IDA Inject plugin
This plugin allows you to inject dlls into a debugged process, either prior to process creation or when the debugger is attached. The injected dll can then do some fancy stuff inside the debugged process.
To realize dll injection before process creation, new import descriptors are added to the image import directory of the debuggee, whereas injection into an already running process is realized via shellcode injection, which in turn loads the dll in question.
In either case, a full path to the dll can be supplied, so it is not necessary for the dll to be in the search path.
To get more info on how this works you can read my blog post or consult the accompanying source code.
Download
The plugin along with the source code can be downloaded from here. If you want to compile the plugin by yourself, you will need the boost library.
Usage
The plugin comes with a GUI which lets you easily add dlls to be injected prior to process creation or after the debugger has been attached. The configuration is written to %IDA_DIR%\cfg\IDAInject.cfg, so this location must be writable by the current user for the plugin to work properly.
You can also control the load order of the dlls.
Note that the dlls to be injected have to export one function with ordinal 1. This is because the FirstThunk array must not be empty, otherwise the OS will refuse to load the dll in question.
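A pre-flight check for the ordinal 1 requirement, added here as an example and not taken from the plugin's source: it reads a dll's export directory and reports whether the export address table has a non-empty slot for ordinal 1. The function names and the sample image built by build_sample_dll are constructed for illustration; the sample fills in only the header fields the parser reads.

```python
import struct

def rva_to_off(pe, rva, sec_tbl, nsec):
    """Map an RVA to a file offset using the section table."""
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, sec_tbl + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA %#x is not backed by a section" % rva)

def exports_ordinal(pe, ordinal=1):
    """True if the export address table has a non-zero slot for `ordinal`."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]   # SizeOfOptionalHeader
    opt = nt + 24
    pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B  # else assume PE32+
    exp_rva = struct.unpack_from("<I", pe, opt + (96 if pe32 else 112))[0]
    if exp_rva == 0:                      # no export directory at all
        return False
    sec_tbl = opt + opt_size
    exp = rva_to_off(pe, exp_rva, sec_tbl, nsec)
    base, nfuncs = struct.unpack_from("<II", pe, exp + 16)
    eat_rva = struct.unpack_from("<I", pe, exp + 28)[0]   # AddressOfFunctions
    idx = ordinal - base                  # ordinals are biased by Base
    if not 0 <= idx < nfuncs:
        return False
    eat = rva_to_off(pe, eat_rva, sec_tbl, nsec)
    return struct.unpack_from("<I", pe, eat + 4 * idx)[0] != 0

def build_sample_dll(base, eat):
    """Constructed sample: only the fields the parser reads are filled in."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)               # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)          # i386, one section
    struct.pack_into("<HH", img, 0x94, 0xE0, 0x2102)      # opt. header size, DLL flags
    struct.pack_into("<H", img, 0x98, 0x10B)              # PE32 magic
    struct.pack_into("<II", img, 0xF8, 0x1000, 0x28 + 4 * len(eat))  # export dir entry
    img[0x178:0x17E] = b".edata"
    struct.pack_into("<4I", img, 0x180, 0x200, 0x1000, 0x200, 0x400)
    struct.pack_into("<II", img, 0x410, base, len(eat))   # Base, NumberOfFunctions
    struct.pack_into("<I", img, 0x41C, 0x1028)            # AddressOfFunctions
    struct.pack_into("<%dI" % len(eat), img, 0x428, *eat)
    return bytes(img)
```

For a real dll, pass the file contents, e.g. exports_ordinal(open(path, "rb").read()), before adding the dll to the plugin's list.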
If you find bugs or have suggestions for improvement just drop me a mail or create a new forum topic.
Changelog
07/14/2008 - v1.0.3
Bugfix: Injection failed in some cases (see N-InjectLib)
07/06/2008 - v1.0.2
Bugfix: Injection failed if IMAGE_DIRECTORY_ENTRY_IAT was zero, which is true for most packed PE images
06/28/2008 - v1.0.1
Bugfix: The dll failed to inject on process start if it wasn't in the search path