We will now explore static code injection. For this purpose, we will manipulate the Windows game Mineswipper so that before it runs it displays a message saying “hi IAH geeks”
First, go to C:\WINDOWS\system32 and make a copy of winmine.exe into a file with a different name (for security purpose)
In order to manipulate winmine.exe, we will use OllyDbg, “a 32-bit assembler level analysing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.”
The first time you run OllyDbg you might get a message asking you whether you want to update on the library (.dll) files. Just say no
Click Open, and open winmine.exe. What you will get in OllyDbg is assembly code of winmine.exe
On the right part of the screen you will see the Register values. The EIP register is a pointer to the next command that will execute. In this case it should store the Module Entry Point
The memory space of winmine.exe contains a lot of useful information, but it also contains areas with no useful information whatsoever. These areas are full of noop operations (\x00’s). These areas could be modified to add code without corrupting winmine.exe.
In OllyDbg, on the left upper window (right below the menu), scroll down until you find a big group of noops put together where you have enough space to add your code. The place you find is called a ‘cave’
Now in the ‘cave’ we found we will add a Message Box call.
The function call is:
MsgBoxA(0,”hi IAH geeks”,”hi IAH geeks”,0)
So this is the ASM code for doing that:
Push 0
Push “hi IAH geeks”
Push “hi IAH geeks”
Push 0
Call User32.MessageBoxA
In Machine Code we go to an even lower level…we must allocate space for the “hi IAH geeks” string and then push the address of this allocated memory by doing a Push
We will now add the code. Highlight a bunch (about 20) of NOOPs from the cave. Right click and select Binary->Edit. Now on the Ascii field simply type in “hi IAH geeks”
You will now get some garbage on OllyDbg. Do not worry. Olly needs to reanalyze this code. Press CTRL + A to analyze the code. After this, you should see “hi IAH geeks” in some address.
Now below the address where you added your string, double click on one of the “DB 00” fields. You will get an Assemble at window.
Type in:
push 0
and press Assembler. A new Assemble at will appear. Now type in:
push MYADDRESS
where MYADDRESS is the address where your string is located. In the next address you should type:
push MYADDRESS
again (because you are pushing the same string 2 times, once for the header of the box once for the message in the box). On the next address we type in:
push 0
again. Finally we have to call the actual function call, so on the next address type:
call user32.MessageBoxA
Now press the ‘*’ key in your numpad, this will take you to the top of the window (the origin). Select the first 6 instructions, highlight them and then press CTRL + C (for backup). Paste this code into notepad.
Now we will overwrite some code. Double click on the Origin instruction and type in:
JMP CODEADDRESS
where CODEADDRESS is the address where your code starts ???
You will notice that more than one line got edited. The edited lines will be in red. Compare the first few lines with your copy in Notepad and delete the lines that are duplicated from Notepad. The lines that are not duplicated we will need to add again somewhere.
It is important to keep this address because what the program will do is read the EIP register. This points to the line where we added the JMP. The JMP will redirect the PC to the new code. The new code will execute, and then we want to jump back to the address you just wrote down so that normal execution continues as if nothing had happened. However, before we return to normal execution, we have to add the code that we overwrote. So we add this at the end of our code before we jump back to the beginning of the code.
Go to back to the origin. Highlight the origin instruction, and right click with your mouse. Then press Follow. This will take you to the address to which the origin jumps. If you have done everything correctly so far, this should take you to the beginning of your code (The first push 0).
Now we need to add the code that was overwritten (which we copied in notepad,). Add the remaining instructions from notepad at the end (immediately after the Call MessageBoxcommand).
Note: If it says something like ‘PUSH winmine.1234567' in notepad, just type in ‘push 1234567').
Now at the last line of the new code insert the command
JMP SECONDADDRESS
where SECONDADDRESS is the address of the second line, or the line after the origin
Now right click and go to Copy to executable -> All Modifications.
On the window that appears select:
Copy All
A new window will appear. Click yes to save modifications. Save as a different name.
Now press Run (the play button at the top of Olly). The Message Box should have appeared and then Winmine.
It is all how it works ,if u people also interested in dynamic dll injection then plz comment in this post
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment