When a Windows program starts, the PE loader looks at its import table. This table tells the loader which DLL files need to be loaded along with the program. Each item in the import table, or IMAGE_IMPORT_DESCRIPTOR, represents a DLL used by the program.

Now, if we want to add our own DLL into a Windows PE file so that it will be loaded at program startup together with all the other DLLs used by the executable, we can do this by adding a new entry in the import table. This new entry will point to our DLL.
The IMAGE_IMPORT_DESCRIPTOR has some important fields. One is ThunkData (FirstThunk in the winnt.h definition). This is the address that points to the IAT of the DLL. We've discussed this table in a previous blog. Another is OriginalThunkData (OriginalFirstThunk in winnt.h), which is just a copy of the IAT before the program runs.

When we add a new entry in the import table, we also need to make some room for the IAT and INT. The program doesn't use any functions in our DLL, so we can fill the IAT and INT with whatever values we want. But it's important that the new IAT and INT have at least one entry. Otherwise, the PE loader will simply ignore the descriptor. Moreover, any function name or function ordinal number we put in the IAT and INT has to match an entry in the DLL's export table, so that the PE loader can replace the value in the IAT with the actual function address at runtime.
This is probably the easiest way to inject a DLL into a program. However, it has some downsides: One is that it only works for new processes. It doesn't work for a process that's already running because the import descriptor list is only read when the process first starts.
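Because the import table is read only at process start, the place to catch an added descriptor is the file on disk, before it runs. The following added example (not code from the original post) walks the import directory of a PE image exactly as described above: it follows each IMAGE_IMPORT_DESCRIPTOR, resolves its Name RVA, reads the INT (OriginalFirstThunk) or, when that is zero, the IAT (FirstThunk), and decodes each thunk either as an IMAGE_IMPORT_BY_NAME entry or as an ordinal (high bit set), including the "ordinal 1" form the guide relies on. It uses only the Python standard library and builds a constructed PE32+ buffer in memory; the DLL name `added.dll`, the section layout and the `EXPECTED_DLLS` allowlist are assumptions made for the example, not values from the post.

```python
import struct

# Constants from winnt.h
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_ORDINAL_FLAG64 = 1 << 63
IMAGE_ORDINAL_FLAG32 = 1 << 31


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return [(dll_name, [entry, ...])]; entry is a function name or 'ordinal:N'."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+: data directories start 112 bytes into the optional header
        dd_off, thunk_fmt, ord_flag = 112, "<Q", IMAGE_ORDINAL_FLAG64
    elif magic == 0x10B:  # PE32: 96 bytes in, 32-bit thunks
        dd_off, thunk_fmt, ord_flag = 96, "<I", IMAGE_ORDINAL_FLAG32
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    thunk_size = struct.calcsize(thunk_fmt)
    import_rva, _ = struct.unpack_from(
        "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsec):
        _, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw, rsize))
    result = []
    if import_rva == 0:
        return result
    desc = _rva_to_offset(import_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero descriptor terminates the list
        dll = _cstr(data, _rva_to_offset(name_rva, sections))
        # The loader resolves names from the INT when present, otherwise from the IAT.
        thunk_off = _rva_to_offset(oft or ft, sections)
        entries = []
        while True:
            val = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if val == 0:
                break  # zero thunk terminates the INT/IAT
            if val & ord_flag:
                entries.append(f"ordinal:{val & 0xFFFF}")
            else:  # RVA to IMAGE_IMPORT_BY_NAME: WORD Hint, then the name
                entries.append(_cstr(data, _rva_to_offset(val, sections) + 2))
            thunk_off += thunk_size
        result.append((dll, entries))
        desc += 20
    return result


def unexpected_imports(imports, expected_dlls):
    """Names of imported DLLs that are not in the allowlist (case-insensitive)."""
    allowed = {d.lower() for d in expected_dlls}
    return [dll for dll, _ in imports if dll.lower() not in allowed]


def build_sample_pe():
    """Constructed minimal PE32+ image (not a real binary): one .idata section at RVA 0x1000,
    importing ExitProcess from KERNEL32.dll and ordinal 1 from an assumed 'added.dll'."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)  # COFF header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                     # PE32+ magic
    struct.pack_into("<II", img, opt + 112 + 8, 0x1000, 60)     # import directory RVA/size
    struct.pack_into("<8sIIII", img, opt + 240, b".idata\0\0", 0x200, 0x1000, 0x200, 0x200)

    def put(rva, blob):  # RVA 0x1000 maps to file offset 0x200
        img[rva - 0x1000 + 0x200:rva - 0x1000 + 0x200 + len(blob)] = blob

    put(0x1080, b"KERNEL32.dll\0")
    put(0x1090, b"added.dll\0")
    put(0x10A0, struct.pack("<H", 0) + b"ExitProcess\0")        # IMAGE_IMPORT_BY_NAME
    by_name = struct.pack("<QQ", 0x10A0, 0)
    put(0x1040, by_name); put(0x1050, by_name)                  # INT and IAT for kernel32
    by_ord = struct.pack("<QQ", IMAGE_ORDINAL_FLAG64 | 1, 0)
    put(0x1060, by_ord); put(0x1070, by_ord)                    # INT and IAT for added.dll
    put(0x1000, struct.pack("<IIIII", 0x1040, 0, 0, 0x1080, 0x1050)
                + struct.pack("<IIIII", 0x1060, 0, 0, 0x1090, 0x1070)
                + bytes(20))                                    # terminator
    return bytes(img)


EXPECTED_DLLS = ["KERNEL32.dll"]  # assumed allowlist for the sample

if __name__ == "__main__":
    imports = parse_imports(build_sample_pe())
    for dll, entries in imports:
        print(dll, entries)
    print("unexpected:", unexpected_imports(imports, EXPECTED_DLLS))
```

Running it on the constructed image lists `KERNEL32.dll` with `ExitProcess` and `added.dll` with `ordinal:1`, and the allowlist check flags `added.dll`. On a real binary the same walk, compared against a known-good build or an allowlist of expected DLLs, is what surfaces a descriptor that was appended after compilation.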
For this guide, we used a DLL that has a DllMain function. This function automatically calls the Windows MessageBox API when the DLL is attached to or detached from the process. This lets us show a message box when the DLL is loaded or unloaded. Finally, because we specified in the new IAT/INT that we want to use the function exported by ordinal number 1, we must ensure at least one function is exported from our DLL. This is because the ordinal numbering of exported functions starts at 1 by default.

- Author: Zack Yang
- Link: https://zackyang.blog/article/dll-injection-with-import-table
- Statement: This article is licensed under CC BY-NC-SA 4.0; please credit the source when reposting.