Fragility, Hubris and why I am now using Windows Vista.
Posted by Steve Hanna on January 15th, 2008 filed in Technical. Tags: coding, hacking, hubris, knoppix, oh so VERY emo, proxy dll, registry hacking, trojan dll, unadulterated idiocy, vista is terrible, windows
I’ve been working on a project lately where I create a trojan or proxy DLL to intercept calls as they are made from a program. This DLL must export all of the same functions as the original and forward the execution path to the actual DLL. This isn’t too hard because one can generate a wrapper for every function automagically and then just use __declspec(naked) or absolute jumps in assembly.
I’ve been hacking away at this for some time and I decided that it was time to test this thing out. I had subverted kernel32.dll so that I could be assured it would be loaded into the process space of each program. All of this was done on an XP box and I was ready to at least see some indication that it was working. I put my fake DLL in the same directory as the program I was going to monitor and then launched the application. Nothing happened. After reading a few things, I came to realize that there is a subset of DLLs that the system uses that are always protected. This wasn’t too big of a shock to me; I suspected some sort of protective mechanism was put into place.
Then I thought, hey! This article says that the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs registry key contains all of the safe DLLs, so I could just remove them and it would work! Or so I thought. Being a good hacker, I decided that I would definitely back up the registry key in case I got into trouble. I decided that a virtual machine wasn’t necessary; after all, it was just ONE registry key. Right? Oh no, I was so very wrong.
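The KnownDLLs key named above is the piece worth inspecting before changing anything, so here is an added read-only check (this is not code from the original post): it lists the DLL names the key protects and reports whether any DLL sitting beside a given application collides with one of them, which is exactly the situation where a local copy is ignored. The `$AppDir` parameter is an assumption for the example; point it at any application directory.

```powershell
# Added example, not from the original post. Read-only: it never writes to the registry.
# Lists the DLLs protected by the KnownDLLs key and flags same-named DLLs in $AppDir.
param(
    [string]$AppDir = (Get-Location).Path   # assumed parameter: directory to inspect
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$key = Get-Item -Path $keyPath

# Each value maps a short name (e.g. "kernel32") to a file name (e.g. "kernel32.dll").
# DllDirectory / DllDirectory32 are path values, not DLL entries, so skip them.
$known = @{}
foreach ($name in $key.GetValueNames()) {
    if ($name -in @('DllDirectory', 'DllDirectory32')) { continue }
    $file = $key.GetValue($name)
    if ($file) { $known[$file.ToLowerInvariant()] = $name }
}

Write-Host "KnownDLLs ($($known.Count) entries under $keyPath):"
$known.Keys | Sort-Object | ForEach-Object { Write-Host "  $_" }

Write-Host "`nDLLs found in ${AppDir}:"
Get-ChildItem -Path $AppDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($known.ContainsKey($_.Name.ToLowerInvariant())) {
            # A KnownDLL is always resolved from the system directory, so a local
            # copy here is never what the loader picks up.
            Write-Host ("  SHADOWED by KnownDLLs (local copy ignored): {0}" -f $_.FullName)
        } else {
            Write-Host ("  subject to normal search order:            {0}" -f $_.FullName)
        }
    }
```

Two caveats for anyone comparing this list against what actually loads: the registry key is what Session Manager reads at boot to populate the \KnownDlls object directory, and static dependencies of the listed DLLs are treated as known DLLs too, so the registry list is a lower bound on what is protected. And, as the rest of this post shows, exporting the key first (`reg export`) is not the same as being able to boot again after editing it; a virtual machine or disk snapshot is the only backup that actually covers this change.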
After I rebooted, Session Manager gave me a nasty BSOD. At the time, it didn’t seem like a big deal. Boot into safe mode or the recovery console and fix things. Well, safe mode didn’t work, and the recovery console from every single type of Windows media I could find just caused my machine to BSOD with STOP 0x7. At this point, things were getting serious. I could no longer reach my install which has all of my important data on it (it was backed up, but still). I couldn’t repair, recover nor reinstall. So I decided to try BartPE and guess what, THAT crashed. I then attempted to restore the registry using Knoppix, and anyone who has edited NTFS drives in Linux knows that this is a daunting and dangerous task. After trashing the SECURITY registry hive in Knoppix, I restored it from a backup and inserted the Vista install media. My last ditch effort was to back everything up and attempt to restore the key from inside the Vista recovery console.
And…success, the key was re-merged with the registry! Surely after I reboot the machine everything will work just swimmingly, right, RIGHT?! No. Somehow things were still corrupted and my entire XP install got hosed from changing one apparently incredibly fragile registry key. I explained this situation to Mark, who probably hasn’t used a Windows computer of his own free will in his entire life, and he just commented that the whole situation was ludicrous and that Windows must be incredibly fragile.
Well, it is. I wish I could say this is the first time that I’ve made this mistake, but for some reason I always convince myself that it’s just one key value; what could it possibly hurt? Well, everything. As a result, I am now the proud owner of a completely worthless Windows Vista box that will surely make all programming and development a complete living hell. After finally leaving Soda Hall at about 4am, having been there since about 12pm, I realized that I would never make this mistake again.
Ugh. If anyone knows how to get a proxy DLL to load, for the love of god, send me an email.
I now own a Windows box that is pretending to be a Mac. What a travesty.
January 21st, 2008 at 2:01 pm
P.S. I got the proxy DLL to work!