dwtf v1.0

[Nytro]

dwtf v1.0 and its Features

dwtf creates a fake.dll from real.dll

Features:

1- It exports all symbols of real.dll (also Forwarder).

2- It imports all exports of real.dll (also Forwarder).

3- It creates an area code with a JMP DWORD [ADDRESS] for each export.

4- The exports of fake dll is assigned to a JMP area which jumps to original export of real.dll.

Working of dwtf v1.0

If you are making PEB HOOKING, when the APP calls to fake dll export it jumps to original export, everything works fine:

Before PEB HOOKING:

APP -> IAT OF APP -> REAL DLL EXPORT

After PEB HOOKING:

APP -> IAT OF APP -> FAKE DLL EXPORT -> IAT OF FAKE DLL -> REAL DLL EXPORT

You can add or remove payloads with any IAT HOOKING in the IAT of the fake dll:

APP -> IAT OF APP -> FAKE DLL EXPORT -> IAT OF FAKE DLL -> PAYLOAD STACK -> (or never) REAL DLL EXPORT

Syntax: dwtf.exe fake_dll real_dll

Example: dwtf.exe k32.dll c:\windows\system32\kernel32.dll

All .exes are in bin folder:

You can execute the: Generate fake kernel32.bat

This bat executes dwtf creating a fake kernel32.dll called k32.dll from c:\windows\system32\kernel32.dll

After, you can make a pebhooking executing: PEB hooking poc with fake kernel32.bat

IMPORTANT: You need the NETCAT for send commands to the console:

This bat inject a console.dll in the poc.exe process using InjectorDll.exe

This console listen by default in 127.0.0.1 1234, This console is the interface to do

PEB Hooking:

Next, the bat connect to 127.0.0.1 1234 using nc command (netcat)

In the console with netcat you can write:

pebhook kernel32.dll k32.dll

resume

exit

In this moment poc.exe is running and it is waiting a user enter:

poc.exe try creates files with two APIs of kernel32.dll: CreateFileW and CreateFileA

When you press enter all works fine (good lucky) and the process exits creating files.

In this scenario all works by this way:

poc.exe -> IAT of POC.EXE -> k32.dll (fake kernel32.dll) -> IAT of k32.dll -> kernel32.dll

Loading payloads dynamically:

For this scenario:

poc.exe -> IAT of POC.EXE -> k32.dll (fake kernel32.dll) -> IAT of k32.dll -> payload/s

Remember: You can add a payload stack with IAT HOOKING over IAT HOOKING ...

The payloads can calls to original kernel32.dll export.

You need:

Generate fake kernel32.bat

PEB hooking poc with fake kernel32.bat

command: pebhook kernel32.dll k32.dll

Add a payload for CreateFileW, inserting a iat hook in k32.dll:

Inject the dll:

InjectorDll.exe poc_dll.dll -p PID_OF_POC_EXE

In the POC.EXE you can see:

Creating files... press enter

DLL INJECTED! ADDR OF OwnCreateFileA: 0x70651030 < --- For EXAMPLE

It is the time of IAT hooking of CreateFileA of k32.dll to OwnCreateFileA of poc_dll.dll

Example of searching CreateFileA IAT ADDR in k32:

Using peview (google: download peview):

Search the oridinal of CreateFileA like this image:

Search IAT ADDR in k32 of CreateFileA like this image:

In the IMAGE the IAT ADDR is: 0x1000C1A6

Change the IAT to payload addr:

write_process_memory.exe PID_OF_POC_EXE 0x1000C1A6 0x70651030

0x70651030 is the addr of OwnCreateFileA of poc_dll.dll injected in POC.exe

In the console with netcat you can write:

resume

exit

Credits

dwtf 1.0 (MIT License) engine by Dreg, from evil fingers:

- making FULL dll (PEB/file) hooking more easy...

- Greetz: Lacon 2k9 Spain & Hispasec team.

- Note: Use with real DLLs, a lot of bugs in this version

contact me: dreg@fr33project.org

Video:

http://www.youtube.com/watch?v=t7UXEJieliM

Download:

http://rootkitanalytics.com/downloadCounter.php?id=7