I am implementing DLL hollowing code by modifying Stephen Fewer's reflective DLL injection. First, it loads a system library using LoadLibraryA. Then it sets RWX permissions and overwrites that DLL with the new DLL payload. Originally, it uses VirtualAlloc to allocate memory to write the DLL payload to.
The full DLL fits in the first page of the hollowed DLL with RWX permissions. I have dumped the memory of both the hollowing code and it is correctly mapped in memory. It correctly enters the entry point, but fails before running the code in DllMain. It enters an infinite loop.
DLL hollowing code:
    /* name of the system DLL to load and hollow, built as a char array */
    char lib[] = { 'd','p','x','.', 'd', 'l', 'l', 0 };
    DWORD prot = 0;   /* receives the previous page protection */
    /* map the system DLL with LoadLibraryA and use its base as the target */
    uiBaseAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)lib);
    /* make the region covering the payload's SizeOfImage RWX */
    pVirtualProtect((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, PAGE_EXECUTE_READWRITE, &prot);

Original reflective DLL injection code:

    /* allocate a fresh RWX region of SizeOfImage bytes instead of reusing a loaded DLL */
    uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );

Rest of the code is the same as https://github.com/stephenfewer/Reflect ... veLoader.c
As you can see, the only difference is that it's writing to a preexisting DLL location rather than newly allocated space. So it's confusing why it's not working. Perhaps there is something with the PEB or something? Maybe it's something with LoadLibrary?