Other Projects
N-Inject help.
You mention "Two techniques are available to inject a dll: the target process can be started by using the library so the first dll loaded actually is the dll to be injected, or dlls can be injected anytime while the target process is running." Your simple example is of the former, but I need the latter and I can't find any examples for this.
Can anyone help?
[ollydbg] another trick to bypass winlicense 2.1.1.0 under xp/2003 RtlUnicodeToMultiByteN
I have found some interesting things missing from IDAStealth, so you may be interested to look at these procedures. I named OllyStealth the plugin I'm designing for OllyDBG, mainly based on your plugin. I notice it requires patches to run because OllyDBG is found, but I have found the right hooks to apply to bypass WinLicense on XP + Win2003 + Win7.
*** = not in IDAStealth
Under Windows 7 + OllyStealth against Winlicense 2.1.1.0
1 - IsDebuggerPresent (patch peb.beingdebugged)
2 - NtGlobalFlag (patch global heap flags)
3 - Fake parent process (change to explorer.exe)
Missing anti-debug trick caught
Tools used:
App: Newsleecher 4.0 beta16 Trial
plugins/debuggers: IDA licensed + IDAStealth / Olly + OllyStealth (a temporary port of your plugin, still private)
protection: WinLicense (unknown version, but I think 2.1.1.0 because I think they recently removed version scanning of the memory)
Under IDA:
To successfully bypass all protections, these 3 anti-debug tricks are required:
-IsDebuggerPresent
-NtGlobalFlags (patch global heap flags)
-Fake parent process (set to explorer.exe)
If I uncheck one of these 3, it no longer works around the protections.
Under OllyDBG:
SYSTEM_PROCESS_INFORMATION definition, could you provide it, Jan?
Hi Jan
First, thanks for publishing IDAStealth source, it works so well under IDA I have been interested to port it under OllyDbg.
Almost everything is done now, but because I compiled it under GCC 4.5.0 I will need the structures you have used to define SYSTEM_PROCESS_INFORMATION.
Mine looks like this, but I think it is not perfect, because I think the findProcessChunk() function does not return what it is supposed to return.
I have defined my structure this way, based on the NT undocumented website:
typedef struct _SYSTEM_THREAD {
LARGE_INTEGER KernelTime;
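The part of the structure that the parent-process trick actually depends on is small: the entries returned by NtQuerySystemInformation(SystemProcessInformation) are variable-size (each one is followed by its NumberOfThreads thread records) and chained by NextEntryOffset, with 0 marking the last entry. The following is an added example, not IDAStealth's code and not the poster's port: it declares only the leading fields as published in winternl.h (Reserved2 there is InheritedFromUniqueProcessId in the undocumented definition), walks a constructed snapshot, and applies the "fake parent process" patch to one entry. The sample PIDs and the per-thread filler size are made up for the test.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* UNICODE_STRING with the buffer typed as a plain pointer so the struct has
 * the same size off Windows. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} UNICODE_STRING_;

/* Leading fields of SYSTEM_PROCESS_INFORMATION as in winternl.h. Reserved1
 * spans the counters and times the post's struct names individually
 * (working set, fault count, cycle/create/user/kernel time). The fields after
 * the parent PID and the SYSTEM_THREAD array that follows are not needed. */
typedef struct {
    uint32_t        NextEntryOffset;
    uint32_t        NumberOfThreads;
    uint8_t         Reserved1[48];
    UNICODE_STRING_ ImageName;
    int32_t         BasePriority;
    void           *UniqueProcessId;
    void           *InheritedFromUniqueProcessId;   /* Reserved2 in winternl.h */
} SPI_PREFIX;

/* Walk the chain and return the entry for `pid`, or NULL. `len` bounds every
 * read so a bogus NextEntryOffset cannot run off the end of the buffer. */
SPI_PREFIX *spi_find(uint8_t *buf, size_t len, uintptr_t pid)
{
    size_t off = 0;
    for (;;) {
        if (off + sizeof(SPI_PREFIX) > len) return NULL;
        SPI_PREFIX *e = (SPI_PREFIX *)(buf + off);
        if ((uintptr_t)e->UniqueProcessId == pid) return e;
        if (e->NextEntryOffset == 0) return NULL;
        off += e->NextEntryOffset;
    }
}

/* Parent PID of `pid`, or 0 if the process is not in the snapshot. */
uintptr_t spi_parent_of(uint8_t *buf, size_t len, uintptr_t pid)
{
    SPI_PREFIX *e = spi_find(buf, len, pid);
    return e ? (uintptr_t)e->InheritedFromUniqueProcessId : 0;
}

/* The fake-parent patch: after the real query fills the buffer, rewrite the
 * debuggee's parent so a "is my parent the debugger?" check comes back false.
 * Returns 1 if an entry was patched. */
int spi_fake_parent(uint8_t *buf, size_t len, uintptr_t pid, uintptr_t new_parent)
{
    SPI_PREFIX *e = spi_find(buf, len, pid);
    if (!e) return 0;
    e->InheritedFromUniqueProcessId = (void *)new_parent;
    return 1;
}

/* Constructed snapshot: three processes with different thread counts so the
 * strides differ, as in a real buffer. Thread records are opaque filler of an
 * arbitrary size here. Returns the number of bytes used, 0 if `cap` is short. */
#define FAKE_THREAD_SIZE 80

size_t build_sample(uint8_t *buf, size_t cap)
{
    struct { uintptr_t pid, ppid; uint32_t threads; } procs[] = {
        { 4,    0,    12 },   /* System */
        { 1234, 4,    30 },   /* stands in for explorer.exe */
        { 5678, 9000,  2 },   /* the debuggee, parented by the debugger (9000) */
    };
    size_t off = 0;
    for (size_t i = 0; i < 3; i++) {
        size_t stride = sizeof(SPI_PREFIX) + procs[i].threads * FAKE_THREAD_SIZE;
        if (off + stride > cap) return 0;
        SPI_PREFIX *e = (SPI_PREFIX *)(buf + off);
        memset(e, 0, sizeof *e);
        e->NumberOfThreads = procs[i].threads;
        e->UniqueProcessId = (void *)procs[i].pid;
        e->InheritedFromUniqueProcessId = (void *)procs[i].ppid;
        e->NextEntryOffset = (i == 2) ? 0 : (uint32_t)stride;
        off += stride;
    }
    return off;
}

int main(void)
{
    uint64_t store[1024];                 /* 8-byte aligned backing storage */
    uint8_t *buf = (uint8_t *)store;
    size_t n = build_sample(buf, sizeof store);
    printf("parent of 5678 before: %lu\n", (unsigned long)spi_parent_of(buf, n, 5678));
    spi_fake_parent(buf, n, 5678, 1234);
    printf("parent of 5678 after:  %lu\n", (unsigned long)spi_parent_of(buf, n, 5678));
    return 0;
}
```

If a GCC build of the structure gives a different sizeof than the MSVC one, the usual culprits are LARGE_INTEGER (a union that must stay 8 bytes) and the pointer-sized fields, since the offset of the parent PID depends on everything before it; checking sizeof(SPI_PREFIX) against the offsets in the original header is the quickest sanity test.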
[NCodeHook] significance of 0x7FFF0000
I'm studying the source code to NCodeHook. It's making for an interesting read!
I'm very new to asm or anything this low-level, so I was left with a couple of questions when reading the source. I wonder if somebody will be able to help me answer them.
Q1. Why is it necessary to choose between an absolute/indirect jump and a relative jump (ArchitectureCommon::requiresAbsJump)?
Q2. Probably related to Q1: Inside ArchitectureCommon::requiresAbsJump, what is the significance of the 0x7FFF0000 constant?
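The two questions have one answer: a 5-byte "jmp rel32" (E9 followed by a signed 32-bit displacement measured from the end of the instruction) can only reach targets within about 2 GiB of the hook site. On 32-bit x86 that is the whole address space; on x86-64 a system DLL can sit near 0x7FF6xxxxxxxx while the hooked code sits far below, so a hook library has to check the distance and fall back to an absolute form. 0x7FFF0000 is 64 KiB below INT32_MAX, so treating it as the limit leaves a margin for the instruction length and anything the trampoline appends. The block below is an added example, not NCodeHook's code: it makes that check, encodes both jump forms byte by byte, and the reading of the constant as a safety margin is an assumption about the library that its source is the authority on.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Conservative bound on the rel32 displacement. The exact range of a signed
 * 32-bit immediate is [-2^31, 2^31-1]; stopping 64 KiB short keeps headroom.
 * (Assumption: this is the role of the constant in the library.) */
#define REL32_SAFE_LIMIT 0x7FFF0000LL

/* Displacement from the end of a 5-byte jmp at `from` to `to`. The unsigned
 * subtraction wraps and the signed cast recovers negative (backward) values. */
static int64_t rel32_displacement(uint64_t from, uint64_t to)
{
    return (int64_t)(to - (from + 5));
}

/* 1 if a relative jump placed at `from` cannot safely reach `to`. */
int requires_abs_jump(uint64_t from, uint64_t to)
{
    int64_t d = rel32_displacement(from, to);
    return d > REL32_SAFE_LIMIT || d < -REL32_SAFE_LIMIT;
}

/* Write the jump into `out` and return its length:
 *    5 bytes  E9 <rel32>                   relative
 *   14 bytes  FF 25 00 00 00 00 <imm64>    x86-64 "jmp [rip+0]", target inline
 * Bytes are emitted one at a time so the result does not depend on the host's
 * endianness. */
size_t encode_jump(uint64_t from, uint64_t to, uint8_t out[14])
{
    if (!requires_abs_jump(from, to)) {
        uint32_t d = (uint32_t)(int32_t)rel32_displacement(from, to);
        out[0] = 0xE9;
        for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(d >> (8 * i));
        return 5;
    }
    out[0] = 0xFF; out[1] = 0x25;
    out[2] = out[3] = out[4] = out[5] = 0x00;   /* disp32 = 0: the qword follows */
    for (int i = 0; i < 8; i++) out[6 + i] = (uint8_t)(to >> (8 * i));
    return 14;
}

int main(void)
{
    /* Constructed sample: a hook site low in a 64-bit process and a target
     * high in the address space, as with a system DLL. */
    uint8_t buf[14];
    size_t n = encode_jump(0x401000, 0x7FF6C0001000ULL, buf);
    printf("%zu-byte jump:", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", buf[i]);
    printf("\n");
    return 0;
}
```

The absolute form costs 14 bytes instead of 5, which is why it is not used unconditionally: more bytes overwritten at the hook site means more original instructions have to be relocated into the trampoline, and any of them that are themselves RIP-relative need fixing up.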
IDA Stealth Plugin
I spent some hours trying to make this work, but I gave up. The server debugger IDAStealthRemote.exe always shows:
Accepted connection from 192.168.3.100
Error while handling connection: End of file
What did I do wrong?
I've tested with IDA 5.5 and 5.2, and with the stealth plugin v1.2.
The port is set to 4242 in the plugin.
What are the exact steps to do? I did everything the readme file says.
Thanks
Hook member functions/constructors
Hi, can somebody show an example of how to hook member functions and constructors?
This is what I have tried, but the program crashes.
typedef void (*ConstructorFunc)();
static ConstructorFunc origConstructor;   // trampoline pointer returned by the hook library
static void myConstructor()
{
    origConstructor(); // how to call the original constructor?
}
// install the hook; the second argument is the export name to look up in some.dll
origConstructor = mHooks.createHookByName("some.dll", "", &myConstructor);
Thanks for any help!
Hooking LoadLibrary Call
I want to load a different version of a DLL than is present in the working directory of the application. For this I need to hook the LoadLibrary call so that when the application makes a call to load the DLL I can substitute it with the newer version of that DLL transparently. I tried using NCodeHook and have the following code in my DLL which I inject into the application using NInjectLib but it crashes while loading kernel32.dll. Can anybody please tell me if this is the correct way of injecting the call or are there any other alternatives.
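The redirection itself is mostly string handling, and it is where such a hook usually goes wrong in practice: callers pass a bare name, a full path, mixed case, or no extension at all (LoadLibrary appends ".dll" itself unless the name ends in a period), and every one of those has to map to the same substitute. The following is an added example, not NInjectLib/NCodeHook code and not the poster's DLL: the portable decision logic, plus a sketch in a comment of the hook body that would call it. The table entry, the replacement path and the request strings are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* File-name component of a Windows path: the text after the last '\' or '/'. */
static const char *dll_basename(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    return base;
}

/* ASCII case-insensitive equality of the first n bytes; module names on
 * Windows are matched without regard to case. Hand-rolled for portability. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y) return 0;
    }
    return 1;
}

/* Length of the name with a trailing ".dll" dropped, so "foo" and "FOO.DLL"
 * compare equal. A trailing '.' ("foo.") tells LoadLibrary not to append the
 * extension, so it is deliberately left as-is and will not match "foo.dll". */
static size_t stem_len(const char *name)
{
    size_t n = strlen(name);
    if (n >= 4 && ieq(name + n - 4, ".dll", 4)) return n - 4;
    return n;
}

static int dll_name_matches(const char *requested, const char *wanted)
{
    size_t lr = stem_len(requested), lw = stem_len(wanted);
    return lr == lw && ieq(requested, wanted, lr);
}

typedef struct {
    const char *name;         /* module to intercept, e.g. "libfoo.dll" */
    const char *replacement;  /* full path handed to the real LoadLibrary */
} redirect_t;

/* The decision the hook has to make: substitute the path for a module listed
 * in `table`, otherwise pass the caller's argument through unchanged. */
const char *redirect_library(const char *requested, const redirect_t *table, size_t n)
{
    const char *base = dll_basename(requested);
    for (size_t i = 0; i < n; i++)
        if (dll_name_matches(base, table[i].name))
            return table[i].replacement;
    return requested;
}

/* Sketch of the Windows-side hook that would use it (not compiled here; the
 * pointer and function names are placeholders):
 *
 *   static HMODULE (WINAPI *orig_LoadLibraryA)(LPCSTR);   // trampoline
 *   HMODULE WINAPI my_LoadLibraryA(LPCSTR name)
 *   {
 *       return orig_LoadLibraryA(redirect_library(name, table, n));
 *   }
 *
 * The forward call must go through the trampoline the hooking library
 * returned, never through LoadLibraryA itself, or the hook re-enters its own
 * patch. Note also that LoadLibraryW and LoadLibraryExA/W callers are not
 * covered by a hook on LoadLibraryA alone. */

int main(void)
{
    const redirect_t table[] = { { "libfoo.dll", "C:\\newer\\libfoo.dll" } };
    const char *requests[] = { "libfoo.dll", "LIBFOO", "C:\\app\\LibFoo.DLL",
                               "libfoo.", "kernel32.dll" };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-20s -> %s\n", requests[i], redirect_library(requests[i], table, 1));
    return 0;
}
```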
N-InjectLib and N-CodeHook simple example
A simple example would be appreciated. Right now I am trying to figure out something from IDA Stealth, but what I really want is:
1) create a suspended process from my application
2) inject dll which has detour function inside of it