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
6000 [ 3B0] address [size] of Base Relocation Directory
0 [ 0] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
0 [ 0] address [size] of Load Configuration Directory
0 [ 0] address [size] of Bound Import Directory
4000 [ BC] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory

0:001> lm m hook*
lm m hook*
start end module name
00f50000 00f57000 hooker (deferred)

0:001> s -[la]sa 00f50000 L?(00f57000-00f50000)
s -[la]sa 00f50000 L?(00f57000-00f50000)


cutoff

00f54862 "WGHooker.dll"
00f5486f "GetMsgProc"
00f55030 "c:\test.txt"
00f56008 ""0(070K0R0"
cutoff



uf 00f50000+1149
hooker!GetMsgProc+0x149:
00f51149 55 push ebp
00f5114a 8bec mov ebp,esp
00f5114c 53 push ebx
00f5114d 8b5d08 mov ebx,dword ptr [ebp+8]
00f51150 56 push esi
00f51151 8b750c mov esi,dword ptr [ebp+0Ch]
00f51154 57 push edi
00f51155 8b7d10 mov edi,dword ptr [ebp+10h]
00f51158 85f6 test esi,esi
00f5115a 7509 jne hooker!GetMsgProc+0x165 (00f51165)

hooker!GetMsgProc+0x15c:
00f5115c 833d7053f50000 cmp dword ptr [hooker!GetMsgProc+0x4370 (00f55370)],0
00f51163 eb26 jmp hooker!GetMsgProc+0x18b (00f5118b)

hooker!GetMsgProc+0x165:
00f51165 83fe01 cmp esi,1
00f51168 7405 je hooker!GetMsgProc+0x16f (00f5116f)

hooker!GetMsgProc+0x16a:
00f5116a 83fe02 cmp esi,2
00f5116d 7522 jne hooker!GetMsgProc+0x191 (00f51191)

hooker!GetMsgProc+0x16f:
00f5116f a1fc58f500 mov eax,dword ptr [hooker!GetMsgProc+0x48fc (00f558fc)]
00f51174 85c0 test eax,eax
00f51176 7409 je hooker!GetMsgProc+0x181 (00f51181)

hooker!GetMsgProc+0x178:
00f51178 57 push edi
00f51179 56 push esi
00f5117a 53 push ebx
00f5117b ffd0 call eax
00f5117d 85c0 test eax,eax
00f5117f 740c je hooker!GetMsgProc+0x18d (00f5118d)

hooker!GetMsgProc+0x181:
00f51181 57 push edi
00f51182 56 push esi
00f51183 53 push ebx
00f51184 e8e7feffff call hooker!GetMsgProc+0x70 (00f51070)
00f51189 85c0 test eax,eax

hooker!GetMsgProc+0x18b:
00f5118b 7504 jne hooker!GetMsgProc+0x191 (00f51191)

hooker!GetMsgProc+0x18d:
00f5118d 33c0 xor eax,eax
00f5118f eb4e jmp hooker!GetMsgProc+0x1df (00f511df)

hooker!GetMsgProc+0x191:
00f51191 57 push edi
00f51192 56 push esi
00f51193 53 push ebx
00f51194 e8bc090000 call hooker!GetMsgProc+0xb55 (00f51b55)
00f51199 83fe01 cmp esi,1
00f5119c 89450c mov dword ptr [ebp+0Ch],eax
00f5119f 750c jne hooker!GetMsgProc+0x1ad (00f511ad)

hooker!GetMsgProc+0x1a1:
00f511a1 85c0 test eax,eax
00f511a3 7537 jne hooker!GetMsgProc+0x1dc (00f511dc)

hooker!GetMsgProc+0x1a5:
00f511a5 57 push edi
00f511a6 50 push eax
00f511a7 53 push ebx
00f511a8 e8c3feffff call hooker!GetMsgProc+0x70 (00f51070)

hooker!GetMsgProc+0x1ad:
00f511ad 85f6 test esi,esi
00f511af 7405 je hooker!GetMsgProc+0x1b6 (00f511b6)

hooker!GetMsgProc+0x1b1:
00f511b1 83fe03 cmp esi,3
00f511b4 7526 jne hooker!GetMsgProc+0x1dc (00f511dc)

hooker!GetMsgProc+0x1b6:
00f511b6 57 push edi
00f511b7 56 push esi
00f511b8 53 push ebx
00f511b9 e8b2feffff call hooker!GetMsgProc+0x70 (00f51070)
00f511be 85c0 test eax,eax
00f511c0 7503 jne hooker!GetMsgProc+0x1c5 (00f511c5)

hooker!GetMsgProc+0x1c2:
00f511c2 21450c and dword ptr [ebp+0Ch],eax

hooker!GetMsgProc+0x1c5:
00f511c5 837d0c00 cmp dword ptr [ebp+0Ch],0
00f511c9 7411 je hooker!GetMsgProc+0x1dc (00f511dc)

hooker!GetMsgProc+0x1cb:
00f511cb a1fc58f500 mov eax,dword ptr [hooker!GetMsgProc+0x48fc (00f558fc)]
00f511d0 85c0 test eax,eax
00f511d2 7408 je hooker!GetMsgProc+0x1dc (00f511dc)

hooker!GetMsgProc+0x1d4:
00f511d4 57 push edi
00f511d5 56 push esi
00f511d6 53 push ebx
00f511d7 ffd0 call eax
00f511d9 89450c mov dword ptr [ebp+0Ch],eax

hooker!GetMsgProc+0x1dc:
00f511dc 8b450c mov eax,dword ptr [ebp+0Ch]

hooker!GetMsgProc+0x1df:
00f511df 5f pop edi
00f511e0 5e pop esi
00f511e1 5b pop ebx
00f511e2 5d pop ebp
00f511e3 c20c00 ret 0Ch
0:001>
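The address blabberer disassembles, 00f50000+1149, is the actual load base reported by ModLoad/lm plus the AddressOfEntryPoint RVA shown by !dh. As an added example (not code from this thread), this Python script reads those two fields from a PE32 header and computes where to break once the module is mapped; the header bytes it parses are constructed inline from the values in the !dh output above.

```python
import struct

def pe_entry_info(data):
    """Return (ImageBase, AddressOfEntryPoint RVA) from raw PE32 header bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:                           # PE32 only, as in the thread
        raise ValueError("not a PE32 image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    return image_base, entry_rva

def entry_breakpoint(data, load_base):
    """Address to break on once the module is mapped at load_base.
    The loader relocated hooker.dll (preferred base 0x10000000, mapped at
    0x00f50000), so the RVA is added to the base from ModLoad/lm, never to
    the header's ImageBase."""
    _, entry_rva = pe_entry_info(data)
    return load_base + entry_rva

def build_header(image_base, entry_rva):
    """Constructed minimal PE32 header carrying the values from the !dh output."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> NT headers
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 4, 0x4E60BAC3, 0, 0, 0xE0, 0x210E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

# Constructed sample: image base 10000000, entry point 1149, as !dh reported.
SAMPLE = build_header(0x10000000, 0x1149)

if __name__ == "__main__":
    print(hex(entry_breakpoint(SAMPLE, 0x00F50000)))   # 0xf51149
```

Because hooker.dll ships no symbols, WinDbg labels every address relative to the nearest preceding export, which is why the entry point shows up as hooker!GetMsgProc+0x149 in the session above.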