Detecting DLL Code Splicing_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-02-25 17:51 出处：网络

I\'m trying to write some functions to detect DLL code splicing. I take dll code splicing to mean modifying the bytes at the start of functions in loaded dll\'s, so that instead of jumping to the full

I'm trying to write some functions to detect DLL code splicing. I take dll code splicing to mean modifying the bytes at the start of functions in loaded dll's, so that instead of jumping to the full function implementation within the dll, it will jump to some other location.

My approach so far has been:

Firstly - loaded dll information (eg. image base of loaded dll, etc.) I get from using Toolhelp32 libraries.

For each loaded dll:

get each funct开发者_运维百科ion address (rva) by reading export table, in memory, of the dll
read in 8 bytes at this address in memory
get function rva from version of dll on disk
parse PE header of dll-on-disk, to convert rva to file-offset - read 8 bytes here too
compare these 8 bytes

Now I know I'm not doing something quite right, and I may be making a conceptual blunder.

I've been testing with notepad.exe, 32bit. The comparisons succeed for the majority of the functions in the loaded DLL's but it tends to find some differences.

For example:

ntdll.dll: ordinal=00000059, rva=0007e098, fileoffs=0007d498, function VA: 7c97e098

disk: 00 00 00 00 00 00 00 00

mem: e4 04 00 00 00 00 00 00

and:

ntdll.dll: ordinal=0000003d, rva=0009d0d8, fileoffs=0009c4d8 function VA: 77a9d0d8

disk: a1 5c 81 f9 77 c3 90 90

mem: a1 5c 81 ad 77 c3 90 90

Someone mentioned to me that it has something to do with relocations. I can't figure this out, however, and I haven't found any documentation on how this applies here.

Does anyone have some info, or links on this? Or does anyone know where I am failing? Many thanks in advance.

EDIT: The DLL's are being loaded at their preferred image base (when comparing the OptionalHeader.ImageBase to the base address of the loaded module in memory).

Therefore I'm stuck trying to figure out why there could be a difference - eg. above: why 1312 functions in ntdll seemed to match, but the 1313'th one doesnt.

Relocations are a list of virtual offsets which contains absolute addresses. If an image isn't loaded at its preferred image base, all offsets listed in the relocation table needs to be adjusted. If you'r preferred image base is 0x400000 and the DLL loads at 0x500000, you simply need to adjust the data at the offsets mentioned in the relocation list with 0x100000.

See e.g. the "PE File Base Relocations" section in Peering inside the PE for the format.