DLLs & Processes

Oct 1, 2012 at 8:40am
Overview:
DLL attached to Main Process (MP) and External Process (EP)
MP tells DLL to write value 0x10 (example) to address 0x100 (example) of EP
MP tells DLL to read value from address 0x120 of EP

Basically I'd like to know how the communication would work and how the DLL would access the address space of the EP after being attached by the MP.

If you can give example code for me to learn from as well then I would be grateful.
Oct 8, 2012 at 2:36am
I don't have an example at hand, but this is how I would attempt it:

1. DLL is loaded in MP. I guess the DLL knows how to distinguish it from other processes. DLL can make an object available to this thread to control the thread in the external process.
2. DLL is loaded in EP. The DLL detects it is in the EP and starts a worker thread that waits on a named autoreset event.
3. MP obtains a reference to the controller object (may be a singleton) and calls one of its methods to instruct the (currently-sleeping) worker thread in EP to do a read or write. This method accepts all needed data.
4. Method of controller object acquires a synchronization object before setting data in a shared data segment and proceeds to write the specifics of the method to perform, then releases this sync object and signals the named event mentioned in #2.
5. Method of controller object waits for the worker thread to signal it has finished by means of another named autoreset event.
6. Method of controller object returns the result of the operation, if any, to the caller.
Oct 8, 2012 at 9:56am
Thanx, that however explains only the communication side of things; unfortunately it does not explain how to read / write to a specific address of the EP. I suppose I could use an unsigned char pointer with reinterpret_cast to read/write to variable addresses, but as far as I'm aware that would only affect the DLL's memory. If I were to use Read/WriteProcessMemory() then there would be no point in the DLL. But the reason I need the DLL is to deal with circumstances where access to the EP is not allowed for those functions. This is a general purpose hacking tool, so the EP is known only to the user and must be dealt with in whatever way is available and selected by the user.
Oct 8, 2012 at 2:16pm
As you say, it should work OK. DLLs share the address space with the process. Isolation is not per-module, it is per-process.
Oct 8, 2012 at 3:59pm
If I were to use the Read/WriteProcessMemory() then there would be no point in the DLL. But the reason I need the DLL is deal with circumstances where access to the EP is not allowed for those functions

There is no way that you can successfully inject a DLL in an elevated process if your process is not elevated.
Oct 8, 2012 at 10:44pm
Thanx, I planned for such a scenario too, but that wasn't 100% what I meant, e.g. the EP somehow detects the MP attaching itself and removes it immediately, or manages to re-direct the read/write actions.

Aside from that, the MP will use imported functions to communicate with the DLL, so will the pointer/cast stuff still work? I need to provide this functionality before I start on the rest of HackerEX 2. I've already decided on an upgraded codelist format that has no need of manual upgrade from the old format.
Last edited on Oct 9, 2012 at 10:00pm
Oct 9, 2012 at 10:00pm
I meant wasn't 100%
Oct 10, 2012 at 1:32am
Clearing define by you.... thanks...
Oct 10, 2012 at 9:51am
... not sure what to make of that reply but you're welcome?