Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/alsch092/modifyexports
Research of modifying exported function names at runtime (C/C++, Windows)
injection malware malware-analysis malware-evasion mitre-attack reverse-engineering windows-programming
Last synced: 3 months ago
Research of modifying exported function names at runtime (C/C++, Windows)
- Host: GitHub
- URL: https://github.com/alsch092/modifyexports
- Owner: AlSch092
- License: gpl-3.0
- Created: 2023-04-17T20:51:31.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-05-28T18:00:17.000Z (8 months ago)
- Last Synced: 2024-05-29T08:40:48.884Z (8 months ago)
- Topics: injection, malware, malware-analysis, malware-evasion, mitre-attack, reverse-engineering, windows-programming
- Language: C++
- Homepage:
- Size: 671 KB
- Stars: 12
- Watchers: 2
- Forks: 4
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
## ModifyExports
Proof-of-concept written in C for modifying the current process' export table names at runtime. This technique can be seen as "invasive" because it can sometimes pop up error messages to the end user, and can interrupt normal program flow due to `GetProcAddress` returning atypical results. This technique can also potentially be leveraged by malware to redirect program flow.

# How it works:
We can use the routines provided by `ImageHlp.h` and `dbghelp.h` to write over the string names of exported functions within any module, which changes the results returned from `GetProcAddress`. First we map an image of a DLL our program has loaded using the `MapAndLoad` routine, and then fetch the image's export directory. We then grab the list of exported function names from the export directory by calling the `ImageRvaToVa` routine with `ImageExportDirectory->AddressOfNames` as the third parameter. The exported name strings can now be iterated over and modified in place.

Additionally, we can stop basic DLL injection by writing over the export names of the `LoadLibrary` routines, since an injector that resolves them by name through `GetProcAddress` will no longer find them. When trying to inject we will get an error saying 'The symbol for LoadLibrary could not be found'. An example of this can be seen in the third screencap.
# Screenshot examples:
The first screencap shows what it looks like to modify a function name at runtime: the disassembler now thinks `MessageBoxA` is located at both 0x7FFBE37B90D0 and 0x7FFBE37B9750.

The second screencap shows renaming `NtQueryObject` to `MyQueryObject`. Processes that try to query the address of `NtQueryObject` using `GetProcAddress` will now fail.
The third screencap shows an example of stopping basic DLL injection through the use of this technique (invasive to the end user).
![Alt text](MessageBoxA_Duplicate.PNG?raw=true "Two Addresses for MessageBoxA")
![Alt text](MyQueryObject.PNG?raw=true "MyQueryObject vs. NtQueryObject")
![Alt text](anti-DLL.PNG?raw=true "anti-dll")

## Considerations

If you're writing a longer string over the space of an export name, you'll need to shift all memory contents in the structure after that name by the delta number of bytes, otherwise the longer string overwrites the start of the next name. For example, if you write `MessageBoxAGood` over `MessageBoxA`, you'll need to shift any following names by +4 bytes to keep the name table intact.

Thank you for reading and happy coding, I hope you learned something new!
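The following is an added example, not code from the ModifyExports repository. It models the export directory layout the README walks through (`IMAGE_EXPORT_DIRECTORY` with its `AddressOfNames` array of RVAs into a string pool) in portable C, so it builds without the Windows SDK, and shows the defender-side check that catches this technique: compare each export name in the in-memory image against the same entry in the on-disk image, the way a scanner would after mapping the file with `MapAndLoad`. It assumes a constructed flat image in which RVA equals buffer offset (a real module needs section translation, which is what `ImageRvaToVa` does), and the export names `MessageBoxA`, `NtQueryObject` and `LoadLibraryA` are sample data. The `simulate_rename` helper exists only to give the detector something to find; it reproduces the README's "Considerations" point by showing that a longer name written without shifting corrupts the entry that follows it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_EXPORT_DIRECTORY laid out as winnt.h defines it (40 bytes), declared
 * locally so this compiles without the Windows SDK. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;

/* Constructed flat image (assumption): RVA == buffer offset, no sections. */
enum { IMAGE_SIZE = 0x200, EXPORT_DIR_RVA = 0x40, NAMES_RVA = 0x80, STRINGS_RVA = 0x100 };
#define NUM_EXPORTS 3
static const char *const kExports[NUM_EXPORTS] = { "MessageBoxA", "NtQueryObject", "LoadLibraryA" };

/* Write an export directory, its AddressOfNames array and the name strings. */
static void build_image(uint8_t *img) {
    export_dir_t ed;
    uint32_t cursor = STRINGS_RVA;
    memset(img, 0, IMAGE_SIZE);
    memset(&ed, 0, sizeof ed);
    ed.NumberOfFunctions = ed.NumberOfNames = NUM_EXPORTS;
    ed.AddressOfNames = NAMES_RVA;
    for (uint32_t i = 0; i < NUM_EXPORTS; i++) {
        uint32_t len = (uint32_t)strlen(kExports[i]) + 1;
        memcpy(img + cursor, kExports[i], len);        /* string pool entry   */
        memcpy(img + NAMES_RVA + i * 4, &cursor, 4);   /* AddressOfNames[i]   */
        cursor += len;
    }
    memcpy(img + EXPORT_DIR_RVA, &ed, sizeof ed);
}

/* Bounds-checked string read; NULL if the name would run off the image. */
static const char *rva_to_str(const uint8_t *img, uint32_t rva) {
    if (rva >= IMAGE_SIZE || !memchr(img + rva, 0, IMAGE_SIZE - rva)) return NULL;
    return (const char *)(img + rva);
}

static uint32_t name_rva(const uint8_t *img, const export_dir_t *ed, uint32_t i) {
    uint32_t rva;
    memcpy(&rva, img + ed->AddressOfNames + i * 4, 4);
    return rva;
}

/* The same by-name scan GetProcAddress performs; index of the match or -1. */
int find_export_index(const uint8_t *img, const char *name) {
    export_dir_t ed;
    memcpy(&ed, img + EXPORT_DIR_RVA, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        const char *s = rva_to_str(img, name_rva(img, &ed, i));
        if (s && strcmp(s, name) == 0) return (int)i;
    }
    return -1;
}

/* Detection: walk the live (in-memory) name table beside the reference
 * (on-disk) one and count entries whose names no longer agree. -1 means the
 * export directory header itself was rewritten. */
int count_tampered_exports(const uint8_t *ref, const uint8_t *live) {
    export_dir_t red, led;
    int tampered = 0;
    memcpy(&red, ref + EXPORT_DIR_RVA, sizeof red);
    memcpy(&led, live + EXPORT_DIR_RVA, sizeof led);
    if (red.NumberOfNames != led.NumberOfNames || red.AddressOfNames != led.AddressOfNames)
        return -1;
    for (uint32_t i = 0; i < red.NumberOfNames; i++) {
        const char *rs = rva_to_str(ref, name_rva(ref, &red, i));
        const char *ls = rva_to_str(live, name_rva(live, &led, i));
        if (rs && (!ls || strcmp(rs, ls) != 0)) {
            printf("export[%u]: on disk \"%s\", in memory \"%s\"\n", i, rs, ls ? ls : "<unreadable>");
            tampered++;
        }
    }
    return tampered;
}

/* Test fixture only: overwrite one name in place without shifting what
 * follows, so the detector has something to find. 0 on success. */
int simulate_rename(uint8_t *img, const char *target, const char *replacement) {
    export_dir_t ed;
    int idx = find_export_index(img, target);
    if (idx < 0) return -1;
    memcpy(&ed, img + EXPORT_DIR_RVA, sizeof ed);
    uint32_t rva = name_rva(img, &ed, (uint32_t)idx);
    if (rva + strlen(replacement) + 1 > IMAGE_SIZE) return -1;
    memcpy(img + rva, replacement, strlen(replacement) + 1);
    return 0;
}

/* Scenario helpers: detector count, and lookup result, after one rename. */
int scenario_count(const char *target, const char *replacement) {
    uint8_t disk[IMAGE_SIZE], mem[IMAGE_SIZE];
    build_image(disk);
    memcpy(mem, disk, IMAGE_SIZE);
    if (simulate_rename(mem, target, replacement) != 0) return -2;
    return count_tampered_exports(disk, mem);
}
int scenario_lookup(const char *target, const char *replacement, const char *query) {
    uint8_t mem[IMAGE_SIZE];
    build_image(mem);
    if (simulate_rename(mem, target, replacement) != 0) return -2;
    return find_export_index(mem, query);
}

int main(void) {
    printf("same-length rename:      %d tampered\n", scenario_count("NtQueryObject", "MyQueryObject"));
    printf("longer rename, no shift: %d tampered\n", scenario_count("MessageBoxA", "MessageBoxAGood"));
    return 0;
}
```

The same-length rename yields exactly one mismatch and makes the `NtQueryObject` lookup fail, matching the second screencap. Writing the 4-bytes-longer `MessageBoxAGood` over `MessageBoxA` without shifting yields two mismatches: the renamed entry, plus `NtQueryObject`, whose RVA now lands in the middle of the new string and reads back as `ood`. A real scanner would obtain the reference table from the file on disk and the live table from the loaded module, and would treat any mismatch, or a header whose `AddressOfNames` or `NumberOfNames` differs, as evidence of export-table tampering.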