Compressing the to inject dll

c++ / delphi package - dll injection and api hooking
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Post by Davita »

Hello

Does anyone know what would happen if I compress the to-inject dll with tools like UPX or Aspack?
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

It might result in problems. I'd strongly recommend not doing that. See hooking rule 2:

http://help.madshi.net/HookingRules.htm
2. Only do what is absolutely necessary.
When UPXing the hook dll, it will have to be uncompressed again and again in every single running process on the OS. That can't be good for performance. Also doing unUPXing in memory in system processes doesn't seem like a good idea to me.

Hook dlls should try to be as invisible as possible. So they should avoid doing any unnecessary work like uncompressing themselves.
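A pre-deployment check for the packer footprints described above (UPX/ASPack section names, a section with no on-disk data that the unpacker fills at load time, and a high-entropy payload section). This is an added example, not code from the thread or from madCodeHook; the section-name list is an assumption, and the two PE images are constructed inline so the check runs offline.

```python
import hashlib, math, struct

# Section names left behind by UPX and ASPack (assumed list for this check).
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata"}

def entropy(data):
    """Shannon entropy in bits/byte: ~8 for compressed data, ~4-6 for x86 code."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in [data.count(b) for b in set(data)]) if n else 0.0

def pe_sections(image):
    """Yield (name, virtual_size, raw_size, entropy) for each PE section header."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # IMAGE_DOS_HEADER.e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", image, pe + 6)          # NumberOfSections
    opt, = struct.unpack_from("<H", image, pe + 20)          # SizeOfOptionalHeader
    off = pe + 24 + opt                                      # first IMAGE_SECTION_HEADER
    for _ in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        yield name.rstrip(b"\0"), vsize, rsize, entropy(image[rptr:rptr + rsize])
        off += 40

def packing_indicators(image):
    """Reasons to believe the dll will decompress itself at load time; [] if none."""
    hits = []
    for name, vsize, rsize, ent in pe_sections(image):
        if name in PACKER_SECTIONS:
            hits.append(f"{name!r}: packer section name")
        if rsize == 0 and vsize:
            hits.append(f"{name!r}: {vsize:#x} bytes virtual, none on disk (filled by unpacker)")
        if rsize and ent > 7.0:
            hits.append(f"{name!r}: entropy {ent:.2f}, compressed/encrypted payload")
    return hits

def build_pe(sections):
    """Constructed minimal PE: DOS header, COFF header, no optional header, raw data."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2000)
    base, data = len(hdr) + 40 * len(sections), bytearray()
    for name, vsize, raw in sections:
        ptr = base + len(data) if raw else 0
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        data += raw
    return bytes(hdr + data)

# Constructed samples: a plain hook dll and a UPX-style one (empty UPX0, dense UPX1).
PLAIN_DLL = build_pe([(b".text", 0x1000, b"\x55\x8b\xec\x5d\xc3" * 200)])
PACKED_DLL = build_pe([(b"UPX0", 0x20000, b""),
                       (b"UPX1", 0x8000, b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)))])
```

Run `packing_indicators` over the real dll bytes (`open(path, "rb").read()`); an empty list means none of the three footprints is present.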
linden
Posts: 36
Joined: Tue Mar 08, 2005 9:17 am
Location: Japan

Post by linden »

Well, I have some software (it's a program by a Korean AV maker) on my PC that uses madCodeHook; its hooker dll is compressed, and it also has some anti-disassembly tricks in it... and it hooks system wide! Pretty nasty, but it is working. So, I believe there won't be much problem compressing the hooking dll...
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Ok, well, probably it will work, if the uncompression routine doesn't do any nasty stuff like using GUI functions, but still I don't really recommend it. But if you want to use it and it works fine for you, that's ok for me. Good luck!

:D
Sirmabus
Posts: 89
Joined: Fri May 28, 2004 6:20 pm

Post by Sirmabus »

I've used some compressors and some cause problems for sure.
You'll probably have to experiment, as different compressors do different low-level things, and it also depends on which anti-debugger and anti-dumping features you have turned on.
Experiment and do a good amount of stability testing.
uall
Posts: 254
Joined: Sun Feb 20, 2005 1:24 pm

Post by uall »

@linden: link to the Korean AV maker?
linden
Posts: 36
Joined: Tue Mar 08, 2005 9:17 am
Location: Japan

Post by linden »

uall wrote: @linden: link to the Korean AV maker?
I think I should avoid pointing it out explicitly, because Madshi might get upset. But if you are interested, search for "HackShield", and you will get there soon. This product uses madCodeHook. It also uses many kinds of nasty rootkit techniques such as service table hooking, page fault handler hooking, and memory cloaking stuff; it does a complete takeover of the user's PC in order to achieve its goal... Really barbaric!!
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I do not mind at all if you find out yourself which product is using madCodeHook. The only thing is that I can't tell you, because I don't know whether my customers would like that. But if you find it out yourself, that's just fine for me.