Cheat Engine

Stylo · Posted: Sun Nov 17, 2013 4:45 am Post subject: A wierd dll injection thechnique

I recently encounter an injection method that i'v never seen..
i'll try to explain what i have figured from it
from a kernel mode driver it gets the entry of ntdll, allocates a buffer at 71b00000 and write the loading routine that uses LdrLoadDll there.
now i'm guessing it redirecting the entry of ntdll to it's loading routine?
I'm pretty confused here

I don't have any code to show here, but does any of you familiar with that kind of method?

Dark Byte · Posted: Sun Nov 17, 2013 5:40 am Post subject:

It probably gets the base of ntdll.dll to find the address of LdrLoadDll that the injected dll loader uses

Stylo · Posted: Sun Nov 17, 2013 5:49 am Post subject:

Well.. no
it has the address of LdrLoadDll already
and after it allocates memory for the loading routine it writes it (There's a call to ZwWriteVirtualMemory)
i believe it changes the the entry for ntdll so the loading routine will be called and then return it to it's original offset
does that make any sense?!? >_<

TsTg

Stylo · Posted: Sun Nov 17, 2013 7:04 am Post subject:

No no no..
the loading routine contain a call to LdrLoadDll within it.
the driver copies that loading routine to the virtual memory of the desired process.
it's really wierd

@edit:
it turns out i was right Smile

the driver overwrites the entry point offset field at the PE Header of ntdll
then when ntdll is initialized and the entry point is called, the hook is called where there's a call to the original entry point
and right after that a call to LdrLoadDll.
awesome and sick at the same level Very Happy