flat assembler
Message board for the users of flat assembler.
 Home   FAQ   Search   Register 
 Profile   Log in to check your private messages   Log in 
flat assembler > Heap > Dll names require double-null termination?

Author
Thread Post new topic Reply to topic
Ben321



Joined: 07 Dec 2017
Posts: 20

Dll names require double-null termination?

I was just using a hex editor to look at an import table in an EXE file. I noticed that each name is a string that is not terminated by a single null byte, but rather by a pair of null bytes. In assembly that would look like

Code:

db "mydll1.dll",0,0,"mydll2.dll",0,0,"mydll3.dll",0,0,"mydll4.dll",0,0



instead of what I was expecting, which would have been

Code:

db "mydll1.dll",0,"mydll2.dll",0,"mydll3.dll",0,"mydll4.dll",0




In fact, I found that when I manually created an import table with single-nul l termination of the dll name strings, in an exe file with a hex editor, and then tried to run it, it didn't work. When I then loaded it in OllyDbg it showed that that the Windows loader failed to even load the exe file. But changing all the dll names to be double-null terminated strings fixed it completely.

Why does Windows require a double null termination on the dll names in import tables?
Post 11 Dec 2017, 01:11
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15484
Location: Front row seats, please


Ben321 wrote:
In fact, I found that when I manually created an import table with single-nul l termination of the dll name strings, in an exe file with a hex editor, and then tried to run it, it didn't work. When I then loaded it in OllyDbg it showed that that the Windows loader failed to even load the exe file. But changing all the dll names to be double-null terminated strings fixed it completely.

It is not the double null that you need, it is the even alignment of the DLL name. Try it with "mydll1x.dll" and a single null.

BTW: You don't need a hex editor to make import/library tables, just modify the file "IMPORT32.INC" and assemble with fasm.
Post 11 Dec 2017, 01:18
View user's profile Send private message Visit poster's website Reply with quote
TheRaven



Joined: 22 Apr 2008
Posts: 87
Location: U.S.A.

+1 to revo

Simply editing the strings (in this example) in a compiled system with a hex editor is going to wreak havoc on addressing within the app and the loader will note discrepancy thus not load the file; if the loader cannot reasonably identify or suspect questionable code due to addressing inconsistency it will not load the file into memory --more of a security feature (surprising considering it's M$).
Post 11 Feb 2018, 03:07
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >

Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2005 phpBB Group.

Main index   Download   Documentation   Examples   Message board
Copyright © 2004-2017, Tomasz Grysztar.