Other Projects

Bug reports & feature requests regarding any of the other projects

N-InjectLib, Unicode support for library to inject name

Could you please make unicode string support for this method:

void writeIAT(const std::string& dll);

Like this:
void writeIAT(const std::wstring& dll);

ANSI version works with full path just great!
iatModifier.writeIAT( "D:\\SomeDir\\MyLib.dll" );

Would like to use Unicode:
iatModifier.writeIAT( L"D:\\Some Unicode Dir Name\\Unicode Lib Name.dll" );

Thanks in advance.

NInject on x64 process

I am trying to use NInjectLib for injecting a process started by me. While everything works fine on 32 bits, 64 bits fail.

I made 2 changes to the code in order to support 64 bits:

1) Changed the way GetImageBase works -- GetThreadSelectorEntry does not work on x64. Solved by getting the ImageBase using NtQueryInformationProcess.
2) Changed the code around "IMAGE_ORDINAL_FLAG | 1" to support the 64 bit version of IMAGE_ORDINAL_FLAG.

I did not find anything else that is different between the 32 and 64 versions of the PE. However, when I inject a 64 bit process with a 64 bit DLL, I get a C0000005 error "The application failed to start correctly".
Injecting a 32 bit process with a 32 bit version of the same DLL works.

Any thoughts?

Oren

How to fix the compile error about "std::end" at Visual Studio 2010

Just want to thank you for your great work on library "N-InjectLIB" !!!

Just want to show you a bug and how to solve it:

If you try to compile it on Visual Studio 2010 you should get an error about std::end conflict at every asm code:

"mov e, offset end"
"jmp end"
"end:"

To fix that, just change all "end" to anything else, like "endnow".

Tips for beginners?

Hello,

I am currently doing an apprenticeship as an IT specialist and am very interested in topics around programming and the exact structure and execution of programs. That made the topics of your talks all the more interesting to me, although as a comparative beginner I unfortunately do not understand very much of them yet :(.

IDAStealth Error

Hello, I do not speak English. I use the IDAStealthRemote plugin, default port 4242.
Error output:
Usage: IDAStealthRemote.exe
Using standard port 4242
Starting server...
Accepted connection from
Error while handling connection: End of file

Help me. IDA version 6.0

N-InjectLib - VS2010 - C2415 in inline __asm

mov e, offset end

On all 3 occurrences error C2415 shows up (invalid operand).
Changing the label name helped.

N-Inject help.

You mention "Two techniques are available to inject a dll: the target process can be started by using the library so the first dll loaded actually is the dll to be injected, or dlls can be injected anytime while the target process is running." Your simple example is of the former but I need the latter and I can't find any examples for this.

Can anyone help?

HASP Protection

Hello,

[ollydbg] another trick to bypass winlicense 2.1.1.0 under xp/2003 RtlUnicodeToMultiByteN

I have found some interesting things missing from IDAStealth, so you may be interested to look in these procedures. I name OllyStealth the plugin I'm designing for OllyDBG, mainly based on your plugin, and I notice it requires patches to run because OllyDBG is found, but I have found the right hooks to apply to bypass winlicense on XP+Win2003+Win7

*** = not in IDAStealth

Under Windows 7 + OllyStealth against Winlicense 2.1.1.0
1 - IsDebuggerPresent (patch peb.beingdebugged)
2 - NtGlobalFlag (patch global heap flags)
3 - Fake parent process (change to explorer.exe)

Missing anti debug trick caught

Tool used:
App: Newsleecher 4.0 beta16 Trial
plugins debuggers: IDA licensed + IDAStealth / Olly + OllyStealth (a temp port of your plugin yet private)
protection: Winlicense (unknown version but I think 2.1.1.0 because I think recently they removed version scanning the memory)

Under IDA:
To successfully bypass all protections these 3 antidebug tricks are required:
-IsDebuggerPresent
-NtGlobalFlags (patch global heap flags)
-Fake parent process (set to explorer.exe)
If I uncheck one of these 3, it no longer works around the protections,

Under OllyDBG:
