A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #5645  by lorddoskias
 Fri Mar 25, 2011 1:16 pm
For the past couple of days I've been trying to understand how a kernel-to-usermode APC is used if we want to inject a DLL. I've read the article from the guy from Agnitum on the RSDN web site, but since it is in Russian I was only able to understand the crude idea. I then went on the Game Deception forum and downloaded code which has a driver that does exactly this, and from what I saw the guy from Agnitum and the guy from GD do 2 similar (but not entirely identical) things. As far as I understood from the GD code:

What they do is allocate an MDL (physical memory pages) to store the APC routine to be executed, which would do the actual DLL loading. Then those pages are locked and are subsequently mapped into the user-space program via KeStackAttachProcess, and MmMapLockedPagesSpecifyCache is executed to map the location where the user-mode APC is located and the location of the DLL to be executed? (not sure about this), and then KeInitializeApc and KeInsertQueueApc are used to prepare the KAPC struct and queue it in the target thread. Of course the address of LdrLoadDll in the target process is obtained by the user-space components.


Now, on the other hand, the guy in the Russian article is doing something different, and because he has given just excerpts from the code I cannot fully follow his idea, but I think it goes something like:

Load a DLL in memory via ZwCreateSection, probably do a KeStackAttachProcess and execute ZwMapViewOfSection to map it in the address space of the target process (thread); he then acquires the address of LdrLoadLibrary, copies it into the memory of the target process and goes on to use the APC routines as described above?


Are my assumptions correct, and if not I'd be glad if someone could explain in a little more detail.

Another question: why are there so many functions which are probably identical - LdrLoadDll, LdrLoadLibrary?
And my final question (for now at least :D) - is there an IRC channel or some other way in which I can communicate in real time with members?
 #5658  by kmd
 Sat Mar 26, 2011 6:03 am
i think LdrLoadLibrary is a typo or synonym he used for LoadLibrary/LdrLoadDll. An idea is to map some shellcode into user mode & exec it on an existing thread. For this kind of APC injection you may refer to the TDL3 src code, look for the 'Inject' keyword. The tdl rootkit does so from the image notify callback.

http://www.kernelmode.info/forum/viewto ... 5518#p5518