 |
 | InjectDll Loading Sequence |  |
|
wraithdu
| Joined: 29 Jun 2007 |
| Posts: 1410 |
|
|
|
 Posted: Sat Nov 14, 2009 4:31 pm |
|
 |
 |
|
|
I originally PM'd tzuk, but he thought it would make an interesting forum discussion, so here's our first two messages to be continued here:
| wraithdu wrote: |
| I'm curious when exactly InjectDll injects the DLL into the sandboxed process during its startup routine? I'm toying with the idea of moving my sbiextra.dll initialization (all the hooking code) out of DllMain into a thread that waits for DllMain to finish first, in an effort to better obey MS's directives on DllMain best practices. However I don't want to potentially risk 'security' by delaying this process if it really should be done in DllMain. This would of course depend on how you've designed the injection process. What do you think? |
| tzuk wrote: |
| wraithdu wrote: |
| I'm curious when exactly InjectDll injects the DLL into the sandboxed process during its startup routine? |
I did mention this question partially here:
http://www.sandboxie.com/index.php?InjectDll
To answer your question: The instruction at the entry point of the EXE is overwritten to jump to a procedure in SbieDll. That procedure calls InjectDll's. Actually just one InjectDll, at this time Wink. It then restores the original instruction and jumps back to the entry point.
The effect is that your DLL is called after all static DLLs have already initialized in the process.
| wraithdu wrote: |
| I'm toying with the idea of moving my sbiextra.dll initialization (all the hooking code) out of DllMain into a thread that waits for DllMain to finish first, in an effort to better obey MS's directives on DllMain best practices. |
I think the practices basically advise you not to invoke other functionality related to the DLL loader. If you're only concerned about hooking/replacing code, then I would say, don't worry about it.
| wraithdu wrote: |
| However I don't want to potentially risk 'security' by delaying this process if it really should be done in DllMain. This would of course depend on how you've designed the injection process. What do you think? |
I think you have a point, by delaying your hooks, you give more code a chance to execute before your hooks are in place.
There is also a chance the main thread terminating before your thread even starts. If you're looking to synchronize things, you have to take that into account.
I think it would be more fun to discuss these type of things in the forum and maybe get other people interested. For next time perhaps. |
|
|
|
 |
| | |
|
wraithdu
| Joined: 29 Jun 2007 |
| Posts: 1410 |
|
|
|
| Posted: Sat Nov 14, 2009 4:39 pm |
|
|
|
|
|
My two main concerns are that MS says do not call LoadLibrary from DllMain or call any functions not in kernel32. In order to hook everything that one might want too, it is possible that you'd have to load the DLL yourself if the process has not already loaded it (or may load it later at some point). That breaks rule number one. And I do other things during the initialization of my DLL that breaks rule number two. So I'm kinda stuck between following the rules and give the process another microsecond to run its code.
Regarding your comment about the main thread terminating, wouldn't that end the target process anyway? If not, it shouldn't impact the thread I've created to do initialization. It only waits for DllMain to return, then runs.
Perhaps there's a way around this, maybe an optional flag or function call that could make SbieDll wait to restore the process's entry point until the flag is set or the function is called. That way my initialization thread could run, then signal SbieDll that it's OK to continue. That should solve both problems, right?
|
|
|
|
| | |
|
tzuk
| Joined: 22 Jun 2004 |
| Posts: 15027 |
|
|
|
| Posted: Sat Nov 14, 2009 5:11 pm |
|
|
|
|
|
| wraithdu wrote: |
| My two main concerns are that MS says do not call LoadLibrary from DllMain or call any functions not in kernel32. In order to hook everything that one might want too, it is possible that you'd have to load the DLL yourself if the process has not already loaded it (or may load it later at some point). That breaks rule number one. And I do other things during the initialization of my DLL that breaks rule number two. So I'm kinda stuck between following the rules and give the process another microsecond to run its code. |
I see. How about hooking LoadLibrary? That's basically what I do in SbieDll. Maybe I can add an SbieDll_RegisterLoadLibraryHook for "third party DLLs" like what you're doing. That would be instead of the flag mechanism that you proposed later in your post.
| wraithdu wrote: |
| Regarding your comment about the main thread terminating, wouldn't that end the target process anyway? If not, it shouldn't impact the thread I've created to do initialization. It only waits for DllMain to return, then runs. |
No. It seems that way, because most main threads end up calling ExitProcess. But if the main thread calls ExitThread instead, the process goes on. (I'm only pretty sure about this, not absolutey sure.) So your thread should also wait on the thread object that created it. |
|
_________________
tzuk
|
|
| | |
|
tzuk
| Joined: 22 Jun 2004 |
| Posts: 15027 |
|
|
|
| Posted: Sat Nov 14, 2009 5:12 pm |
|
|
|
|
|
| wraithdu wrote: |
| My two main concerns are that MS says do not call LoadLibrary from DllMain or call any functions not in kernel32. In order to hook everything that one might want too, it is possible that you'd have to load the DLL yourself if the process has not already loaded it (or may load it later at some point). That breaks rule number one. And I do other things during the initialization of my DLL that breaks rule number two. So I'm kinda stuck between following the rules and give the process another microsecond to run its code. |
I see. How about hooking LoadLibrary? That's basically what I do in SbieDll. Maybe I can add an SbieDll_RegisterLoadLibraryHook for "third party DLLs" like what you're doing. That would be instead of the flag mechanism that you proposed later in your post.
| wraithdu wrote: |
| Regarding your comment about the main thread terminating, wouldn't that end the target process anyway? If not, it shouldn't impact the thread I've created to do initialization. It only waits for DllMain to return, then runs. |
No. It seems that way, because most main threads end up calling ExitProcess. But if the main thread calls ExitThread instead, the process goes on. (I'm only pretty sure about this, not absolutey sure.) So your thread should also wait on the thread object that created it. |
|
|
|
| | |
|
| | |
|
tzuk
| Joined: 22 Jun 2004 |
| Posts: 15027 |
|
|
|
| Posted: Sat Nov 14, 2009 8:53 pm |
|
|
|
|
|
| tzuk wrote: |
| How about hooking LoadLibrary? That's basically what I do in SbieDll. |
| Mark_ wrote: |
i would rather hook LdrLoadDll  |
Right, which is basically the same thing. If you catch my drift. |
|
|
|
wraithdu
| Joined: 29 Jun 2007 |
| Posts: 1410 |
|
|
|
| Posted: Sun Nov 15, 2009 11:38 pm |
|
|
|
|
|
How would SbieDll_RegisterLoadLibraryHook work and what would it accomplish? I'm missing where you're trying to go with that... Somehow make it 'OK' to use LoadLibrary in DllMain and hook functions from those libraries?
|
|
|
|
Mark_
| Joined: 31 Dec 2008 |
| Posts: 108 |
|
|
|
| Posted: Mon Nov 16, 2009 12:47 am |
|
|
|
|
|
| tzuk wrote: |
| Right, which is basically the same thing. If you catch my drift. |
basically, but not exactly....
loadlib hooks can be circumvented by calling ldrloaddll
@wraithdu:
i assume it allows you to register a callback, that is fired whenever a dll is loaded or about to be loaded |
|
|
|
tzuk
| Joined: 22 Jun 2004 |
| Posts: 15027 |
|
|
|
| Posted: Mon Nov 16, 2009 9:34 am |
|
|
|
|
|
Well, Mark_, it appears you did not catch my drift.
| Mark_ wrote: |
| i assume it allows you to register a callback, that is fired whenever a dll is loaded or about to be loaded |
That's what I meant. A mechanism in SbieDll, which calls some procedure in your DLL, whenever any new DLL has been loaded. That should be useful to you wraithdu, what do you think? |
|
|
|
| | |
|
wraithdu
| Joined: 29 Jun 2007 |
| Posts: 1410 |
|
|
|
| Posted: Mon Nov 16, 2009 3:08 pm |
|
|
|
|
|
| tzuk wrote: |
| That's what I meant. A mechanism in SbieDll, which calls some procedure in your DLL, whenever any new DLL has been loaded. That should be useful to you wraithdu, what do you think? |
Well...I'm sure it would be useful, but I'm not sure it solves all the potential problems. If it's not too difficult to implement, it would open up interesting possibilities, so it would be worth pursuing.
Sticking with the callback idea, I think it would be MUCH more useful (for my intentions anyway) to be able to register a callback procedure with SbieDll that would be called AFTER DllMain returns, but BEFORE SbieDll returns control back to the process entry point. This would lift the DllMain restrictions and maintain 'security' since we'd still be doing the hooking before the target process code gets to run. How's that sound? |
|
|
|
| | |
|
Mark_
| Joined: 31 Dec 2008 |
| Posts: 108 |
|
|
|
| Posted: Mon Nov 16, 2009 10:49 pm |
|
|
|
|
|
| wraithdu wrote: |
Well...I'm sure it would be useful, but I'm not sure it solves all the potential problems. If it's not too difficult to implement, it would open up interesting possibilities, so it would be worth pursuing.
Sticking with the callback idea, I think it would be MUCH more useful (for my intentions anyway) to be able to register a callback procedure with SbieDll that would be called AFTER DllMain returns, but BEFORE SbieDll returns control back to the process entry point. This would lift the DllMain restrictions and maintain 'security' since we'd still be doing the hooking before the target process code gets to run. How's that sound? |
it would also open up a security hole, seeing as most things i have seen either spawn a thread in dllmain that hook stuff, or do it directly in dllmain... |
|
|
|
| | |
|
wraithdu
| Joined: 29 Jun 2007 |
| Posts: 1410 |
|
|
|
| Posted: Mon Nov 16, 2009 11:23 pm |
|
|
|
|
|
Care to elaborate? You're response is pretty vague to the topic at hand.
|
|
|
|
Buster
| Joined: 06 Aug 2007 |
| Posts: 2185 |
|
|
|
| Posted: Mon Nov 16, 2009 11:29 pm |
|
|
|
|
|
Mark_: Those things you talk about would circumvent wraithdu´s DLL but would not circumvent Sandboxie so talking about opening a security hole seems exagerated. Don´t you think so?
|
|
|
|
wraithdu
| Joined: 29 Jun 2007 |
| Posts: 1410 |
|
|
|
| Posted: Tue Nov 17, 2009 12:08 am |
|
|
|
|
|
Also it's worth noting that InjectDll is mostly used to control/modify legit programs. It's purpose is not to contain or sanitize bad software. As we have already said, InjectDll only provides user mode hooks, which are only good against software that is not looking for them.
|
|
|
|
Mark_
| Joined: 31 Dec 2008 |
| Posts: 108 |
|
|
|
| Posted: Tue Nov 17, 2009 4:43 am |
|
|
|
|
|
| wraithdu wrote: |
| Care to elaborate? You're response is pretty vague to the topic at hand. |
say i write a usermode rootkit,
the point where i would hook stuff is in dllmain, so when callback gets fired afterwards you missed the modifications.
@Buster: true, maybe a bit exagerated. |
|
|
You cannot post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
 Use the RSS feed to watch this topic for replies
|
|
|
|
| |
