DLLs & Processes

Overview:
DLL attached to Main Process (MP) and External Process (EP)
MP tells DLL to write value 0x10 (example) to address 0x100 (example) of EP
MP tells DLL to read value from address 0x120 of EP

Basically I'd like to know how the communication would work and how the DLL would access the address space of the EP after being attached by the MP.

If you can give example code for me to learn from as well then I would be grateful.
I don't have an example at hand, but this is how I would attempt it:

1. DLL is loaded in MP. I guess the DLL knows how to distinguish it from other processes. DLL can make an object available to this thread to control the thread in the external process.
2. DLL is loaded in EP. The DLL detects it is in the EP and starts a worker thread that waits on a named auto-reset event.
3. MP obtains a reference to the controller object (may be a singleton) and calls one of its methods to instruct the (currently sleeping) worker thread in EP to do a read or write. This method accepts all needed data.
4. Method of controller object acquires a synchronization object before setting data in a shared data segment and proceeds to write the specifics of the method to perform, then releases this sync object and signals the named event mentioned in #2.
5. Method of controller object waits for the worker thread to signal it has finished by means of another named auto-reset event.
6. Method of controller object returns the result of the operation, if any, to the caller.
Thanks, that however explains only the communication side of things; unfortunately it does not explain how to read/write to a specific address of the EP. I suppose I could use an unsigned char pointer with reinterpret_cast to read/write to variable addresses, but as far as I'm aware that would only affect the DLL's memory. If I were to use Read/WriteProcessMemory() then there would be no point in the DLL. But the reason I need the DLL is to deal with circumstances where access to the EP is not allowed for those functions. This is a general-purpose hacking tool, so the EP is known only to the user and must be dealt with in whatever way is available and selected by the user.
As you say, it should work OK. DLLs share the address space with the process. Isolation is not per-module, it is per-process.
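As an added example (my own code, not from the thread or from HackerEX), the steps in the reply above and the point about shared address space, modelled in one portable C++ program: a controller fills a command block, signals a worker, waits for it to finish and reads the result back; the worker does the actual access through a plain byte pointer, which is exactly what the EP-side DLL would do, since the DLL lives in the EP's own address space. Assumptions: std::thread and two condition variables stand in for the DLL's worker thread, the two named auto-reset events (CreateEvent/SetEvent/WaitForSingleObject on Windows) and the shared data segment (#pragma data_seg); the names Command, Channel, perform, write_u32, read_u32 and round_trip are illustrative, and the "EP variable" is a constructed stand-in for the user's target address.

```cpp
// Added example, not code from the thread. Single-process model of the
// controller/worker scheme: the controller publishes a command, signals the
// worker, waits for completion and reads the result back. The worker touches
// memory through a byte pointer; inside an injected DLL that reaches the EP's
// memory, because a DLL shares its host process's address space.
//
// Assumptions (mine, not from the thread): std::thread plus two condition
// variables replace the DLL worker thread, the two named auto-reset events
// and the shared data segment. All names are illustrative.
#include <condition_variable>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <mutex>
#include <thread>

enum class Op : std::uint8_t { None, Read, Write, Quit };

// The "shared data segment": one request/response block.
struct Command {
    Op             op = Op::None;
    std::uintptr_t address = 0;      // target address inside the EP
    std::size_t    length = 0;       // bytes to move, 1..sizeof(data)
    std::uint8_t   data[8] = {};     // value to write, or the bytes read back
    bool           ok = false;       // set by the worker
};

// What the EP-side worker does with the address. Only sanity checks here; a
// Windows build should also confirm the range is mapped (VirtualQuery) before
// touching it, or a bad address from the code list will crash the EP.
bool perform(Command& c) {
    if (c.address == 0 || c.length == 0 || c.length > sizeof c.data) return false;
    auto* p = reinterpret_cast<volatile std::uint8_t*>(c.address);
    switch (c.op) {
    case Op::Write: for (std::size_t i = 0; i < c.length; ++i) p[i] = c.data[i]; return true;
    case Op::Read:  for (std::size_t i = 0; i < c.length; ++i) c.data[i] = p[i]; return true;
    default:        return false;
    }
}

// Controller/worker hand-off, i.e. steps 3 to 6 of the reply.
class Channel {
public:
    // MP side: publish the command, "SetEvent(request)", "WaitForSingleObject(done)".
    Command submit(const Command& cmd) {
        std::unique_lock<std::mutex> lk(m_);
        slot_ = cmd; pending_ = true; finished_ = false;
        request_.notify_one();
        done_.wait(lk, [this] { return finished_; });
        return slot_;
    }
    // EP side: the worker thread's loop, blocked until a request arrives.
    void serve() {
        for (;;) {
            std::unique_lock<std::mutex> lk(m_);
            request_.wait(lk, [this] { return pending_; });
            pending_ = false;
            if (slot_.op != Op::Quit) slot_.ok = perform(slot_);
            finished_ = true;
            done_.notify_one();
            if (slot_.op == Op::Quit) return;
        }
    }
private:
    std::mutex m_;
    std::condition_variable request_, done_;
    Command slot_;
    bool pending_ = false, finished_ = false;
};

bool write_u32(Channel& ch, std::uintptr_t addr, std::uint32_t v) {
    Command c; c.op = Op::Write; c.address = addr; c.length = sizeof v;
    std::memcpy(c.data, &v, sizeof v);
    return ch.submit(c).ok;
}

bool read_u32(Channel& ch, std::uintptr_t addr, std::uint32_t& out) {
    Command c; c.op = Op::Read; c.address = addr; c.length = sizeof out;
    Command r = ch.submit(c);
    if (r.ok) std::memcpy(&out, r.data, sizeof out);
    return r.ok;
}

// Write `value` to a variable standing in for "address 0x100 of the EP", then
// read it back through the same channel. Returns what the read observed.
std::uint32_t round_trip(std::uint32_t value) {
    std::uint32_t ep_variable = 0;                    // constructed target
    const auto addr = reinterpret_cast<std::uintptr_t>(&ep_variable);
    Channel ch;
    std::thread worker([&ch] { ch.serve(); });        // the DLL's worker thread
    std::uint32_t seen = 0;
    write_u32(ch, addr, value);
    read_u32(ch, addr, seen);
    Command quit; quit.op = Op::Quit; ch.submit(quit);
    worker.join();
    return seen;
}

int main() {
    std::printf("read back 0x%02X\n", round_trip(0x10));
    return 0;
}
```

In the real two-process layout the only change of substance is where the Command block lives and how the two sides wake each other: the struct goes in a section shared between the two copies of the DLL, and the two condition variables become two named events, with the EP copy of the DLL starting the serve() loop from DllMain. The pointer cast in perform() is unchanged, which is the answer to the question of whether it "only affects the DLL's memory": it affects whatever process the DLL is loaded into.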
If I were to use the Read/WriteProcessMemory() then there would be no point in the DLL. But the reason I need the DLL is to deal with circumstances where access to the EP is not allowed for those functions

There is no way that you can successfully inject a DLL in an elevated process if your process is not elevated.
Thanks, I planned for such a scenario too, but that wasn't 100% what I meant, e.g. the EP somehow detects the MP attaching itself and removes it immediately, or manages to re-direct the read/write actions.

Aside from that, the MP will use imported functions to communicate with the DLL, so will the pointer/cast stuff still work? I need to provide this functionality before I start on the rest of HackerEX 2. I've already decided on an upgraded codelist format that has no need of manual upgrade from the old format.
I meant wasn't 100%
Clearing define by you.... thanks...
... not sure what to make of that reply but you're welcome?