kyleflow
Posted July 3, 2023

How To Inject

Step 1)
1) Open OllyDbg.
2) Drag & drop an EXE file onto OllyDbg (File > Open).
3) Run the program with F9.
While attaching is in progress you will see the text "Running" in the bottom right corner. When attaching is completed, you will see the text "Paused" in the bottom right corner.

Step 2)
1) Now find a free space where you can add the DLL you want to inject. Find NOPs or DB 00 or any part of the .EXE (if that has no important code). If you have already chosen the part where you want to inject the DLL, copy the offset of that part to a temp list file.
2) Select several consecutive blank lines. Operate Right Click -> Binary -> Edit (CTRL + E).
3) A MessageBox will appear with the title "Edit code at ..."; type the name of your DLL. Press the OK button after typing the name of the DLL. After pressing the OK button, you will see random characters. Be careful to type the name of the DLL in "ASCII", because assembly code is upper & lower case sensitive.

Step 3)
1) Press CTRL + A and the name will appear.
2) Skip a few lines after the typed name of your DLL and press the Space Bar.
3) Type EntryPoint.
Copy the first paragraph's first line to the clipboard with Right Click -> Copy -> Clipboard ( (1) in list_offests.asm ).
Copy the second paragraph's first line to the clipboard with Right Click -> Copy -> Clipboard ( (2) in list_offests.asm ).

Step 4)
1) Find a free space somewhere above the code you wrote.
2) After finding a free space, select several consecutive blank lines.
3) Operate Right Click -> Binary -> Fill with NOP's.

Step 5)
1) Select the first paragraph's first line again.
2) Operate Right Click -> Assemble.
3) Type push 772A3163 ( (1) in list_offests.asm ).

Step 6)
1) Select the same line again, then press CTRL + N and a new window will appear.
2) Find and copy the offset of LoadLibraryA.
3) Operate Right Click -> Copy to Clipboard -> Address ( (3) in list_offests.asm ). Please make sure to copy the correct line of the LoadLibraryA offset.

Step 7)
1) Type call dword ptr ds:[7501B2D0] ( (3) in list_offests.asm ).
2) Type push 750D3C0D ( (2) in list_offests.asm ).
3) Type push eax.

Step 8)
1) Operate CTRL + N again.
2) Find GETPROCESSADDRESS.
3) Operate Right Click -> Copy to Clipboard -> Address.

Step 9)
1) Type call dword ptr ds:[7501B980] ( (4) in list_offests.asm ).
2) Type push eax.
3) Go to the origin with Right Click -> Go To -> Origin and operate Right Click -> Copy -> To Clipboard ( (5) in list_offests.asm ).
4) Return to the code again. Type JMP 750308B2 ( (5) in list_offests.asm ).
5) Save the file: operate Right Click -> Copy -> Select All, then Copy to executable -> All Modifications and copy all, then Right Click -> Save File.
6) Return to the ASCII sample.dll and Right Click -> Copy -> To clipboard.

Step 10)
1) Open PE Explorer and open the EXE file. Change the Address of Entry Point to the new EntryPoint.
2) Type 750D3BAF.
3) Click the green check box and OK.
4) Operate File > Save File As and save the EXE.

Based on these steps, if I run the program with F9, the offset values are different from when I did it without F9. When I used F9, addresses like LoadLibraryA were not available with the CTRL + N search. Without F9 the process flows as intended, but the hooking does not give the same outcome.

For a detailed reference for these steps, you can refer to this GitHub post: https://github.com/Dentrax/DLL-Injection-with-Assembly/tree/master/inject_tutorial

Can anyone who knows better than me help? The GS I used is not compatible. I can't simply use CFF. I hope anyone who has knowledge about this can guide me.
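From the defender's side, the end result of the procedure above is an EXE whose AddressOfEntryPoint points into padding at the tail of a code section; the check below, added here as an example and not code from the post or from the linked repository, parses the PE headers and flags that pattern. The minimal PE builder, its byte patterns and the three heuristics (non-executable section, entry beyond VirtualSize, NOP/zero run before the entry) are constructed for illustration and are assumptions, not a signature.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes

def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section header tuples) from a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    return entry, [struct.unpack_from(SECTION_FMT, data, table + 40 * i) for i in range(nsections)]

def check_entry_point(data):
    """Heuristics for an entry point redirected into a code cave; returns (section name, findings)."""
    entry, sections = parse_pe(data)
    for name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags in sections:
        if not vaddr <= entry < vaddr + max(vsize, rawsize):
            continue
        findings = []
        if not flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry in non-executable section")
        if entry >= vaddr + vsize:
            findings.append("entry in section slack beyond VirtualSize")
        off = rawptr + (entry - vaddr)  # file offset of the entry point
        lead = data[max(rawptr, off - 16):off]  # bytes just before the entry, inside the section
        if len(lead) == 16 and all(b in (0x00, 0x90) for b in lead):
            findings.append("entry preceded by a NOP/zero padding run (code cave)")
        return name.rstrip(b"\0").decode(), findings
    return None, ["entry outside every section"]

def build_sample(entry_rva, raw, vsize):
    """Constructed minimal PE32 with one .text section (RVA 0x1000, file offset 0x200); not a real binary."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 opt header
    opt = struct.pack("<H14xI", 0x10B, entry_rva).ljust(224, b"\0")  # magic + AddressOfEntryPoint
    sec = struct.pack(SECTION_FMT, b".text", vsize, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return header + raw.ljust(0x200, b"\0")

# Constructed inputs: a clean image, and one whose entry was moved into the padding after the real code.
CLEAN = build_sample(0x1000, b"\x55\x89\xe5\xc3", 4)
CAVE = b"\x90" * 16 + b"\x68\x00\x00\x00\x00"  # NOP run then a placeholder push, standing in for a stub
HIJACKED = build_sample(0x1110, b"\x55\x89\xe5\xc3".ljust(0x100, b"\0") + CAVE, 4)
```

Running check_entry_point over a real file read with open(path, "rb").read() reports the section that owns the entry point and which heuristics fired; a clean build yields an empty findings list.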