
Module Spoof

1.1 Introduction:

Recently I thought of a way to spoof the in-memory location of a DLL. The goal is to keep a sensitive module away from an attacker scanning the process: the only ways left to find the real module are to brute-force the address space page by page or to reverse the application. This project spoofs the DLL location by trapping and redirecting the process's internal API calls to the spoofed location. To explain this I made a picture:

(overview image)

The picture shows that internal calls to functions such as GetModuleHandleW, GetModuleHandleExW, GetProcAddress and GetProcAddressForCaller return the spoofed location. Anything inspecting the process from the outside still sees the DLL at the address that the PEB loader list entry (PEB->Ldr entry for protected.dll) reports.

1.2 Technical details:

To achieve this I found two alternatives. One way is to hook LoadLibrary and, when it is called with the right module name, manually map our DLL to another location. This has a drawback: we must make sure the application's own code never gets a handle to the non-spoofed DLL, because using it would crash the application. Guaranteeing that is difficult, since many Win32 API functions report the non-spoofed location and every one of them would need to be hooked.

The other way I found is from a public repository [1]. For details of how it works I suggest reading that project's code. From what I've heard, some anti-cheats use this solution to break attackers' programs.

1.3 Honeypot:

The non-spoofed DLL is also honeypotted to detect anyone trying to access its memory (also shown in the picture). To demonstrate this functionality I recorded a video of accessing the DLL.

(video)

The honeypot catches most attackers, but it is easy to avoid: a reader that first queries the page state (for example with VirtualQuery/VirtualQueryEx) and only reads committed, accessible pages never touches the trap.
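The "check before you read" evasion described above, as an added example (this is not code from the ModuleSpoof project). How the project's honeypot actually detects access is not described on this page; the example assumes an inaccessible page (PAGE_NOACCESS on Windows, PROT_NONE on POSIX) as a stand-in for the trap. The Windows path is the one this page is about; the POSIX path parses /proc/self/maps so the same logic can be exercised on a non-Windows build.

```cpp
// Added example, not from the ModuleSpoof project. A careful memory reader
// that checks page state before touching memory, which is the evasion the
// text describes. An inaccessible page stands in for the honeypot (assumption).
#define NOMINMAX
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#else
#include <fstream>
#include <string>
#include <sys/mman.h>
#include <unistd.h>
#endif

static size_t page_size() {
#ifdef _WIN32
    SYSTEM_INFO si; GetSystemInfo(&si); return si.dwPageSize;
#else
    return static_cast<size_t>(sysconf(_SC_PAGESIZE));
#endif
}

// The check that defeats the trap: is the page holding `addr` committed and
// readable, with neither guard nor no-access protection on it?
static bool page_is_readable(const void* addr) {
#ifdef _WIN32
    MEMORY_BASIC_INFORMATION mbi{};
    if (VirtualQuery(addr, &mbi, sizeof(mbi)) == 0) return false;
    if (mbi.State != MEM_COMMIT) return false;
    if (mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS)) return false;
    return true;
#else
    // /proc/self/maps lines read "start-end perms ..."; 'r' first means readable.
    const uintptr_t a = reinterpret_cast<uintptr_t>(addr);
    std::ifstream maps("/proc/self/maps");
    std::string line;
    while (std::getline(maps, line)) {
        unsigned long start = 0, end = 0; char perms[5] = {0};
        if (std::sscanf(line.c_str(), "%lx-%lx %4s", &start, &end, perms) != 3) continue;
        if (a >= start && a < end) return perms[0] == 'r';
    }
    return false;
#endif
}

// Copy `len` bytes from `src` into `out` one page at a time, skipping every
// page that would fault (those bytes stay 0). Returns the number of pages skipped.
static size_t safe_read(const void* src, size_t len, std::vector<uint8_t>& out) {
    const size_t ps = page_size();
    const uint8_t* p = static_cast<const uint8_t*>(src);
    out.assign(len, 0);
    size_t skipped = 0;
    for (size_t off = 0; off < len;) {
        const uintptr_t cur = reinterpret_cast<uintptr_t>(p + off);
        const uintptr_t page_end = (cur & ~static_cast<uintptr_t>(ps - 1)) + ps;
        const size_t chunk = std::min(len - off, static_cast<size_t>(page_end - cur));
        if (page_is_readable(p + off)) std::memcpy(out.data() + off, p + off, chunk);
        else ++skipped;
        off += chunk;
    }
    return skipped;
}

struct DemoResult { size_t skipped; bool first_ok; bool middle_zero; bool last_ok; };

// Three pages filled 'A'/'B'/'C'; the middle page is then made inaccessible and
// plays the honeypot. A plain memcpy over the region would fault there;
// safe_read copies the two live pages and never touches the trap.
static DemoResult run_demo() {
    const size_t ps = page_size(), total = 3 * ps;
#ifdef _WIN32
    uint8_t* region = static_cast<uint8_t*>(
        VirtualAlloc(nullptr, total, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE));
    if (!region) return DemoResult{0, false, false, false};
#else
    void* m = mmap(nullptr, total, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return DemoResult{0, false, false, false};
    uint8_t* region = static_cast<uint8_t*>(m);
#endif
    std::memset(region, 'A', ps); std::memset(region + ps, 'B', ps); std::memset(region + 2 * ps, 'C', ps);
#ifdef _WIN32
    DWORD old = 0; VirtualProtect(region + ps, ps, PAGE_NOACCESS, &old);  // arm the trap
#else
    mprotect(region + ps, ps, PROT_NONE);                                  // arm the trap
#endif
    std::vector<uint8_t> buf;
    DemoResult r{};
    r.skipped = safe_read(region, total, buf);
    r.first_ok = buf[0] == 'A' && buf[ps - 1] == 'A';
    r.middle_zero = buf[ps] == 0 && buf[2 * ps - 1] == 0;
    r.last_ok = buf[2 * ps] == 'C' && buf[total - 1] == 'C';
#ifdef _WIN32
    VirtualFree(region, 0, MEM_RELEASE);
#else
    munmap(region, total);
#endif
    return r;
}

static bool demo_passes() {
    const DemoResult r = run_demo();
    return r.skipped == 1 && r.first_ok && r.middle_zero && r.last_ok;
}

int main() {
    const DemoResult r = run_demo();
    std::printf("pages skipped: %zu first=%d middle-zero=%d last=%d\n",
                r.skipped, r.first_ok, r.middle_zero, r.last_ok);
    return demo_passes() ? 0 : 1;
}
```

The point for the defender is that a page-state query never touches the page, so a honeypot built on inaccessible or guard pages only catches readers that copy blindly; an attacker who does this check (or reads through a copying API that fails cleanly instead of faulting) walks past the trap without tripping it.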

1.4 Proof of concept:

I made a simple proof of concept for this idea, which can be found here: https://github.com/Oliver-1-1/ModuleSpoof. It is a C++ project that spoofs the location of protected.dll. Protected.dll includes basic tests to show that the spoofing works. I also tested this on game DLLs, but without success. The most likely reason it fails is that the manual mapping is faulty or that I forgot to hook a function. I might fix this in the future if I get motivated.

1.5 References:

[1] https://github.com/changeofpace/Self-Remapping-Code

[2] https://github.com/Oliver-1-1/ModuleSpoof

Other sources are cited in the code.

Contributors: oliver-1-1