Hacking : Remote Threads injection in Windows Vista
Recently astalavista.com present the Win Vista DLL Injection where they showed remote threads injection in Windows Vista.Some snip is simply introduced as
An insight on how to inject a dynamic library (DLL) into a 32 bit process in Windows Vista with the use of Remote Threads and taking into consideration the Address Space Layout Randomization (ASLR). The sample code used is written in assembly language (MASM32) using the WinAsm IDE. It should give you a better understanding on how dynamic libraries can be injected.
You need various tools to perform this hack on windows Vista.So before going further download HiEditor and WinAsm Studio IDE.
Some of the insights of the hack is described as follows :
Why Remote Thread?
The idea behind using a remote thread to inject a dynamic library is to create a new thread in a remote process that calls the LoadLibrary API and load our DLL inside the address space of that remote thread. The problem with directly parsing the LoadLibrary offset to CreateRemoteThread is that it resolves to the address in your process import table which unfortunately is not the same as the remote process import table. To overcome this problem we need to find the offset of LoadLibrary inside the address space layout of our process.
ASLR and LoadLibrary
Since at each reboot (or two) the address of kernel32.dll (which contains the LoadLibrary procedure) might change we use GetModuleHandle to retrieve the address of LoadLibraryA which will be the same in the remote thread address space.
How to parse an argument to LoadLibrary
The DLL’s pathname cannot be addressed to since it does not reside within the remote process address space. We therefore have to call VirtualAllocEx to allocate memory in the remote process and therefore patch the pathname of the DLL we intent to inject. We can do that by using WriteProcessMemory API.
Download the pdf file