[Mingw-w64-public] Help required about process and dll injection

2014-11-14 Thread Vincent Torri
Hello

My question is not related to mingw-w64 itself, I know, but I'm
desperately trying to find help. Kai told me that maybe some people
here could help me.

I'm trying to write some kind of debugger to find leaks in a program
by injecting a DLL in the process I want to debug [1]. I already have
code that injects a DLL in a child process (but not in its
dependencies, and that is the problem). I use the CreateRemoteThread
method. So I do basically:

1) CreateProcess of the process I want to debug, in suspend mode
2) I inject the DLL.

but it is not good because:

a) the state of the process is not in a good shape when it is in suspend mode
b) and at this stage, the DLLs of the dependencies are not even loaded,
and I need them.

so I've read here and there that a (and certainly the correct)
solution is to patch the entry point of the process with an infinite
loop. A rough description is here:
https://opcode0x90.wordpress.com/2011/01/15/injecting-dll-into-process-on-load/

but :

i) there is no detailed code (there are some non-detailed functions
and I'm not good enough to write them :-( )
ii) even if it works it's only for x86 (32 bits) and not x86_64 (the
CONTEXT structure has no Eip member on x86_64. Maybe using the Rip
member?)

So does someone know where I can find a detailed description for i) and
ii) (a piece of code would be the best :-p)?

thank you

Vincent Torri

[1] https://github.com/vtorri/examine (in very early stage, but
comments and remarks are welcome of course)

___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public


Re: [Mingw-w64-public] Help required about process and dll injection

2014-11-14 Thread lh_mouse
Possible solution:
0) Load the debuggee in suspended mode;
1) Calculate the address of its entry point (typically mainCRTStartup or 
WinMainCRTStartup) from its PE header, since its header should now have been 
loaded into RAM;
2) Overwrite the byte at that address with 0xCC (a.k.a. int3 instruction on 
both x86 and x64);
3) Resume the process and it should hit the breakpoint, after all 
statically-linked DLLs have been loaded successfully, before any static 
constructors are invoked;
4) Restore that byte;
5) Inject your DLL;
6) Resume the process as normal.

I haven't tested it, but it should work. Some debuggers (specifically, OllyDbg) 
have an option to decide where the first breakpoint should be set, at system 
breakpoint (before any DLLs are loaded), PE entry (the point mentioned above), or 
WinMain.

--
Best regards,
lh_mouse
2014-11-14

-
From: Vincent Torri vincent.to...@gmail.com
Sent: 2014-11-14 21:58
To: mingw-w64-public@lists.sourceforge.net
Cc:
Subject: [Mingw-w64-public] Help required about process and dll injection

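As an added example (not code from this thread or from the examine project), here is the portable part of lh_mouse's step 1: parsing the PE header that the loader mapped at the image base to find the entry point, and telling PE32 from PE32+, which is also what decides whether Eip or Rip is the CONTEXT member to touch in Vincent's x86_64 question. The field offsets are the documented PE layout; the header image built by `build_sample_header`, its entry RVA and the load base used below are constructed values, not taken from any real binary.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    int      is_pe32plus;    /* 0 = PE32 (x86: CONTEXT.Eip), 1 = PE32+ (x86_64: CONTEXT.Rip) */
    uint32_t entry_rva;      /* AddressOfEntryPoint, relative to wherever the image is loaded */
    uint64_t preferred_base; /* ImageBase from the header; with ASLR the real base may differ */
} pe_entry_info;
/* PE fields are little-endian; read/write them byte-wise so host byte order does not matter. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr(uint8_t *p, uint64_t v, int n) { for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse the DOS/NT headers as the loader mapped them (hdr, len bytes). 0 on success, -1 if malformed. */
int pe_find_entry(const uint8_t *hdr, size_t len, pe_entry_info *out)
{
    if (len < 0x40 || hdr[0] != 'M' || hdr[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(hdr + 0x3C);
    /* need "PE\0\0" (4) + COFF header (20) + optional header through ImageBase (32) */
    if (e_lfanew > len || len - e_lfanew < 24 + 32) return -1;
    const uint8_t *nt = hdr + e_lfanew, *opt = nt + 24;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    out->entry_rva = rd32(opt + 16);
    switch (rd16(opt)) {                              /* optional header Magic */
    case 0x10b: out->is_pe32plus = 0; out->preferred_base = rd32(opt + 28); return 0;
    case 0x20b: out->is_pe32plus = 1; out->preferred_base = rd64(opt + 24); return 0;
    default:    return -1;
    }
}

/* The byte to replace with 0xCC. Use the base the loader actually chose, not preferred_base.
 * When the int3 fires, Eip/Rip is this address + 1: restore the byte and set Eip/Rip back here. */
uint64_t pe_entry_va(const pe_entry_info *info, uint64_t actual_base) { return actual_base + info->entry_rva; }

/* Constructed minimal header image for testing (not a real executable). Returns bytes written, 0 if cap too small. */
size_t build_sample_header(int pe32plus, uint8_t *buf, size_t cap)
{
    const uint32_t e_lfanew = 0x80; size_t need = e_lfanew + 24 + 32;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z'; wr(buf + 0x3C, e_lfanew, 4);
    uint8_t *nt = buf + e_lfanew, *opt = nt + 24;
    memcpy(nt, "PE\0\0", 4);
    wr(opt, pe32plus ? 0x20b : 0x10b, 2);              /* Magic */
    wr(opt + 16, 0x12a0, 4);                            /* hypothetical mainCRTStartup RVA */
    if (pe32plus) wr(opt + 24, 0x140000000ULL, 8); else wr(opt + 28, 0x400000, 4);
    return need;
}
```

In the real debugger the header bytes come from ReadProcessMemory at the load base reported for the debuggee, and it is that base, not the header's preferred one, that goes into pe_entry_va.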


Re: [Mingw-w64-public] Help required about process and dll injection

2014-11-14 Thread Vincent Torri
Hey,

thanks for the answer. comments below

On Fri, Nov 14, 2014 at 3:35 PM, lh_mouse lh_mo...@126.com wrote:
> Possible solution:
> 0) Load the debuggee in suspended mode;
> 1) Calculate the address of its entry point (typically mainCRTStartup or
> WinMainCRTStartup) from its PE header, since its header should now have been
> loaded into RAM;

I guess that I call CreateFileMapping() like that:

CreateFileMapping(pi.hProcess, NULL, PAGE_READWRITE, 0, 0, NULL);

with pi the PROCESS_INFORMATION structure passed to CreateProcess()?

> 2) Overwrite the byte at that address with 0xCC (a.k.a. int3 instruction on
> both x86 and x64);
> 3) Resume the process and it should hit the breakpoint, after all
> statically-linked DLLs have been loaded successfully, before any static
> constructors are invoked;

shouldn't I have to wait a bit so that all the DLLs are loaded? It
might take some time to load them, no? That's what is done in the
link that I have posted.

> 4) Restore that byte;
> 5) Inject your DLL;
> 6) Resume the process as normal.
>
> I haven't tested it, but it should work. Some debuggers (specifically,
> OllyDbg) have an option to decide where the first breakpoint should be set,
> at system breakpoint (before any DLLs are loaded), PE entry (the point
> mentioned above), or WinMain.

Vincent Torri



Re: [Mingw-w64-public] Help required about process and dll injection

2014-11-14 Thread lh_mouse
Hmm, have a test yourself:
Since you are writing a debugger you can wait for the breakpoint. The system 
generates an exception with code EXCEPTION_BREAKPOINT and your debugger should 
handle it. Otherwise your program would be terminated.

--
Best regards,
lh_mouse
2014-11-14

-
From: Vincent Torri vincent.to...@gmail.com
Sent: 2014-11-14 23:49
To: mingw-w64-public@lists.sourceforge.net
Cc:
Subject: Re: [Mingw-w64-public] Help required about process and dll injection



Re: [Mingw-w64-public] Help required about process and dll injection

2014-11-14 Thread Mook
Hi! You had to go and have an interesting problem, so I wrote a crappy 
sample :p  https://gist.github.com/mook/33abbeb13b6bb511fc21 - Note that 
I didn't close the handles that I should (see the various 
WaitForDebugEvent-related documentation).

On 11/14/2014 07:49 AM, Vincent Torri wrote:
> Hey,
>
> thanks for the answer. comments below
>
> On Fri, Nov 14, 2014 at 3:35 PM, lh_mouse lh_mo...@126.com wrote:
>> Possible solution:
>> 0) Load the debuggee in suspended mode;
>> 1) Calculate the address of its entry point (typically mainCRTStartup or
>> WinMainCRTStartup) from its PE header, since its header should now have been
>> loaded into RAM;

If you're using debugging anyway, 
DEBUG_EVENT.u.CreateProcessInfo.lpStartAddress looks suspiciously like 
what the entry point would be anyway.  (In my tests - ran on Wine, not 
real Windows, because I don't have one of those handy anymore - it's 
_mainCRTStartup).  Of course, this solution won't work if somebody 
spawns their own children with DEBUG_PROCESS set for whatever reason.

>> 2) Overwrite the byte at that address with 0xCC (a.k.a. int3 instruction on
>> both x86 and x64);
>> 3) Resume the process and it should hit the breakpoint, after all
>> statically-linked DLLs have been loaded successfully, before any static
>> constructors are invoked;
>
> shouldn't I have to wait a bit so that all the DLLs are loaded? It
> might take some time to load them, no? That's what is done in the
> link that I have posted

No, since lh_mouse's solution traps the breakpoint instruction, you just 
wait until that breakpoint is hit. (Note that there's an additional 
breakpoint in the loader, you don't want that one - it's a bit early.) 
The solution you linked to patches it with an infinite loop, so it must 
poll for the loop to be hit.  The downside to breakpointing, of course, 
is that you must be the debugger in order to be able to catch that 
breakpoint.

>> 4) Restore that byte;
>> 5) Inject your DLL;
(I didn't implement that part, because I'm lazy.  Beware ASLR, etc.)

>> 6) Resume the process as normal.

If you feel like code-splunking, I believe ConEmu has an implementation 
of hooking descendant processes (to redirect console output).  I have no 
idea how easy that is to read, though; I've never tried.

-- 
Mook





Re: [Mingw-w64-public] Help required about process and dll injection

2014-11-14 Thread Vincent Torri
On Fri, Nov 14, 2014 at 4:49 PM, Vincent Torri vincent.to...@gmail.com wrote:
> Hey,
>
> thanks for the answer. comments below
>
> On Fri, Nov 14, 2014 at 3:35 PM, lh_mouse lh_mo...@126.com wrote:
>> Possible solution:
>> 0) Load the debuggee in suspended mode;
>> 1) Calculate the address of its entry point (typically mainCRTStartup or
>> WinMainCRTStartup) from its PE header, since its header should now have been
>> loaded into RAM;
>
> I guess that I call CreateFileMapping() like that:
>
> CreateFileMapping(pi.hProcess, NULL, PAGE_READWRITE, 0, 0, NULL);
>
> with pi the PROCESS_INFORMATION structure passed to CreateProcess()?

what about that part?

Vincent Torri



Re: [Mingw-w64-public] Help required about process and dll injection

2014-11-14 Thread Vincent Torri
On Fri, Nov 14, 2014 at 5:01 PM, lh_mouse lh_mo...@126.com wrote:
> Hmm, have a test yourself:
> Since you are writing a debugger you can wait for the breakpoint. The system
> generates an exception with code EXCEPTION_BREAKPOINT and your debugger
> should handle it. Otherwise your program would be terminated.

I'm currently writing something more like valgrind, actually. Not a
program like gdb. So I'm not sure I can call what I write a debugger
:)

Vincent Torri
