Redirect Execution

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3.  
4. //If a new thread is created in a process, the system makes sure that DllMain's of loaded
5. //DLLs gets called in the context of the new thread. This is accomplished by iterating
6. //through all _LDR_MODULE nodes of the "InMemoryOrderModuleList" doubly-linked list.
7. //The DllMain of a DLL is called if certain conditions are met:
8. // (1) The new thread is not exempted from calling DllMain's. See "SkipThreadAttach" flag of TEB.
9. // (2) The _LDR_MODULE node does not belong to the main executable e.g. "calc.exe".
10. // (3) The _LDR_MODULE node does not have the "LDRP_DONT_CALL_FOR_THREADS"
11. //     flag set. see "DisableThreadLibraryCalls" function.
12. // (4) The LDR_MODULE node has a non-zero entrypoint.
13. //     N.B. ntdll.dll meets all conditions except that its entrypoint is always zero.
14. // (5) The LDR_MODULE node has the "LDRP_PROCESS_ATTACH_CALLED" flag set. i.e. Its DllMain was
15. //     previously called as part of the "DLL_PROCESS_ATTACH" reason.
16. // (6) The LDR_MODULE node has the "LDRP_IMAGE_DLL" flag set. i.e. the image is loaded in an
17. //     executable state. N.B. Dlls loaded via the "LoadLibraryExW" function
18. //     with the "DONT_RESOLVE_DLL_REFERENCES" flag don't have this flag set.
19.  
20. //Given the above knowledge, we can fool ntdll to think that our main executable is a Dll that needs
21. //to have its DllMain called upon threads creation and termination. This gives us a new way to redirect
22. //execution.
23.  
24. //This manipulation may result into certain functions e.g. GetModuleFileNameEx failing to behave,
25. //and this why we should undo the manipulation.
26.  
27. #include "stdafx.h"
28. #include "windows.h"
29. #include "stdio.h"
30.  
31.  
32.  
33.  
34. #define LDRP_IMAGE_DLL                          0x00000004
35. #define LDRP_ENTRY_PROCESSED                    0x00004000
36. #define LDRP_PROCESS_ATTACH_CALLED              0x00080000
37.  
38. extern "C"
39. {
40.     void __stdcall LdrFindEntryForAddress(unsigned long addr,void* pLdrModule);
41. }
42.  
43. __declspec(naked) void dummy()
44. {
45.     __asm ret
46. }
47.  
48. void Restore()
49. {  
50.         //restore original LDR_MODULE
51.         __asm
52.         {
53.             pushad
54.             mov eax,dword ptr fs:[0x30] ;PEB
55.             mov esi,dword ptr[eax+0x8] ;ImageBase
56.             inc esi                    
57.             mov eax,dword ptr[eax+0xC]  ;_PEB->Ldr
58.             lea eax,[eax+0x14]          ;InMemoryOrderModuleList
59.             mov ebx,eax
60. looop:
61.             mov ebx,dword ptr[ebx]
62.             cmp esi,dword ptr[ebx+0x10]
63.             jne skip
64.             dec dword ptr[ebx+0x10]  //Restore original ImageBase
65.             mov dword ptr[ebx+0x34],LDRP_ENTRY_PROCESSED  //Restore original LDRP_** flags
66. skip:
67.             cmp ebx,eax
68.             jnz looop
69.             popad
70.         }
71.         return;
72. }
73. void main()
74. {
75.     static unsigned long i=0;
76.     if(i++==1)
77.     {
78.         Restore();
79.         //Do your own stuff here
80.         MessageBox(0,"Redirected!","waliedassar",0);
81.         ExitProcess(0);
82.     }
83.     unsigned long pLdrModule=0;
84.     LdrFindEntryForAddress((unsigned long)&main,&pLdrModule);
85.     (*(unsigned long*)(pLdrModule+0x18))++; //Change ImageBase
86.     *(unsigned long*)(pLdrModule+0x34)=LDRP_IMAGE_DLL|LDRP_PROCESS_ATTACH_CALLED;
87.     unsigned long tid=0;
88.     CreateThread(0,0x1000,(LPTHREAD_START_ROUTINE)dummy,0,0,&tid);
89.     Sleep(INFINITE);
90.     return;
91. }