pasha
June 5th, 2003, 11:17
greetz all
Well, I was trying a normal approach to injecting a DLL into an active process's address space under Windows 98SE. I was able to whip up code to do that, and it worked fine for most processes that were already executing.
My approach is to enumerate all the threads of the target process and then open one of those threads using OpenProcess (of course I patched it to be able to open threads as well).
Then I suspend the thread, set its context to point to a small routine on that thread's stack that calls LoadLibrary and then jumps back to the thread's original EIP by restoring all the register values.
Then I issue a ResumeThread call; it loads the DLL and then goes back to the EIP where that thread was before.
However, I came across this problem: some processes, like services, are idling in the kernel waiting for an event. For such processes, my load routine is called only after the system call returns from the kernel to user mode.
I was wondering whether there would be a way to load my DLL immediately into the process instead of waiting for it to return from the kernel call. Then I looked into elicz's ELIRt library, and he is able to do it!!!! Kudos elicz. However, he messes around with some undocumented kernel32 ordinals which I am not sure about.
I tried the approach of QueueUserAPC, which adds a callback to the idling thread's APC queue, but that only works if the thread entered its idling call specifying TRUE for the alertable state.
I would like to know if anyone has experimented with elicz's method, or any other method to resolve this issue.
Thanking you and awaiting a reply,
best regards
pasha