Re: DLL Injection from kernel-land
- From: "Le Chaud Lapin" <unoriginal_username@xxxxxxxxx>
- Date: 1 Jun 2006 15:38:42 -0700
Arnaud VALLAT wrote:
> Hello,
> yep it works like a charm. But I would like to remove jumps. It's
> working like this:
> 1- program is waiting for event
> 2- driver receives notification and sets an event
> 3- program catches event and asks driver information about process
> 4- program injects DLL in process
> 5- DLL walks through PE and patches function addresses
> And I thought it would be better if all of this were done directly from
> the driver. You see ?
Do the same thing you're doing in user-mode:
1. in kernel, patch the system service table to intercept
CreateProcess.
2. record whether process was created suspended or not.
3. create the process suspended anyway.
4. inject new virtual memory into process
5. write in virtual memory some code that loads the DLL of interest
6. redefine entry point of your function of choice to call code to load
DLL (tricky)
7. Get rid of VM to keep process "clean"
Of course, PatchGuard will keep this from working.
Personally, I
.
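Whether the loader stub is written from a user-mode helper (the quoted message) or from the driver (the reply's steps 4 to 7), the target process ends up with the same user-mode artifacts: a committed MEM_PRIVATE region with execute permission holding the stub, and, once the entry point or import table has been patched, image memory whose protection no longer matches what the loader mapped. The following is an added example, not code from this thread or from either poster: a small Python scanner that walks a process with VirtualQueryEx (Windows only) and a classification heuristic that is exercised on constructed region records so it can be checked on any platform. The region layout and the specific addresses in SAMPLE_REGIONS are constructed for the demonstration; the Win32 constants are the SDK values.

```python
"""Flag memory regions consistent with the injection sequence in the thread.

Heuristic 1 catches steps 4-5 (private executable memory holding a loader
stub).  Heuristic 2 catches step 6 and the quoted message's IAT patching
(an image section left RWX).  Step 7 (freeing the stub's VM) is exactly why
heuristic 1 can miss after the fact, so both are applied.
Added example; not code from the mailing-list thread."""
import ctypes
import sys
from dataclasses import dataclass

# Win32 constants, values as defined in the Windows SDK headers.
MEM_COMMIT = 0x1000
MEM_FREE = 0x10000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


@dataclass
class Region:
    base: int
    size: int
    state: int
    protect: int
    mem_type: int


def classify(region):
    """Return a finding string for a suspicious region, or None."""
    if region.state != MEM_COMMIT:
        return None
    executable = bool(region.protect & EXECUTABLE_MASK)
    # Legitimate code lives in MEM_IMAGE regions backed by a file on disk;
    # VirtualAllocEx + WriteProcessMemory of a stub yields MEM_PRIVATE code.
    if region.mem_type == MEM_PRIVATE and executable:
        return "private executable memory"
    # The loader never maps a section RWX; a patched entry point or IAT does.
    if region.mem_type == MEM_IMAGE and region.protect == PAGE_EXECUTE_READWRITE:
        return "image section is writable and executable"
    return None


def scan(regions):
    """Return [(base, size, finding)] for every flagged region."""
    findings = []
    for r in regions:
        finding = classify(r)
        if finding:
            findings.append((r.base, r.size, finding))
    return findings


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Field order and alignment match the SDK layout on 32- and 64-bit builds.
    _fields_ = [("BaseAddress", ctypes.c_void_p),
                ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32),
                ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32),
                ("Protect", ctypes.c_uint32),
                ("Type", ctypes.c_uint32)]


def enumerate_regions(pid):
    """Walk a live process's address space with VirtualQueryEx (Windows only)."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx is only available on Windows")
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION),
                                   ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError()
    regions, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        while k32.VirtualQueryEx(handle, ctypes.c_void_p(addr),
                                 ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            regions.append(Region(base, mbi.RegionSize, mbi.State,
                                  mbi.Protect, mbi.Type))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return regions


# Constructed sample: a normal image, a heap, a free gap, and two injection artifacts.
SAMPLE_REGIONS = [
    Region(0x7FF600000000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),        # PE header
    Region(0x7FF600001000, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),   # .text
    Region(0x1A2B0000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE), # loader stub
    Region(0x1A2C0000, 0x10000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),        # heap
    Region(0x1A2D0000, 0x10000, MEM_FREE, PAGE_NOACCESS, 0),                     # unallocated
    Region(0x7FF700001000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_IMAGE),  # patched entry
]

if __name__ == "__main__":
    target = scan(enumerate_regions(int(sys.argv[1]))) if len(sys.argv) > 1 else scan(SAMPLE_REGIONS)
    for base, size, finding in target:
        print(f"{base:#018x} {size:#10x} {finding}")
```

Run with a PID on Windows to scan a live process, or with no arguments to run the heuristic over the constructed sample. A region freed in step 7 disappears from the first heuristic, so on a live system the second check, and a comparison of each import-table entry against the exporting module's actual export address, are the durable signals.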