Hi all,

Branching off from the topic of Resource Injection, where Blastersoft asked about inserting an OBJ file into an executable. Well, I have a similar question.

Suppose you create a dll and place all of your sensitive code inside, and then place that in as a resource... would that not prove in any sense better? I mean the wrapper exe will load up the dll, and your wrapper exe contains all the functional calls. So even if they disassemble your exe, the code that is needed will reside inside the dll.

But what I am really asking is: when a dll is constructed, are only the exported functions listed? So making calls internally in the dll should cause some trouble for some people. I remember a post about someone trying to disassemble a dll and needing to know about stack returns.

A general plus about this might be the fact that project maintenance is divided nicely into the Visual aspect and the Implementation aspect if you are using an algorithmic approach to resolve a problem.

Thus generally debugging might be a bi*ch, but hell, if it is difficult for you then it certainly gets difficult for others.

On another note, in C++ there are private and public classes -- so hiding the code again by using these methods will prove even more troublesome, right? (Now where is the asm equivalent method? As I am as of yet not an ASM god at all.)

So yay or nay... good idea or bad, and if so, please say why.

Black iCE
Posted on 2004-09-08 07:29:31 by Black iCE
Ok, I did a search on RE + dll and didn't find much. This is from a person running a personal project, which makes me google with the prospect that my first post here could be a valid idea.

from the FAQ section:

4. Another tool being planned.
It would be nice to take a lib or .dll and be able to watch it being accessed. One way to do this would be to provide a tool that would take a .dll and replace it with a new .dll. This new .dll would be a version of the revenge emulator that would act exactly the same as the original .dll, by running the original .dll in the emulator, but at the same time storing a complete record log of all activity in each .dll call from the calling application.

Link to the site: http://revenge.berlios.de/faq.php

As of yet I haven't found any tutorial on how to RE into a dll. Suppose this is one of the many reasons why the windows system is mainly dll's.
Posted on 2004-09-08 08:18:36 by Black iCE
As of yet I haven't found any tutorial on how to RE into a dll. Suppose this is one of the many reasons why the windows system is mainly dll's.

That does not mean it is not possible. In fact it is possible and is quite easy.
Posted on 2004-09-08 08:34:56 by roticv
I don't deny that it is not possible; I was grasping more towards the fact that, if done properly, it should be one of the easiest ways to prevent just the above-average joe from making hell out of your work. You can still compress the resulting exe. Even use some algorithmic (encrypting/checksumming) ways when the dll is accessed by other processes to verify whether the ATOM class justifies access to it or not (internally)... So this idea can be expanded easily with little re-coding effort. That is, if you can figure out which process is not your app, and if you can see whether an attempt has been made to access the dll.

As I have stated before, I am not an asm fundi of note, but hopefully the specific methods available today will make things more complicated for today's attackers.

But then again, I don't really know the internal workings of a dll. I know it is used to load up reusable code. It is designed so that a process can access it. And I suppose that you will be able to trace straight from the exe into the dll... that will be a problem, 'cause it is your valid exe calling the dll.

Aah hell, I suppose I'll just use this method to make my life easier with updating and maintaining an app.

I suppose the above method might be able to help detect if your app has been modified, until the point where that is taken away.
Posted on 2004-09-08 08:42:28 by Black iCE
DLLs are absolutely the same as EXEs; they're both PE. DLLs are flagged to let the PE loader know. DLLs are usually mapped around 0x10000, whereas EXEs are normally mapped at 0x400000. An extra field, DllCharacteristics, defines some extended settings for DLLs, and all DLLs have relocs. It's all PE.
Posted on 2004-09-08 10:15:10 by Drocon
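An added example (not code from anyone in this thread) that puts Drocon's description into practice: a small Python reader for the DOS, COFF and optional headers that reports the things the loader looks at, the IMAGE_FILE_DLL bit in Characteristics, the preferred ImageBase, the DllCharacteristics bits and whether a base-relocation directory is present. The two images it parses are constructed in memory by build_sample() (header only, no sections), using the classic MSVC default bases 0x10000000 for a 32-bit DLL and 0x140000000 for a 64-bit EXE; they are not real binaries. Field offsets and flag values are the ones from winnt.h.

```python
"""Minimal PE header reader: tell a DLL from an EXE the way the loader does.

Added example, not code from anyone in this thread. The samples produced by
build_sample() are constructed header-only images, not real binaries.
"""
import struct

# COFF Characteristics bits (winnt.h)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

# A few DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}

BASE_RELOCATION_TABLE = 5  # index of the .reloc entry in the data directory


def parse_pe(data: bytes) -> dict:
    """Return the header facts that distinguish a DLL from an EXE."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if len(data) < opt + opt_size:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        nrva_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        nrva_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +70 in both PE32 and PE32+
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    reloc_size = 0
    if nrva > BASE_RELOCATION_TABLE:
        _reloc_rva, reloc_size = struct.unpack_from(
            "<II", data, dir_off + 8 * BASE_RELOCATION_TABLE)
    return {
        "kind": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "characteristics": chars,
        "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
        "has_relocations": reloc_size > 0,
        "dll_characteristics": [name for bit, name in sorted(DLL_CHARACTERISTICS.items())
                                if dllchars & bit],
    }


def build_sample(is_dll: bool, pe32plus: bool = False) -> bytes:
    """Constructed header-only image (no sections) for demonstration."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew: PE header right after DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE
    chars |= IMAGE_FILE_DLL if is_dll else IMAGE_FILE_RELOCS_STRIPPED
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x014C, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    if pe32plus:
        struct.pack_into("<H", opt, 0, 0x20B)
        struct.pack_into("<Q", opt, 24, 0x180000000 if is_dll else 0x140000000)  # MSVC x64 defaults
        struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
        dir_off = 112
    else:
        struct.pack_into("<H", opt, 0, 0x10B)
        struct.pack_into("<I", opt, 28, 0x10000000 if is_dll else 0x00400000)    # classic MSVC defaults
        struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
        dir_off = 96
    struct.pack_into("<H", opt, 70, 0x0140 if is_dll else 0x0100)  # DYNAMIC_BASE|NX_COMPAT vs NX_COMPAT
    if is_dll:  # a DLL keeps its .reloc table so the loader can rebase it
        struct.pack_into("<II", opt, dir_off + 8 * BASE_RELOCATION_TABLE, 0x3000, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, image in (("sample.dll", build_sample(True)),
                        ("sample.exe", build_sample(False, pe32plus=True))):
        print(name, parse_pe(image))
```

Point the parser at a real file with `parse_pe(open(path, "rb").read())`; the DLL/EXE decision comes purely from the IMAGE_FILE_DLL bit, which is exactly why the two file types are otherwise interchangeable to a disassembler, and why a stripped relocation table on an EXE (common for old linkers) versus a present one on a DLL is one of the few structural differences worth noticing during triage.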
Then what makes dll patching so much more difficult than exe's?
I know it is possible, but why does it usually take longer to do?
Posted on 2004-09-08 10:35:58 by Black iCE