Databases
StackOverflow2013
Postsdbo
POInjecting 64 Bit DLL using code cave
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POInjecting 64 Bit DLL using code cave
    text
    copied!<p>I'm trying to inject a 64 Bit DLL into 64 Bit Process (explorer for the matter).<br> I've tried using Remote-thread\Window Hooks techniques but some Anti-Viruses detects my loader as a false positive.<br> After reading this article : <a href="http://www.blizzhackers.cc/viewtopic.php?p=2483118" rel="nofollow">Dll Injection by Darawk</a>, I decided to use code caves.<br> It worked great for 32bit but because VS doesn't support inline assembly for 64 Bit I had to write the op-codes and operands explicitly.<br> I looked at this article : <a href="http://www.codeproject.com/Tips/211962/64-Bit-Injection-Cave" rel="nofollow">64Bit injection using code cave</a>, as the article states, there are some differences: </p> <blockquote> <p>There are several differences that had to be incorporated here:</p> <ol> <li>MASM64 uses fastcall, so the function's argument has to be passed in a register and not on the stack. </li> <li>The length of the addresses - 32 vs. 64 bit - must be taken into account. </li> <li>MASM64 has no instruction that pushes all registers on the stack (like pushad in 32bit) so this had to be done by pushing all the registers explicitly. </li> </ol> </blockquote> <p>I followed those guidelines and ran the article's example but none of what I did worked.<br> The target process just crashed at the moment I resumed the main thread and I don't know how to really look into it because ollydbg has no 64 bit support. </p> <p>This is how the code looks before I injected it: </p> <pre><code> codeToInject: 000000013FACD000 push 7741933Ah 000000013FACD005 pushfq 000000013FACD006 push rax 000000013FACD007 push rcx 000000013FACD008 push rdx 000000013FACD009 push rbx 000000013FACD00A push rbp 000000013FACD00B push rsi 000000013FACD00C push rdi 000000013FACD00D push r8 000000013FACD00F push r9 000000013FACD011 push r10 000000013FACD013 push r11 000000013FACD015 push r12 000000013FACD017 push r13 000000013FACD019 push r14 000000013FACD01B push r15 000000013FACD01D mov rcx,2CA0000h 000000013FACD027 mov rax,76E36F80h 000000013FACD031 call rax 000000013FACD033 pop r15 000000013FACD035 pop r14 000000013FACD037 pop r13 000000013FACD039 pop r12 000000013FACD03B pop r11 000000013FACD03D pop r10 000000013FACD03F pop r9 000000013FACD041 pop r8 000000013FACD043 pop rdi 000000013FACD044 pop rsi 000000013FACD045 pop rbp 000000013FACD046 pop rbx 000000013FACD047 pop rdx 000000013FACD048 pop rcx 000000013FACD049 pop rax 000000013FACD04A popfq 000000013FACD04B ret </code></pre> <p>Seems fine to me but I guess I'm missing something.<br> My complete code can be found here : <a href="http://pastebin.com/3xqdur1f" rel="nofollow">Source code</a></p> <p>Any ideas\suggestions\alternatives?</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload