Академический Документы
Профессиональный Документы
Культура Документы
• Injection: • Patching:
VirtualAllocEx() Neuter Winsock LSP hooks
allocate memory in remote process
addr = GetProcAddres(“DBFP_*”)
VirtualProtectEx() VirtualProtect(addr)
make remote memory writeable memcpy(addr, NOP)
VirtualProtect(addr)
WriteProcessMemory() FlushInstructionCache(addr)
inject our code
Disable API hooks / SetWindowsHookEx
LoadLibrary(“damburst.dll”)
burst = GetProcAddress(“Burst”) GetModuleHandle(“InjLib32.dll”)
Call burst GetProcessAddress(“InjectLibrary”)
InjectLibrary(FALSE) // HA!
VirtualProtectEx()
restore memory protection Unload Green Dam
CreateRemoteThread() FreeLibrary(“Handler.dll”)
execute injected code FreeLibrary(“InjLib32.dll”)