{"id":3099,"date":"2015-06-23T16:51:49","date_gmt":"2015-06-23T16:51:49","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3099"},"modified":"2015-06-23T16:55:51","modified_gmt":"2015-06-23T16:55:51","slug":"lame-tricks-with-ldrregisterdllnotification","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/06\/23\/lame-tricks-with-ldrregisterdllnotification\/","title":{"rendered":"(lame) tricks with LdrRegisterDllNotification"},"content":{"rendered":"

It was Andrew<\/a> (thanks!) who brought LdrRegisterDllNotification<\/a> to my attention by asking on twitter if anyone has seen any malware using it. I couldn’t find any malware, but the function itself triggered my interest.<\/p>\n

I quickly implemented a proof of concept. It shows how the callback that the API is registering could be utilized as a lame anti-* trick by malware that drops DLLs (in a case I am demoing), and maybe to do a few more tricky things (as I discuss below).<\/p>\n

Consider the first .exe – let’s call it ‘good.exe’.<\/p>\n

When executed, it drops a DLL called ‘foo.dll’.<\/p>\n

It then resolves its one and only export ‘Bar’ and executes the function. The function shows a simple message box with a ‘Good’ message:<\/p>\n

\"good\"<\/a>The second .exe is called ‘better.exe’ (obviously \ud83d\ude42 ).<\/p>\n

It drops the very same ‘foo.dll’.<\/p>\n

Functionally, it is almost identical with ‘good.exe’ as it is using the same source code. The only difference is that it registers the callback using a LdrRegisterDllNotification function. From now on, anytime a DLL is loaded the callback function takes control and is free to modify the content of the loaded DLL ‘on the fly’. As such, it can easily patch it and create a complete different memory image from the one we may expect by just looking at a static file ‘dropped’ by the .exe.<\/p>\n

In my case the change is of a ‘visualame’ type. It’s for us to observe it.<\/p>\n

The callback does only one thing – it checks if the string at a hardcoded offset inside the loaded DLL is equal to ‘Good’ and swaps it with a new string ‘Evil’; therefore, running the ‘better.exe’ will produce the following result:<\/p>\n

\"evil\"<\/a><\/p>\n

The example is intentionally simple, but there are many things that could be done here – the callback allows one to f.ex.<\/p>\n