A forum for reverse engineering, OS internals and malware analysis 

#32651 by j4ck
Wed Mar 06, 2019 4:17 am
I am implementing DLL hollowing code by modifying Stephen Fewer's reflective DLL injection. First, it loads a system library using LoadLibraryA. Then it sets RWX permissions, and overwrites that DLL with the new DLL payload. Originally, it uses VirtualAlloc to allocate memory to write the DLL payload to.

The full DLL fits in the first page of the hollowed DLL with RWX permissions. I have dumped the memory of both the hollowing code, and it is correctly mapped in memory. It correctly enters the entry point, but fails before running the code in DllMain. It enters an infinite loop.

DLL hollowing code:

// Name of the system DLL to hollow, built as a char array rather than a string literal (ReflectiveLoader style)
char lib[] = { 'd','p','x','.', 'd', 'l', 'l', 0 };
// Load the victim DLL; its image base is reused as the destination for the payload image
uiBaseAddress = (ULONG_PTR)pLoadLibraryA((LPCSTR)lib);
// Make the whole region RWX so the payload headers and sections can be copied over the victim image.
// Note: the size comes from the payload's NT headers (uiHeaderValue), not from the loaded DLL,
// and the return value of VirtualProtect is not checked.
pVirtualProtect((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, PAGE_EXECUTE_READWRITE, &prot);
Original reflective DLL injection code:

// Original: reserve and commit fresh RWX memory of the payload's SizeOfImage
uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
Rest of the code is the same as https://github.com/stephenfewer/Reflect ... veLoader.c

As you can see, the only difference is that it's writing to a pre-existing DLL location, rather than newly allocated space. So it's confusing why it's not working. Perhaps there is something with the PEB or something? Maybe it's something with LoadLibrary?