{"id":24810122,"url":"https://github.com/ozanani/security","last_synced_at":"2025-03-25T13:12:06.897Z","repository":{"id":268893442,"uuid":"84679603","full_name":"ozanani/security","owner":"ozanani","description":"A growing repository of basic security techniques for learning purposes","archived":false,"fork":false,"pushed_at":"2017-03-15T17:09:36.000Z","size":8,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-30T11:46:35.788Z","etag":null,"topics":["dll-injection","hook","hooking","iat-hooking","inline-hook","security"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ozanani.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-11T21:01:20.000Z","updated_at":"2019-01-06T14:39:11.000Z","dependencies_parsed_at":"2024-12-19T15:35:10.958Z","dependency_job_id":null,"html_url":"https://github.com/ozanani/security","commit_stats":null,"previous_names":["ozanani/security"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ozanani%2Fsecurity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ozanani%2Fsecurity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ozanani%2Fsecurity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ozanani%2Fsecurity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ozanani","downloa
d_url":"https://codeload.github.com/ozanani/security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245467627,"owners_count":20620216,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dll-injection","hook","hooking","iat-hooking","inline-hook","security"],"created_at":"2025-01-30T11:46:37.633Z","updated_at":"2025-03-25T13:12:06.848Z","avatar_url":"https://github.com/ozanani.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# security\nA growing repository of basic security techniques for learning purposes.\n\n## DLL-injection-inline-hooking\nAn example of using **remote DLL injection** and **inline hooking** to modify the behaviour of another process. In particular, the victim process requires a password to continue execution. After injecting the malicious DLL, any password can be entered.\n\n### Usage:\n1. Compile and run the **Victim**.\n2. Compile the **MalicousDLL**.\n3. Compile and run the **Injector**.\n4. Enter any password you like into the Victim.\n\n### How It Works:  \n**Note:** this is a high-level description. The code contains more detailed information.\n\n- The victim process calls the **lstrcmpA** function (*Win32API*) to compare the user-entered password with a hardcoded password.  
\n\n- The injector injects the malicious DLL into the victim process, using **VirtualAllocEx** and **CreateRemoteThread** (see *Further Reading* section).\n\n- The malicious DLL performs an **inline hook** (see *Further Reading* section) on the **lstrcmpA** function, and simply replaces any user-entered password with the hardcoded password.\n\n\n### Further Reading:  \n  - [Using CreateRemoteThread for DLL Injection on Windows](http://resources.infosecinstitute.com/using-createremotethread-for-dll-injection-on-windows/)\n  - [Inline Hooking for Programmers](https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html)\n  - [Userland Hooking in Windows - High-Tech Bridge](https://www.htbridge.com/whitepaper/Userland%20Hooking%20in%20Windows.pdf)\n  - [An In-Depth Look into the Win32 Portable Executable File Format](http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part1)\n  - [x86 Disassembly/Windows Executable Files](https://en.wikibooks.org/wiki/X86_Disassembly/Windows_Executable_Files)\n  - [MSDN](https://developer.microsoft.com/en-us/windows/desktop/develop)\n\n## IAT-hooking\nA simple implementation of local IAT hooking, resulting in **MessageBoxA** running when **Sleep** is called (both are Win32API functions).  \n\n### Steps:  \n**Note:** this is a high-level description. The code contains more detailed information.\n\n1. Parsing the local process' PE header, finding the **import directory** and the **IAT**.\n2. Iterating the **imported modules** and the **imported functions** of each module. (also printing them)\n3. Finding the IAT entries of **MessageBoxA** and **Sleep** Win32API functions.\n4. Overwriting the **Sleep** function address in the **IAT** with the **MessageBoxA** function address.\n5. 
Calling **Sleep** from code - and the called function is **MessageBoxA**.\n\n### Example Output:\n\u003e**The imported modules are**:\n\u003e\n\u003eKERNEL32.dll  \n\u003e\n\u003e**Imported functions for this module**:  \n\u003e\n\u003e\n\u003e\n\u003eVirtualProtect at 0x76a5a3d0  \n\u003eGetModuleFileNameW at 0x76a5cea0  \n\u003eGetModuleHandleA at 0x76a5cd90  \n\u003eSleep at 0x76a5a310  \n\u003e...  \n\n### Further Reading:  \n- [Userland Hooking in Windows - High-Tech Bridge](https://www.htbridge.com/whitepaper/Userland%20Hooking%20in%20Windows.pdf)\n- [An In-Depth Look into the Win32 Portable Executable File Format](http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part1)\n- [x86 Disassembly/Windows Executable Files](https://en.wikibooks.org/wiki/X86_Disassembly/Windows_Executable_Files)\n- [MSDN](https://developer.microsoft.com/en-us/windows/desktop/develop)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fozanani%2Fsecurity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fozanani%2Fsecurity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fozanani%2Fsecurity/lists"}