Re: [s2e-dev] Install hooks in new process (rundll32)


Vitaly Chipounov

Dec 9, 2021, 1:56:05 PM
to s2e...@googlegroups.com, jon

Hi,

LibraryCallMonitor only traces processes configured in the ProcessExecutionDetector plugin. You need to edit s2e-config.lua to include rundll32.exe so that it is traced. Note that LibraryCallMonitor works independently of EasyHook; you can use it to trace calls regardless of whether the process is hooked or not.

Vitaly

On 12/9/21 7:47 PM, jon wrote:
I've used https://adrianherrera.github.io/post/malware-s2e/ to successfully hook functions in malware using CreateProcess to run another exe. 

However, when CreateProcess uses rundll32.exe example.dll, args, although custom-hook.dll appears to be successfully injected into the new process and all available hooks are successfully hooked to that process, none of the APIs are actually hooked during execution. 

Does anyone know why? Notably, I expected the LibraryCallMonitor to report libraries called from the rundll32 process, but it actually reports calls from the 'example' process (corresponding to the name of the dll run above). I suspect this might have something to do with it, i.e., I'm injected into the process belonging to rundll32 and not example.dll. But since they share the same process ID, I'm not sure.

Any help is appreciated.

jon

Dec 9, 2021, 2:20:31 PM
to S2E Developer Forum
Ok, I think I've better narrowed down the problem area. (sorry for the confusion)

I used the CreateProcessHook found here  https://adrianherrera.github.io/post/malware-s2e/ and also wrote a plugin to update the tracked modules (in the ProcessExecutionDetector).  The custom-hook.dll is successfully injected into the new process but I can only hook APIs in the rundll32 process and not the 'malware payload' (passed as an argument to rundll32).  Is that expected behavior?  They both share the same PID.

Vitaly Chipounov

Dec 9, 2021, 2:52:55 PM
to s2e...@googlegroups.com, jon

Which APIs are you trying to hook? If you are using the sample code from the link, there is a function that looks like this:

LhInstallHook(GetProcAddress(GetModuleHandleA(moduleName), functionName), hookFunctions[i], NULL, &hooks[i]);

GetModuleHandleA will fail if the DLL is not already loaded in the process, so you need to call LoadLibrary() on all the DLLs that you want to hook (and that the malware might need) to make sure they are loaded beforehand.

Vitaly

jon

Dec 10, 2021, 2:32:41 PM
to S2E Developer Forum
I would expect that if GetModuleHandleA failed, then I would not get "Successfully hooked ...".  

After I hook CreateProcess to re-inject the custom-hook dll, I get all "Successfully hooked" messages for each function hook. In fact, functions called from rundll32.exe can be hooked, but not from the malware.ttf that is being run (e.g., rundll32.exe malware.ttf, args).

The last function that I can hook in rundll32.exe is LoadLibraryExA, which loads 'malware.ttf'. At this point, the LibraryCallMonitor transitions from "LibraryCallMonitor: rundll32.exe..." to "LibraryCallMonitor: malware.ttf" and the function can no longer be hooked by my custom-hook.dll.  

Vitaly Chipounov

Dec 10, 2021, 3:51:02 PM
to s2e...@googlegroups.com, jon

Hi,

Could you run rundll in windbg and trace api calls there? You should normally see that the first few bytes of a hooked function are replaced by a jump to the hook; if not, then hooking didn't work.

Vitaly
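The check Vitaly describes above (look at the first bytes of the function entry and see whether they were replaced by a jump) can also be done from code inside the target process instead of by hand in WinDbg. The following is an added example, not code from this thread, from S2E or from EasyHook: it decodes the entry bytes and reports the kind of trampoline found and where it jumps. On Windows the bytes would be copied from the live function (for instance from the pointer returned by GetProcAddress, which is the same view that `u kernel32!CreateProcessW` gives in WinDbg); here the byte patterns, the entry addresses and the function names in the comments are constructed so the check runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread, S2E or EasyHook): classify the first
 * bytes at a function entry. An inline hook replaces them with a jump to the
 * hook stub; an intact function starts with its ordinary prologue. */

typedef enum {
    HOOK_NONE = 0,      /* ordinary prologue: nothing patched the entry */
    HOOK_JMP_REL32,     /* E9 rel32: EasyHook/Detours-style inline trampoline */
    HOOK_JMP_REL8,      /* EB rel8: short jump, usually into a nearby stub */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32: jmp [rip+disp32] (x64 encoding) */
    HOOK_PUSH_RET       /* 68 imm32 C3: push addr; ret (x86) */
} hook_kind;

typedef struct {
    hook_kind kind;
    uint64_t  target;   /* where control goes; for HOOK_JMP_INDIRECT the pointer slot */
} hook_info;

/* Decode `len` bytes that were read from virtual address `entry`. */
hook_info inspect_entry(const unsigned char *code, size_t len, uint64_t entry)
{
    hook_info info = { HOOK_NONE, 0 };
    int32_t rel32;

    if (len >= 5 && code[0] == 0xE9) {
        memcpy(&rel32, code + 1, sizeof rel32);          /* little-endian rel32 */
        info.kind   = HOOK_JMP_REL32;
        info.target = entry + 5 + (int64_t)rel32;        /* relative to the next instruction */
    } else if (len >= 2 && code[0] == 0xEB) {
        info.kind   = HOOK_JMP_REL8;
        info.target = entry + 2 + (int64_t)(int8_t)code[1];
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        memcpy(&rel32, code + 2, sizeof rel32);
        info.kind   = HOOK_JMP_INDIRECT;
        info.target = entry + 6 + (int64_t)rel32;        /* x64: RIP-relative pointer slot */
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        uint32_t imm;
        memcpy(&imm, code + 1, sizeof imm);
        info.kind   = HOOK_PUSH_RET;
        info.target = imm;                               /* absolute 32-bit address */
    }
    return info;
}

/* 1 if the entry was patched with a jump, 0 if the original prologue is intact. */
int entry_is_hooked(const unsigned char *code, size_t len)
{
    return inspect_entry(code, len, 0).kind != HOOK_NONE;
}

static const char *kind_name(hook_kind k)
{
    switch (k) {
    case HOOK_JMP_REL32:    return "jmp rel32 (inline hook)";
    case HOOK_JMP_REL8:     return "jmp rel8";
    case HOOK_JMP_INDIRECT: return "jmp [rip+disp32]";
    case HOOK_PUSH_RET:     return "push/ret";
    default:                return "intact prologue (not hooked)";
    }
}

static void report(const char *name, const unsigned char *code, size_t len, uint64_t entry)
{
    hook_info h = inspect_entry(code, len, entry);
    printf("%-16s at %#018llx: %s", name, (unsigned long long)entry, kind_name(h.kind));
    if (h.kind != HOOK_NONE)
        printf(" -> %#018llx", (unsigned long long)h.target);
    putchar('\n');
}

int main(void)
{
    /* Constructed samples: one entry patched by an E9 trampoline, two intact prologues. */
    static const unsigned char hooked[]  = { 0xE9, 0x8B, 0xA9, 0x0B, 0x00, 0xCC, 0xCC, 0xCC };
    static const unsigned char x64_pro[] = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20 };
    static const unsigned char x86_pro[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };   /* mov edi,edi; push ebp; mov ebp,esp */

    report("CreateProcessW", hooked,  sizeof hooked,  0x00007FFA12345670ULL); /* -> 0x7ffa12400000 */
    report("LoadLibraryExA", x64_pro, sizeof x64_pro, 0x00007FFA12346000ULL);
    report("WinExec",        x86_pro, sizeof x86_pro, 0x76A51230ULL);
    return 0;
}
```

If the function you expected to hook reports an intact prologue, the hook was never written into that copy of the function, which matches what jon observes after rundll32 loads the payload; if it reports a jump, follow the target to confirm it lands in custom-hook.dll rather than in some other stub.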

jon

Dec 12, 2021, 11:57:12 AM
to S2E Developer Forum
Given that the hooks work in the malware, and rundll32, but not the dll passed to rundll32, I'm fairly convinced hooking did not work. I guess I'm just trying to figure out why... maybe I'm not accounting for something while re-injecting the custom-hook dll into the process that hosts the execution of rundll32.exe.