ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Considerations Infecting 32bits Libraries For Windows ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ by Bumblebee/29a Introduction ÄÄÄÄÄÄÄÄÄÄÄÄ People thinks PE DLL files are the same than PE EXE files, but this is not 100% right. The format it's the same, but not the way the files works. I've noticed that coding DLL infectors ;) This is a little article that shows you some tips you must take into account while infecting this kind of PE files. What is a DLL? ÄÄÄÄÄÄÄÄÄÄÄÄÄÄ In first place don't think DLL are only files with the DLL extension. In your system there are different extensions that hides DLLs: CPL, AX, ACM, ... Let me hack this little description of DLLs from the Win32 SDK: ' In Microsoft Windows, dynamic-link libraries (DLL) are modules that contain functions and data. A DLL is loaded at runtime by its calling modules (.EXE or DLL). When a DLL is loaded, it is mapped into the address space of the calling process. DLLs can define two kinds of functions: exported and internal. The exported functions can be called by other modules. Internal functions can only be called from within the DLL where they are defined. Although DLLs can export data, its data is usually only used by its functions. DLLs provide a way to modularize applications so that functionality can be updated and reused more easilly. They also help reduce memory overhead when several applications use the same functionality at the same time, because although each application gets its own copy of the data, they can share the code. ' This description gives us some points we must analize: . The DLL it's loaded in the address space of the calling process. . Several applications use the same funcionality at the same time. . They can share code. Considerations ÄÄÄÄÄÄÄÄÄÄÄÄÄÄ The first point we get from the description say us the DLL will be relocated very often. We must think this will happen EVER. So we cannot rely in jumps to DLLEP (host entry point) to return control to infected program. We need to relocate this address. Nice way to do it could be: lea esi,virusBegin+ebp sub esi,dword ptr [calculatedVirusBegin+ebp] add dword ptr [DLLEP+ebp],esi virusBegin -> where the virus starts to run calculatedVirusBegin -> EP calculated for the virus in the infection process. DLLEP -> old entry point Let's imagine we infect a DLL with image base 70000000h and the DLLEP 7000d000h (Entry Point+Image Base). We put our virus at the end of the last section and its RVA is 7001e000h. We patch the header and put the entry point 0001e000h. At this point we save our calculated EP and the old DLLEP (7001e000h and 7000d000h). Later when this DLL is executed our virus does it's work and need to return to the original code. But we cannot rely the DLL it's loaded at 70000000h so we cannot jump to 7000d000h (old EP). Now the previous code rules. You get your current EP by the way of the delta offset (into ebp in the example). Then you sub the supposed virus EP (7001e000h) and then you get the displacement of the DLLEP. This is simple and could be done in several ways. But this first point gives us more things to think in. The DLL uses some things from the caller environment: . The work directory: useful to find new files to infect. . The heap and the stack: this is a great problem 'cause you NEED to be very careful with the use of the stack. The heap is not a problem, but the stack could be a nightmare. Suppose a process loads 5 DLL and all are infected. If the virus uses 100h bytes of stack... 500h bytes are used by the process. You must be as light as possible with stack while infecting DLLs. Now let's go into second point. The fact that several applications can use the same DLL requires the DLL has a way to manage that work. The DLLEP has the following spezial structure: BOOL WINAPI DllEntryPoint( HINSTANCE hinstDLL, DWORD fdwReason,LPVOID lpvReserved) HINSTANCE hinstDLL - This is a handle to the DLL. DWORD fdwReason - This is a flag that shows the DLL why DLLEP is called. This is a very important point. Indicates one of the following: . A process is attaching the DLL to it's address space. . The process is creating a new thread. . A thread is exiting cleanly. . A process is detaching the DLL. LPVOID lpvReserved - Indicates some parametres to DLL initialization and cleanup. As you can see fdwReason is very important and show us a very, very important point: the DLLEP could be (and it will be) called more than once. You must take this into account. Your virus will be called more than once and this could be very fucking in encrypted viruses. In non-enc viruses there is no problem in 1st instance. But... what happens if your decrypts twice? hehehe. We could rid of this problem patching the virus to return host if it called more than once or verifing the virus is decrypted to not do it again. Make yourself. At last we have they can share code. No problem. There is not anythin you cannot check in section properties. But experience gave me another points. It's possible a DLL has NO CODE! Imagine what happens if you infect a DLL that only has resurces ;) This is easy to check: just look code base is not equal to zero, as example. Last words ÄÄÄÄÄÄÄÄÄÄ I feel DLL infection very useful and not very complex if you care of some points. And now with this article you can ;) Most programs does all its work by DLLs and the main EXE file it's only for the GUI. So DLL infection with per-process residency it's a great choice. I hope you've found this article interesting. The way of the bee