Newbie Spellweaver
- Joined
- Sep 7, 2015
- Messages
- 6
- Reaction score
- 8
Injecting a DLL into windows x86 PE on startup without using external injector.
First of all, sorry for my bad english. Russian is not allowed here, so, deal with it. I really hope you can understand this, lol. I do know there are some guides to do this out there. But this is focused on sro, and I do actually give support to people having issues.
1. Purpose
As many of you already know, there are multiple dll injectors out there. Unfortunately, they run as external process (in most cases, it's totally okay, unless you don't want each of your dll users to inject it manually each time he starts your redistributed exe/dll). This guide will explain you the basic idea of manual dll injection.
2. Requirements
OllyDbg 1.10
PE Explorer (trial)
3. Theory
Each Windows executable has so called header. All we have to know for now is that header has the following stucture:
The only thing that interests us is PE Header which contains OEP (Original Entry Point). OEP value is an address from where execution of program will start. This is important because we are going to change it to our own code address, which will load the desired DLL and go back to the original entry point address, so program flow executes as normal after our "dirty job" is done. We can divide dll injection into 7 simple steps.
1. Locate OEP
2. Find free space for your dll loading code
3. Replace OEP with your code address
4. Write DLL name to some place in executable.
5. push dll name address to stack
6. call kernel32.LoadLibraryA
7. return to the original entry point
4. Implementation
What we will do inject a really basic dll into silkroad.exe. First of all, you will need to find the original entry point of silkroad.exe. This can be done by running PE Explorer your previously installed. Simply open silkroad.exe and take a look at "Address of entry point" field.
You will need to copy it somewhere (ex: some text file).
For now, that's all we need from the PE Explorer.
Let's run OllyDbg 1.10 and go to the OEP. This can be done by opening silkroad.exe, pressing CTRL + G and pasting OEP you got from PE Explorer and hitting enter. After you are done, you should see something like this at the left side of OllyDbg window:
Now, we have to find some empty space for our code. Normally you can just scroll down to the buttom until you each the end:
I've selected
Since 0x00497FFE (section end) - 0x00497F7A (our code start address) = 84 bytes, which should be totally enough for both dll name ascii string and dll loading code itself. Now we have to put our dll name somewhere near the code (remember, it will take some space... so move it after or before expected code position for ~ 20 - 30 bytes at least). This can be done by selecting multiple lines (should be enough space for your dll name string) and pressing pressing CTRL + E. Entering your dll name into ASCII field and pressing OK button. I've chosen address starting from 0x0049F96. When we will do push to stack, we will need to specify that one.
Now we do have desired dll name writen into silkroad.exe, and we can use it for LoadLibraryA function call. You should have something like this:
Now what we have to do is to write a little a little codecave which will load our dll.
<dllNameAddr> = 00497F96
<oep> = 004778D0 (see in PE Explorer, or loop at olly EIP register value on the right upper corner).
When you are done, everything should look like this:
Now we have to save our changes made in olly. To do this, right click somewhere on frame you did put your code / dll name in and select Copy to executable -> All Modifications and save your silkroad.exe to any place you want.
There's just one step left now. You have to modify your original OEP to the new one (where you did put your CODE at).
Open the saved exe with PE Explorer, and mofiy OEP (004778D0) to 00497F7A
. Press the green button near OEP text box, and go to File -> Save file as... and save it to some location (most likely, in our case, game client folder).
And you're done. Now just place dll that has DllMain function in same folder as your modified exe, and run it. Dll should load at startup.
Update: Added youtube video.
If you still got any questions, feel free to contact me.
Skype: hedgehock94
First of all, sorry for my bad english. Russian is not allowed here, so, deal with it. I really hope you can understand this, lol. I do know there are some guides to do this out there. But this is focused on sro, and I do actually give support to people having issues.
1. Purpose
As many of you already know, there are multiple dll injectors out there. Unfortunately, they run as external process (in most cases, it's totally okay, unless you don't want each of your dll users to inject it manually each time he starts your redistributed exe/dll). This guide will explain you the basic idea of manual dll injection.
2. Requirements
OllyDbg 1.10
You must be registered to see links
PE Explorer (trial)
You must be registered to see links
3. Theory
Each Windows executable has so called header. All we have to know for now is that header has the following stucture:
The only thing that interests us is PE Header which contains OEP (Original Entry Point). OEP value is an address from where execution of program will start. This is important because we are going to change it to our own code address, which will load the desired DLL and go back to the original entry point address, so program flow executes as normal after our "dirty job" is done. We can divide dll injection into 7 simple steps.
1. Locate OEP
2. Find free space for your dll loading code
3. Replace OEP with your code address
4. Write DLL name to some place in executable.
5. push dll name address to stack
6. call kernel32.LoadLibraryA
7. return to the original entry point
4. Implementation
What we will do inject a really basic dll into silkroad.exe. First of all, you will need to find the original entry point of silkroad.exe. This can be done by running PE Explorer your previously installed. Simply open silkroad.exe and take a look at "Address of entry point" field.
You will need to copy it somewhere (ex: some text file).
For now, that's all we need from the PE Explorer.
Let's run OllyDbg 1.10 and go to the OEP. This can be done by opening silkroad.exe, pressing CTRL + G and pasting OEP you got from PE Explorer and hitting enter. After you are done, you should see something like this at the left side of OllyDbg window:
Now, we have to find some empty space for our code. Normally you can just scroll down to the buttom until you each the end:
I've selected
Code:
00497F7A 0000 ADD BYTE PTR DS:[EAX],ALSince 0x00497FFE (section end) - 0x00497F7A (our code start address) = 84 bytes, which should be totally enough for both dll name ascii string and dll loading code itself. Now we have to put our dll name somewhere near the code (remember, it will take some space... so move it after or before expected code position for ~ 20 - 30 bytes at least). This can be done by selecting multiple lines (should be enough space for your dll name string) and pressing pressing CTRL + E. Entering your dll name into ASCII field and pressing OK button. I've chosen address starting from 0x0049F96. When we will do push to stack, we will need to specify that one.
Now we do have desired dll name writen into silkroad.exe, and we can use it for LoadLibraryA function call. You should have something like this:
Now what we have to do is to write a little a little codecave which will load our dll.
Code:
push <dllNameAddr>
call LoadLibraryA
jmp <oep><dllNameAddr> = 00497F96
<oep> = 004778D0 (see in PE Explorer, or loop at olly EIP register value on the right upper corner).
When you are done, everything should look like this:
Now we have to save our changes made in olly. To do this, right click somewhere on frame you did put your code / dll name in and select Copy to executable -> All Modifications and save your silkroad.exe to any place you want.
There's just one step left now. You have to modify your original OEP to the new one (where you did put your CODE at).
Open the saved exe with PE Explorer, and mofiy OEP (004778D0) to 00497F7A
. Press the green button near OEP text box, and go to File -> Save file as... and save it to some location (most likely, in our case, game client folder).
And you're done. Now just place dll that has DllMain function in same folder as your modified exe, and run it. Dll should load at startup.
Update: Added youtube video.
If you still got any questions, feel free to contact me.
Skype: hedgehock94
Last edited:
