A Method for hiding DLL injection, DLL relocation

Address: http://lwglucky.blog.51cto.com/1228348/282331

 

From a foreigner's war3 plug-in, haha, that is, wutil has to PF, actually can display the magic value as the blood bar, in fact, this desire was previously thought about, but I really don't know how to implement it. I don't know if war3 has this function, or the foreigner actually implemented it in Bt. This is a post, and it is being studied ~~~ After analyzing MH. pdll, we found that it is implemented by injecting DLL, because some functions must be completed in DLL. Unlike the previous full graph, it is just a small patch of game. dll. I found that the injected DLL module cannot be found after running war3 (for example, processexplorer cannot be found). Does he use the same trick as my LPK. dll? Also, the LPK. dll hiding technology is based on peb. After careful analysis of MH. pdll, it is found that the idea of its injection is still special. Although it is also based on the remote thread. Generally, DLL injection in the remote thread writes the dll path to the target process, and loadliberarya/W is used as the thread start address in createremotethread. Because the standard loadliberarya/W is used to load the DLL, the DLL will be found in the target process using processexplorer. Wutil's trick is: the loader itself will load MH. pdll, so IAT in MH. pdll has been built. This is hard to say, that is, all the system APIs that need to be used get the meaning. The second is relocation. In the target process virtualallocex, a memory space of the same size as the local DLL is obtained, and its memory start address is. In this process, virtualalloc also has a space of the same size as the local DLL, B. Relocate the memory allocated by this process. Note that the base address is calculated based on a, and the difference is the difference between the base address of the local DLL and the base address of. Of course, you need to read the relocation table, that is, the. reloc section in DlLL. For the relevant structure, refer to some materials. I have not checked it here, but it is not difficult to directly post the analysis in Ida.

Dwxxx = V10-V6; // difference value
Do
{
Pblockrva = * (_ DWORD *) pcurreloc;
Dwblocksize = * (_ DWORD *) (pcurreloc + 4 );
Dwcursize = 8;
Pcurreloc + = 8;
If (dwblocksize> 8)
{
Do
{
Itemrva = * (_ word *) pcurreloc;
Pcurreloc + = 2;
Dwcursize + = 2;
If (itemrva> 12)
{
If (itemrva> 12! = 3)
Return 4;
* (_ DWORD *) (char *) modbase + pblockrva + (itemrva & 0 xfff) + = dwxxx;
}
}
While (dwcursize <dwblocksize );
}
}
While (dwblocksize); finally, put all B writeprocessmemory to the target process and then createremotethread to call a function address to pull it. Generally, when createremotethread is used up, you can set the handle of the remote thread under wait. After the function is called, the memory will be released immediately and no trace will be left. Finally, the DLL export interface function needs to determine its own address. I don't know if it is possible to use some soft anti-remote thread DLL injection. Ah, the expression ability is too poor, probably only you can understand. The main point is to simulate the loadliberary of the system. However, since the DLL has been loaded in the loader, you do not need to consider the IAT part. You only need to solve the relocation problem.