
DllLoadPath

Showcasing two different techniques for changing DLL load order by using undocumented APIs. These are not novel techniques but I never saw them documented anywhere.

The proper signatures for RtlCreateUserProcess and RtlCreateProcessParameters are:

  NTSTATUS NTAPI RtlCreateUserProcess(
      IN PUNICODE_STRING                ImagePath,
      IN ULONG                          ObjectAttributes,
      IN OUT PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
      IN PSECURITY_DESCRIPTOR           ProcessSecurityDescriptor OPTIONAL,
      IN PSECURITY_DESCRIPTOR           ThreadSecurityDescriptor OPTIONAL,
      IN HANDLE                         ParentProcess,
      IN BOOLEAN                        InheritHandles,
      IN HANDLE                         DebugPort OPTIONAL,
      IN HANDLE                         ExceptionPort OPTIONAL,
      OUT PRTL_USER_PROCESS_INFORMATION ProcessInformation
  );

  NTSTATUS NTAPI RtlCreateProcessParameters(
      _Out_    PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
      _In_     PUNICODE_STRING ImagePathName,
      _In_opt_ PUNICODE_STRING DllPath,
      _In_opt_ PUNICODE_STRING CurrentDirectory,
      _In_opt_ PUNICODE_STRING CommandLine,
      _In_opt_ PVOID           Environment,
      _In_opt_ PUNICODE_STRING WindowTitle,
      _In_opt_ PUNICODE_STRING DesktopInfo,
      _In_opt_ PUNICODE_STRING ShellInfo,
      _In_opt_ PUNICODE_STRING RuntimeData
  );

By changing some of the values passed to RtlCreateProcessParameters we can achieve interesting behavior.

Changing the directory at the head of the DLL load order entirely

Writing this one up for people was inspired by this tweet, thank you for reminding me of it :)


  // Image that is actually executed.
  const wchar_t Path[] = LR"(C:/Windows/System32/WerFault.exe)";
  // Path the process parameters will claim instead; the loader takes the
  // application directory from these parameters, so DLLs are looked for
  // next to CmdLine rather than next to Path.
  const wchar_t CmdLine[] = LR"(C:/ProgramData/WerFault.exe)";
  const wchar_t DllLocation[] = LR"()";   // not used in this variant
  ...
  // ImagePathName, DllPath and CommandLine are all set to the CmdLine string.
  status = RtlCreateProcessParameters(&UserProcessParam, &CommandLine, &CommandLine, NULL, &CommandLine, NULL, NULL, NULL, NULL, NULL);

Changing the second search path of the DLL search order

This one will still cause the application to look in its own directory before the one you choose, but it may come in useful in some cases.


  // Image that is actually executed; its own directory is still searched first.
  const wchar_t Path[] = LR"(C:/Tools/TestApplication.exe)";
  const wchar_t CmdLine[] = LR"()";
  // Directory supplied as DllPath; it is searched after the application directory.
  const wchar_t DllLocation[] = LR"(C:/ProgramData/)";
  ...
  // Only DllPath is changed here; ImagePathName still matches the real image.
  status = RtlCreateProcessParameters(&UserProcessParam, &ImagePathName, &DllPath, NULL, &CommandLine, NULL, NULL, NULL, NULL, NULL);
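The first technique above leaves a visible trace: the kernel knows which file the process really started from, while the PEB command line names a different path. The following PowerShell is an added defensive check, not code from the DllLoadPath project; it assumes a Windows host where the current user can open the processes of interest, and the function names (Get-KernelImagePath, Get-ImagePathMismatch) are my own.

```powershell
# Added example (not part of DllLoadPath): list processes whose kernel-reported image
# (QueryFullProcessImageName, taken from the file object) disagrees with the image
# named in the PEB command line (Win32_Process.CommandLine, read from the PEB).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageNameW(IntPtr h, uint flags, System.Text.StringBuilder name, ref uint size);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr h);
'@

function Get-KernelImagePath([uint32]$ProcessId) {
    $h = [Win32.Native]::OpenProcess(0x1000, $false, $ProcessId)   # PROCESS_QUERY_LIMITED_INFORMATION
    if ($h -eq [IntPtr]::Zero) { return $null }                    # exited, protected, or access denied
    try {
        $sb = New-Object System.Text.StringBuilder 1024
        [uint32]$len = $sb.Capacity
        if ([Win32.Native]::QueryFullProcessImageNameW($h, 0, $sb, [ref]$len)) { return $sb.ToString(0, $len) }
        return $null
    } finally { [void][Win32.Native]::CloseHandle($h) }
}

function Get-ImagePathMismatch {
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        if (-not $p.CommandLine) { continue }                       # no PEB data (Idle, System, denied)
        # First token of the command line, quoted or not.
        if ($p.CommandLine -match '^\s*(?:"([^"]+)"|(\S+))') {
            $token = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        } else { continue }
        # Bare names such as "notepad" carry no directory, so only rooted paths are compared.
        if (-not [System.IO.Path]::IsPathRooted($token)) { continue }
        try { $claimed = [System.IO.Path]::GetFullPath($token) } catch { continue }   # normalises C:/x to C:\x
        $kernel = Get-KernelImagePath $p.ProcessId
        if ($kernel -and $claimed -ne $kernel) {                    # string -ne is case-insensitive in PowerShell
            [pscustomobject]@{ ProcessId = $p.ProcessId; KernelImage = $kernel; ClaimedImage = $claimed; CommandLine = $p.CommandLine }
        }
    }
}

Get-ImagePathMismatch | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list rather than a verdict: 8.3 short names, junctions and file-system redirection produce benign mismatches. The second technique changes only DllPath, which WMI does not expose, so it is not caught by this check.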

Many thanks to this post for helping me work out some parts.
