Changes between Version 2 and Version 3 of Ticket #62


Ignore:
Timestamp:
12/07/2009 05:17:41 PM (15 years ago)
Author:
Sam Hocevar
Comment:

Better status description.

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #62 – Description

    v2 v3  
     1== Strategies ==
    12There is no such thing as `LD_PRELOAD` on Win32. Several strategies exist to mimic the Unix functionality:
    23 * Use the `AppInit_DLLs` registry key (not acceptable: it affects all executables and requires a reboot for changes to be taken into account, although there is at least one interesting [http://fy.chalmers.se/~appro/nt/DLL_PRELOAD/ use of this feature])
     
    45 * DLL injection: inject code into the subprocess so that it overwrites the desired function addresses
    56
     7== Code already in zzuf ==
    68The bases for DLL injection are already here:
    79 * libzzuf's [/browser/zzuf/trunk/src/sys.c sys.c] contains the following:
     
    1618   * Code in the `run_process` function that tries to fork a subprocess in paused state, inject the desired code, and resume it
    1719
    18 All these functions seem to be consistent, but their combination does not seem to work. The expected result: any program that calls LoadLibraryA should display a warning message. What happens: nothing. I tested it with a simple program such as this one:
     20All these functions seem to be consistent, but their combination does not seem to work (yet).
     21
     22== Expected workflow ==
     23What should happen in zzuf:
     24 * zzuf enters `run_process()` to call the target binary
     25 * `run_process` calls `get_entry()` to retrieve the target binary's entry point
     26 * `run_process` runs the binary in suspended mode
     27 * `run_process` calls `dll_inject()` to inject our dll-loading code at the target binary's entry point
     28 * `run_process` resumes the binary's execution
     29
     30What should happen in the target binary:
     31 * we get started in suspended mode
     32 * 78 bytes of code containing a DLL loader are allocated in our address space by zzuf
     33 * our entry point is overwritten by zzuf with the DLL loader's address
     34 * our execution is resumed by zzuf
     35
     36== Current behaviour ==
     37The real zzuf diversions are not implemented for Win32. For now, only LoadLibraryA is diverted, for debugging purposes.
     38
     39The expected result: any program that calls LoadLibraryA should display a warning message. What happens: nothing. I tested it with a simple program such as this one:
    1940
    2041{{{