As everyone probably already knows, the Windows 7 release candidate was leaked to the interwebs (build 7100). Because I’m an Australian and our technology infrastructure is 5 years behind the rest of the western world I can’t grab the builds straight away due to caps on internet usage and whatnot.
Thanks to maclone though I don’t have to. He was kind enough to rip the binaries I was interested in from the x64 build and send them to me. I figured they might be of use to other people too (there are quite a few changes you’ll need to be aware of if you’re doing heavy API hooking like I am), so I’ve mirrored them to a public link. All credit to maclone for actually pulling these out for me.
Download
Included are both the x86 and x64 versions of Kernel32.dll, Ntdll.dll, User32.dll and KernelBase.dll (new in Windows 7), along with a handful of other Kernel32 sub-binaries which I did not request.
Anyway, this is just a quick post so people can avoid downloading the entire OS unnecessarily if they’re like me and just need a handful of DLLs.
A more interesting post should be incoming today or tomorrow where I’ll be posting usermode rootkit code.
Figured I’d release the current build of my loader for an internal project I’m working on:
Compiled and working on both IA-32 and AMD64.
Compiled and working with both Unicode and MBCS/ASCII compiler flags. (Defaults to Unicode for obvious reasons.)
Also supports unloading the module.
Code is written in C++ with full exception handling (none of this annoying C-based return value checking crap).
Only tested on MSVC++. Visual Studio 2008 project files supplied.
Note: The AMD64 version can only inject into AMD64 processes, and the IA-32 version can only inject into IA-32 processes. It is possible to inject into IA-32 from AMD64 but I didn’t bother because I needed an IA-32 version anyway and the code is much cleaner if I don’t have to support that.
Furthermore, don’t touch the EH compiler settings; they’re set the way they are for a reason, and the code won’t work properly if you change them. If you modify them you can no longer mix SEH and C++ EH, so all the SehGuard code will fail and you won’t be able to proxy SEH to C++ EH. In short: if you don’t know what it does, just leave it alone.
Pretty much all the code should be documented but I might have missed some (I didn’t check). It should be very easy to follow though for any Windows programmer.
Obviously you’ll need to change the module name to the name of your module.
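As an added example (not code from the injector release or from the original post), this is the kind of pre-flight check a loader with the same-bitness restriction described above can run before it hands a module to the injector: read the Machine field from the DLL's PE header and refuse an image whose bitness does not match the injector's own. The function names, `readFile`, and the stand-in headers built by `sampleHeader` are all mine; the sample headers are constructed for testing and are not real DLLs.

```cpp
// Added example, not code from the original post or the injector release: a pre-flight
// check that reads a DLL's PE header and refuses to inject an image whose bitness does
// not match the injector's own (the IA-32/AMD64 restriction the post describes).
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

enum class PeMachine { Unknown, I386, Amd64 };

static uint32_t le32(const std::vector<uint8_t>& b, size_t off)
{
    return uint32_t(b[off]) | uint32_t(b[off + 1]) << 8 |
           uint32_t(b[off + 2]) << 16 | uint32_t(b[off + 3]) << 24;
}

// Walk IMAGE_DOS_HEADER.e_lfanew (offset 0x3C) to the "PE\0\0" signature; the WORD right
// after it is IMAGE_FILE_HEADER.Machine. Every read is bounds-checked so a truncated or
// hostile file yields Unknown instead of an out-of-range read.
PeMachine peMachine(const std::vector<uint8_t>& image)
{
    if (image.size() < 0x40 || image[0] != 'M' || image[1] != 'Z')
        return PeMachine::Unknown;
    const uint32_t e_lfanew = le32(image, 0x3C);
    if (e_lfanew > image.size() || image.size() - e_lfanew < 6)
        return PeMachine::Unknown;
    if (std::memcmp(&image[e_lfanew], "PE\0\0", 4) != 0)
        return PeMachine::Unknown;
    const uint16_t machine = uint16_t(image[e_lfanew + 4]) | uint16_t(image[e_lfanew + 5]) << 8;
    switch (machine) {
    case 0x014c: return PeMachine::I386;    // IMAGE_FILE_MACHINE_I386
    case 0x8664: return PeMachine::Amd64;   // IMAGE_FILE_MACHINE_AMD64
    default:     return PeMachine::Unknown; // ARM, IA-64, garbage: never inject these
    }
}

// The injector's own bitness; it can only load modules of the same kind.
PeMachine selfMachine()
{
    return sizeof(void*) == 8 ? PeMachine::Amd64 : PeMachine::I386;
}

bool canInject(const std::vector<uint8_t>& image)
{
    const PeMachine m = peMachine(image);
    return m != PeMachine::Unknown && m == selfMachine();
}

std::vector<uint8_t> readFile(const std::string& path)
{
    std::ifstream in(path, std::ios::binary);
    return std::vector<uint8_t>(std::istreambuf_iterator<char>(in),
                                std::istreambuf_iterator<char>());
}

// Constructed stand-in headers for testing (not real DLLs): an MZ stub with e_lfanew = 0x40,
// a PE signature and the requested Machine value, little-endian as in the file format.
std::vector<uint8_t> sampleHeader(uint16_t machine)
{
    std::vector<uint8_t> v(0x40 + 24, 0);   // DOS header plus room for IMAGE_FILE_HEADER
    v[0] = 'M'; v[1] = 'Z';
    v[0x3C] = 0x40;                          // e_lfanew (the other three bytes stay zero)
    std::memcpy(&v[0x40], "PE\0\0", 4);
    v[0x44] = uint8_t(machine & 0xFF);
    v[0x45] = uint8_t(machine >> 8);
    return v;
}

int main(int argc, char** argv)
{
    if (argc != 2) { std::fprintf(stderr, "usage: %s <module.dll>\n", argv[0]); return 2; }
    const std::vector<uint8_t> image = readFile(argv[1]);
    if (!canInject(image)) {
        std::fprintf(stderr, "%s: bitness does not match this injector, refusing\n", argv[1]);
        return 1;
    }
    std::puts("module bitness matches; safe to hand to the injector");
    return 0;
}
```

On Windows the target process deserves the same treatment: call IsWow64Process on the opened handle and bail out when a 64-bit injector is pointed at a WOW64 process or a 32-bit one at a native 64-bit process. Without these checks a mismatched module fails inside the remote LoadLibrary call and all the injector ever sees is a zero thread exit code.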
Credits:
Kynox
Greyman
Jeffrey M Richter / Christophe Nasarre
jaredpar
All of GD
Anyone I forgot (let me know)
Download:
Injector v20090421a
Injector v20090421b (Thanks Patrick! <3)