Log in

View Full Version : How to set BP in Dll that was injected into explore.exe ?

p0lly
September 2nd, 2011, 06:49
hi

I just made a keylogger that use "Dll jection" into explore.exe

It is injected nicely like below... (dll that was injected into explore.exe is hooker.dll)

2479

I wanna set a BP on a address in hooker.dll but don't know how to...
if can set a BP with olly, it will be great.

attach my keylogger and waiting for your advice, thank you...
(execute keylogge.exe then hooker.dll will be injected...)
deroko
September 3rd, 2011, 09:44
Attach with Olly to explorer.exe, and set breaks What I do when I need to test injections is either use softice and int 3h in the code to break there, or I attach with olly to given process before injection, and have int 3h setup all over my code.

Also if you are using windows hooks then best way to inspect what's going on (as I assume you inject it everywhere) is to make something like this:

Code:


GetModuleBaseName(GetCurrentProcess(), GetModuleHandle(0), szProcessName, sizeof(szProcessName));

if (!_stricmp(szProcessName, "explorer.exe"){

         __debugbreak();

}


so this code will execute int 3h only when it's executed inside of explorer.exe. Hope this helps.
blabberer
September 4th, 2011, 06:07
hardcore

Code:


kd> .sxcmds

sxe ld ;

kd> bl



kd> g

ModLoad: 00f50000 00f57000   C:\Documents and Settings\Admin\Desktop\Keylogger\hooker.dll



eax=00000003 ebx=00000000 ecx=00f5500c edx=f0f50000 esi=00193738 edi=00000000

eip=7c90e4f4 esp=00e0f710 ebp=00e0f804 iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246



ntdll!KiFastSystemCallRet:

7c90e4f4 c3              ret



0:001> !dh -f 00f50000



!dh -f 00f50000



File Type: DLL

FILE HEADER VALUES

     14C machine (i386)

       4 number of sections

4E60BAC3 time date stamp Fri Sep 02 16:45:15 2011



       0 file pointer to symbol table

       0 number of symbols

      E0 size of optional header

    210E characteristics

            Executable

            Line numbers stripped

            Symbols stripped

            32 bit word machine

            DLL



OPTIONAL HEADER VALUES

     10B magic #

    6.00 linker version

    3000 size of code

    3000 size of initialized data

       0 size of uninitialized data

    1149 address of entry point

    1000 base of code

         ----- new -----

10000000 image base

    1000 section alignment

    1000 file alignment

       2 subsystem (Windows GUI)

    4.00 operating system version

    0.00 image version

    4.00 subsystem version

    7000 size of image

    1000 size of headers

       0 checksum

00100000 size of stack reserve

00001000 size of stack commit

00100000 size of heap reserve

00001000 size of heap commit

       0  DLL characteristics

    4830 [      4A] address [size] of Export Directory

    441C [      28] address [size] of Import Directory

       0 [       0] address [size] of Resource Directory

       0 [       0] address [size] of Exception Directory

       0 [       0] address [size] of Security Directory

    6000 [     3B0] address [size] of Base Relocation Directory

       0 [       0] address [size] of Debug Directory

       0 [       0] address [size] of Description Directory

       0 [       0] address [size] of Special Directory

       0 [       0] address [size] of Thread Storage Directory

       0 [       0] address [size] of Load Configuration Directory

       0 [       0] address [size] of Bound Import Directory

    4000 [      BC] address [size] of Import Address Table Directory

       0 [       0] address [size] of Delay Import Directory

       0 [       0] address [size] of COR20 Header Directory

       0 [       0] address [size] of Reserved Directory



0:001> lm m hook*

lm m hook*

start    end        module name

00f50000 00f57000   hooker     (deferred)             



0:001> s -[la]sa 00f50000 L?(00f57000-00f50000)

s -[la]sa 00f50000 L?(00f57000-00f50000)





cutoff 



00f54862  "WGHooker.dll"

00f5486f  "GetMsgProc"

00f55030  "c:\test.txt"

00f56008  ""0(070K0R0"

cutoff







uf 00f50000+1149

hooker!GetMsgProc+0x149:

00f51149 55              push    ebp

00f5114a 8bec            mov     ebp,esp

00f5114c 53              push    ebx

00f5114d 8b5d08          mov     ebx,dword ptr [ebp+8]

00f51150 56              push    esi

00f51151 8b750c          mov     esi,dword ptr [ebp+0Ch]

00f51154 57              push    edi

00f51155 8b7d10          mov     edi,dword ptr [ebp+10h]

00f51158 85f6            test    esi,esi

00f5115a 7509            jne     hooker!GetMsgProc+0x165 (00f51165)



hooker!GetMsgProc+0x15c:

00f5115c 833d7053f50000  cmp     dword ptr [hooker!GetMsgProc+0x4370 (00f55370)],0

00f51163 eb26            jmp     hooker!GetMsgProc+0x18b (00f5118b)



hooker!GetMsgProc+0x165:

00f51165 83fe01          cmp     esi,1

00f51168 7405            je      hooker!GetMsgProc+0x16f (00f5116f)



hooker!GetMsgProc+0x16a:

00f5116a 83fe02          cmp     esi,2

00f5116d 7522            jne     hooker!GetMsgProc+0x191 (00f51191)



hooker!GetMsgProc+0x16f:

00f5116f a1fc58f500      mov     eax,dword ptr [hooker!GetMsgProc+0x48fc (00f558fc)]

00f51174 85c0            test    eax,eax

00f51176 7409            je      hooker!GetMsgProc+0x181 (00f51181)



hooker!GetMsgProc+0x178:

00f51178 57              push    edi

00f51179 56              push    esi

00f5117a 53              push    ebx

00f5117b ffd0            call    eax

00f5117d 85c0            test    eax,eax

00f5117f 740c            je      hooker!GetMsgProc+0x18d (00f5118d)



hooker!GetMsgProc+0x181:

00f51181 57              push    edi

00f51182 56              push    esi

00f51183 53              push    ebx

00f51184 e8e7feffff      call    hooker!GetMsgProc+0x70 (00f51070)

00f51189 85c0            test    eax,eax



hooker!GetMsgProc+0x18b:

00f5118b 7504            jne     hooker!GetMsgProc+0x191 (00f51191)



hooker!GetMsgProc+0x18d:

00f5118d 33c0            xor     eax,eax

00f5118f eb4e            jmp     hooker!GetMsgProc+0x1df (00f511df)



hooker!GetMsgProc+0x191:

00f51191 57              push    edi

00f51192 56              push    esi

00f51193 53              push    ebx

00f51194 e8bc090000      call    hooker!GetMsgProc+0xb55 (00f51b55)

00f51199 83fe01          cmp     esi,1

00f5119c 89450c          mov     dword ptr [ebp+0Ch],eax

00f5119f 750c            jne     hooker!GetMsgProc+0x1ad (00f511ad)



hooker!GetMsgProc+0x1a1:

00f511a1 85c0            test    eax,eax

00f511a3 7537            jne     hooker!GetMsgProc+0x1dc (00f511dc)



hooker!GetMsgProc+0x1a5:

00f511a5 57              push    edi

00f511a6 50              push    eax

00f511a7 53              push    ebx

00f511a8 e8c3feffff      call    hooker!GetMsgProc+0x70 (00f51070)



hooker!GetMsgProc+0x1ad:

00f511ad 85f6            test    esi,esi

00f511af 7405            je      hooker!GetMsgProc+0x1b6 (00f511b6)



hooker!GetMsgProc+0x1b1:

00f511b1 83fe03          cmp     esi,3

00f511b4 7526            jne     hooker!GetMsgProc+0x1dc (00f511dc)



hooker!GetMsgProc+0x1b6:

00f511b6 57              push    edi

00f511b7 56              push    esi

00f511b8 53              push    ebx

00f511b9 e8b2feffff      call    hooker!GetMsgProc+0x70 (00f51070)

00f511be 85c0            test    eax,eax

00f511c0 7503            jne     hooker!GetMsgProc+0x1c5 (00f511c5)



hooker!GetMsgProc+0x1c2:

00f511c2 21450c          and     dword ptr [ebp+0Ch],eax



hooker!GetMsgProc+0x1c5:

00f511c5 837d0c00        cmp     dword ptr [ebp+0Ch],0

00f511c9 7411            je      hooker!GetMsgProc+0x1dc (00f511dc)



hooker!GetMsgProc+0x1cb:

00f511cb a1fc58f500      mov     eax,dword ptr [hooker!GetMsgProc+0x48fc (00f558fc)]

00f511d0 85c0            test    eax,eax

00f511d2 7408            je      hooker!GetMsgProc+0x1dc (00f511dc)



hooker!GetMsgProc+0x1d4:

00f511d4 57              push    edi

00f511d5 56              push    esi

00f511d6 53              push    ebx

00f511d7 ffd0            call    eax

00f511d9 89450c          mov     dword ptr [ebp+0Ch],eax



hooker!GetMsgProc+0x1dc:

00f511dc 8b450c          mov     eax,dword ptr [ebp+0Ch]



hooker!GetMsgProc+0x1df:

00f511df 5f              pop     edi

00f511e0 5e              pop     esi

00f511e1 5b              pop     ebx

00f511e2 5d              pop     ebp

00f511e3 c20c00          ret     0Ch

0:001>