flat assembler
Message board for the users of flat assembler.
Index
> Windows > DLL Export Forwarding Goto page 1, 2 Next |
Author |
|
macomics 07 Apr 2022, 20:45
Code: library kernel, "kernel32.dll",\ user, "user32.dll",\ shcore, "SHCore.dll" ; or ; shcore, "C:\Windows\System32\SHCore.dll" import shcore,\ \; by name DllCanUnloadNow, "DllCanUnloadNow",\ \; by ordinal ord243, 243 |
|||
07 Apr 2022, 20:45 |
|
Tomasz Grysztar 07 Apr 2022, 20:54
Code: format PE GUI 4.0 DLL entry DllEntryPoint include 'win32a.inc' section '.text' code readable executable proc DllEntryPoint hinstDLL,fdwReason,lpvReserved mov eax,TRUE ret endp section '.edata' export data readable export 'DEMO.DLL',\ __forward_MBox,'MBox' __forward_MBox db 'C:\Windows\System32\User32.dll.MessageBoxA' ; the string must reside in the export section section '.reloc' fixups data readable discardable if $=$$ dd 0,8 ; if there are no fixups, generate dummy entry end if |
|||
07 Apr 2022, 20:54 |
|
AE 07 Apr 2022, 21:01
|
|||
07 Apr 2022, 21:01 |
|
AE 12 Apr 2022, 16:57
Tomasz Grysztar
Can this approach cause errors on Windows 7? Everything works fine on my 10, but when I run VirtualBox with Win7, I get 0xc0000005 error. Code example: Code: format PE64 console entry start include 'win64a.inc' section '.text' code readable executable start: sub rsp,8 cinvoke printf, <'%s',13, 10,13, 10>, ' * Function call test' add esp, 8 invoke VerLanguageNameA, 0, buff, 64 test rax, rax jz @wrong cinvoke printf, <'%s',13, 10,13, 10>, ' * Function call - OK' add esp, 8 jmp @f @wrong: cinvoke printf, <'%s', 13,10>, ' * Something goes wrong :(' add esp, 8 @@: cinvoke getch invoke ExitProcess,0 section '.data' data readable writeable buff db 64 dup (00h) section '.idata' import data readable writeable library kernel32,'KERNEL32.DLL', version,'version.dll', msvcrt, 'msvcrt.dll' import version, VerLanguageNameA, 'VerLanguageNameA' import msvcrt, printf, 'printf', getch, '_getch' import kernel32, ExitProcess, 'ExitProcess' Code: format PE64 GUI 5.0 DLL entry DllEntryPoint include 'win64a.inc' section '.text' code readable executable proc DllEntryPoint hinstDLL,fdwReason,lpvReserved cmp rdx, DLL_PROCESS_ATTACH jne @f @RT: mov rax, TRUE ret @@: cmp rdx, DLL_THREAD_ATTACH jne @f ret @@: cmp rdx, DLL_THREAD_DETACH jne @f ret @@: cmp rdx, DLL_PROCESS_DETACH jne @f ret @@: ret endp section '.edata' export data readable export 'version.dll',\ __forward_VerLanguageNameA, 'VerLanguageNameA' __forward_VerLanguageNameA db 'C:\Windows\System32\version.dll.VerLanguageNameA',0 section '.reloc' fixups data readable discardable if $=$$ dd 0,8 end if |
|||
12 Apr 2022, 16:57 |
|
revolution 12 Apr 2022, 17:49
AE wrote:
But worse, you should only use RSP anyway. It is 64-bit code, all addresses are 64-bit. |
|||
12 Apr 2022, 17:49 |
|
AE 12 Apr 2022, 18:00
revolution wrote: You shouldn't use manual RSP fixup, the macro does it for you. My bad, not cleaned up the source code properly, fixups were added while searching for possible ways to fix the program crashes. In this configuration error occurs in ntdll.RtlInitAnsiString Also I can't get the address of the procedure with GetProcAddress. Of course there is a chance that it is a bug in the virtual machine, unfortunately I don't have a possibility to check it on a live Win7. |
|||
12 Apr 2022, 18:00 |
|
revolution 12 Apr 2022, 18:20
Note that some of the x64 macros have a flaw that pre-adjust RSP before the entry point is reached. This can cause the crash you see because of an unaligned stack.
To avoid this problem you can use Code: and rsp,-16 ; avoid sub rsp, 8 |
|||
12 Apr 2022, 18:20 |
|
AE 12 Apr 2022, 19:15
revolution wrote: you can use Thx. Unfortunately this does not solve the problem because it is in a dll, not in a test program (you can ignore it at all, it is presented as an example for quick testing) If you remove the dll file from the program folder, it runs perfectly correctly, calling the function from the original library in the system32. I tried to get the address of the procedure by name (from a high-level language application) and GetProcAddress returned zero. I can't understand why this is happening, forwarding should work on Win7. |
|||
12 Apr 2022, 19:15 |
|
macomics 12 Apr 2022, 20:55
Here I immediately suggested not to build a vegetable garden, but to create files of lists of static function imports.
|
|||
12 Apr 2022, 20:55 |
|
AE 12 Apr 2022, 21:03
macomics wrote: Here I immediately suggested not to build a vegetable garden, but to create files of lists of static function imports. Google Translator does not understand Russian phraseology But even leaving that aside, I didn't get the point |
|||
12 Apr 2022, 21:03 |
|
bitRAKE 12 Apr 2022, 21:52
SHCore.dll, 243 is not defined export in 64-bit? MS isn't reporting a public symbol for this ordinal either. They report the others for SHCore.dll, so probably only exist in some 32-bit (not mine).
_________________ ¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup |
|||
12 Apr 2022, 21:52 |
|
AE 12 Apr 2022, 22:11
bitRAKE wrote: SHCore.dll, 243 is not defined export in 64-bit? MS isn't reporting a public symbol for this ordinal either. They report the others for SHCore.dll, so probably only exist in some 32-bit (not mine). Look at source code I've posted there is version.dll not SHCore |
|||
12 Apr 2022, 22:11 |
|
macomics 12 Apr 2022, 22:14
AE wrote:
Code: format PE64 GUI 5.0 DLL entry DllEntryPoint include 'win64a.inc' section '.text' code readable executable proc DllEntryPoint hinstDLL,fdwReason,lpvReserved cmp rdx, DLL_PROCESS_ATTACH jne @f @RT: mov rax, TRUE ret @@: cmp rdx, DLL_THREAD_ATTACH jne @f ret @@: cmp rdx, DLL_THREAD_DETACH jne @f ret @@: cmp rdx, DLL_PROCESS_DETACH jne @f ret @@: ret endp ; It's much shorter than creating a string for each function. __forward_VerLanguageNameA: jmp [VerLanguageNameA] section '.edata' export data readable export 'version.dll',\ __forward_VerLanguageNameA, 'VerLanguageNameA' ; __forward_VerLanguageNameA db 'C:\Windows\System32\version.dll.VerLanguageNameA',0 section '.reloc' fixups data readable discardable if $=$$ dd 0,8 end if After all the experiments are over, you can already create a library. |
|||
12 Apr 2022, 22:14 |
|
bitRAKE 12 Apr 2022, 22:14
revolution already solved that mystery though, lol.
Please use a debugger. (Look in the bottom right corner at the stack. Watch as you F8-F8... See the least nibble of RSP - it must be zero before API call.) Code: push rax cinvoke printf, <'%s',13, 10,13, 10>, ' * Function call test' ; add esp, 8 invoke VerLanguageNameA, 0, buff, 64 test rax, rax jz @wrong cinvoke printf, <'%s',13, 10,13, 10>, ' * Function call - OK' ; add esp, 8 jmp @f @wrong: cinvoke printf, <'%s', 13,10>, ' * Something goes wrong ' ; add esp, 8 @@: cinvoke getch invoke ExitProcess,0 |
|||
12 Apr 2022, 22:14 |
|
AE 12 Apr 2022, 22:33
macomics wrote: It's much shorter than creating a string for each function Isn't it a short way to infinite loop The whole point of the full path design is to redirect the call directly to the original function without having to dynamically calculate the address of the function and without getting performance loss. bitRAKE, just a moment, I'll check... nope Look at this post You can test it right only if you have a Win7, on Win10 code works as expected! |
|||
12 Apr 2022, 22:33 |
|
AE 12 Apr 2022, 23:14
Maybe it's really virtual machine bug?... Anyone with Win7 here?
Last edited by AE on 17 Apr 2022, 09:11; edited 1 time in total |
|||
12 Apr 2022, 23:14 |
|
bitRAKE 12 Apr 2022, 23:15
Win7 is the only 64-bit I don't have here, at the moment. But I was able to try it on WinXP and it does not work there either.
Works on Win8! Some change to the loader perhaps. |
|||
12 Apr 2022, 23:15 |
|
AE 12 Apr 2022, 23:37
I've check double forwarding (in fact VerLanguageNameA in original version.dll also forwaded -> KERNEL32.VerLanguageNameA) and it also not the crashes cause.
We need to go deeper... Code: 1: rcx 000000000006F238 L"\v\f" 2: rdx 0000000074DE204F 3: r8 00000000000E3E90 L"version.dll" 4: r9 000000000040305E "version.dll" 5: [rsp+28] 0000000000000001 0000000077697F80 < | 48:83EC 08 | sub rsp, 8 | RtlInitAnsiString function 0000000077697F84 | 33C0 | xor eax, eax | 0000000077697F86 | 48:8951 08 | mov qword ptr ds:[rcx + 8], rdx | [rcx+8]:"version.dll" 0000000077697F8A | 66:8901 | mov word ptr ds:[rcx], ax | rcx:L"\v\f" 0000000077697F8D | 66:8941 02 | mov word ptr ds:[rcx + 2], ax | 0000000077697F91 | 48:85D2 | test rdx, rdx | 0000000077697F94 | 74 33 | je ntdll.77697FC9 | 0000000077697F96 | 4C:8BC1 | mov r8, rcx | r8:L"version.dll", rcx:L"\v\f" 0000000077697F99 | 48:83C9 FF | or rcx, FFFFFFFFFFFFFFFF | rcx:L"\v\f" 0000000077697F9D | 48:893C24 | mov qword ptr ss:[rsp], rdi | 0000000077697FA1 | 48:8BFA | mov rdi, rdx | 0000000077697FA4 | F2:AE | repne scasb | <----- CRASH HERE ON WIN7 0000000077697FA6 | 48:8B3C24 | mov rdi, qword ptr ss:[rsp] | 0000000077697FAA | 48:F7D1 | not rcx | rcx:L"\v\f" 0000000077697FAD | 48:FFC9 | dec rcx | rcx:L"\v\f" 0000000077697FB0 | 48:81F9 FFFF0000 | cmp rcx, FFFF | rcx:L"\v\f" 0000000077697FB7 | 0F83 D9F10000 | jae ntdll.776A7196 | 0000000077697FBD | 6641:8908 | mov word ptr ds:[r8], cx | r8:L"version.dll" 0000000077697FC1 | 66:FFC1 | inc cx | 0000000077697FC4 | 6641:8948 02 | mov word ptr ds:[r8 + 2], cx | r8+2:L"ersion.dll" 0000000077697FC9 | 48:83C4 08 | add rsp, 8 | 0000000077697FCD | C3 | ret | 0000000077697FCE | 48:8BB424 18010000 | mov rsi, qword ptr ss:[rsp + 118] | [rsp+118]:"ZЂ" 0000000077697FD6 | E9 F7000000 | jmp ntdll.776980D2 | Last edited by AE on 13 Apr 2022, 04:42; edited 1 time in total |
|||
12 Apr 2022, 23:37 |
|
macomics 13 Apr 2022, 00:51
Quote: Isn't it a short way to infinite loop Code: format PE64 GUI 5.0 DLL entry DllEntryPoint include 'MACRO/IMPORT64.INC' section '.idata' import data readable writeable library kernel32, 'C:\WinWin\kernel32.dll',\ kernel, 'kernel32.dll' import from kernel32,\ my_func, "my_func_name" import from kernel,\ ExitProcess, "ExitProcess" ... |
|||
13 Apr 2022, 00:51 |
|
Goto page 1, 2 Next < Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.