473,320 Members | 1,854 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

Managed EXE DLL Injection

Hi,

I am writing some kind of an encryptor for.NET assemblies, This require me:
A. To encrypt the IL code ( done successfully )
B. To enable transparent means of decrypting the IL code on run-time in a
way that the encrypted DLL will stay independent.

Concerning the latter issue, to achieve custom functionality upon EXE
startup I am trying to inject a DLL to an existing PE image, this is done by
adding an additional DLL import dependency to the existing PE ( e.g. editing
the already existing PE sections ), to achieve what was just described I am
reconstructing the IMPORT, IAT and RELOC tables: adding custom DLL import
dependency ( in addition to mscoree.dll )… BUT it doesn’t seem to work, the
loader produce STATUS_INVALID_IMAGE_FORMAT (0xC000007B) error, when
reconstructing the tables only with a dependency for ‘mscoree.dll‘ everything
works fine, at the minute I add an additional DLL, the loader fails… doing
some research I have stumbled upon peverify.exe of the sscli, assuming the
loader do the same verification done by ‘peverifier.exe’ I have tried the
following things:
I have used peverify.exe on my injected EXE ( with a debugger attached ) I
got the same results: ‘[IL]: Error: Unverifiable PE Header/native stub.’,
when breaking with the debugger I get to the following line:
Peverifier.cpp:
// There should be only one entry in this table.
if (IMAGE_IMPORT_DESC_FIELD(pID[1], Characteristics) != 0)
{
Log("IMAGE_IMPORT_DESCRIPTOR[1] should be NULL\n");
return FALSE;
}
Peverifier.exe ‘verifies’ that there is no more then one file dependency,
SOoo… adding an additional import dependency causes it to report error
preventing addition of functionality this way… there are some other ‘strange’
verifications such as:
// Check if mscoree.dll is the import dll name.
static const CHAR s_szDllName[] = "mscoree.dll";
…
if (CompareStringAtRVA(VAL32(pID[0].Name),
(CHAR*)s_szDllName,
LENGTH_OF_DLL_NAME) == FALSE)
{
…
}
The imported DLL can be no other then ‘mscoree.dll’…
And there is much more… code segment is mixed with the AIT table: share a
common address in the PE that is being used for execution as-well as for
relocation… and there is even more…

Anyhow I am really desperate, I need my encrypted EXE to be independent and
this require me to add some unmanaged functionality to the existing managed
PE… any advice remark or some insight on the process I have described would
be appreciated…

Thanks in advance,
Nadav,
http://www.ddevel.com
Nov 17 '05 #1
0 1217

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

11
by: Bã§TãRÐ | last post by:
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I...
8
by: stirrell | last post by:
Hello, One problem that I had been having is stopping email injections on contact forms. I did some research, read up on it and felt like I had created a working solution. I hadn't gotten any...
7
by: | last post by:
There are assorted "SQL Injection vulnerability assessment tools" out there. They scan your site and send your report. They also take your money. We don't have the money so I was wondering if I...
2
by: Sudhakar | last post by:
A) validating username in php as part of a registration form a user fills there desired username and this is stored in a mysql. there are certain conditions for the username. a) the username...
12
by: shank | last post by:
I've been hit again using DW, parameterized queries and stored procedures. I'm guessing I was not strict enough with character counts and allowing to long of a string to pass. Aside from that,...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
0
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.