flat assembler
Message board for the users of flat assembler.

Index > Windows > Load DLL directly from memory (no file)

Author
Thread Post new topic Reply to topic
MUFOS



Joined: 17 Apr 2016
Posts: 47
MUFOS 25 Apr 2016, 21:02
Hello there,

I am wondering if it is possible to load a DLL from memory (for instance from resources, or from a buffer that has been read to from a file), and call its entrypoint. (without using LoadLibrary which requires a physical file, but rather straight from memory).
Post 25 Apr 2016, 21:02
View user's profile Send private message Reply with quote
Trinitek



Joined: 06 Nov 2011
Posts: 257
Trinitek 25 Apr 2016, 22:08
https://www.joachim-bauch.de/tutorials/loading-a-dll-from-memory/

It basically says that you need to write your own PE loader. Seems trivial as far as I can tell.
Post 25 Apr 2016, 22:08
View user's profile Send private message Reply with quote
MUFOS



Joined: 17 Apr 2016
Posts: 47
MUFOS 26 Apr 2016, 07:48
Trinitek wrote:
https://www.joachim-bauch.de/tutorials/loading-a-dll-from-memory/

It basically says that you need to write your own PE loader. Seems trivial as far as I can tell.


In other words; should I just follow that guide and translate the code to fasm?
Post 26 Apr 2016, 07:48
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20409
Location: In your JS exploiting you and your system
revolution 26 Apr 2016, 09:10
Trinitek wrote:
It basically says that you need to write your own PE loader. Seems trivial as far as I can tell.
Loading the PE file is easy. Properly linking to all the required DLLs (if any) is hard. And things like the SxS system will not be available to you.
Post 26 Apr 2016, 09:10
View user's profile Send private message Visit poster's website Reply with quote
MUFOS



Joined: 17 Apr 2016
Posts: 47
MUFOS 26 Apr 2016, 09:39
revolution wrote:
Trinitek wrote:
It basically says that you need to write your own PE loader. Seems trivial as far as I can tell.
Loading the PE file is easy. Properly linking to all the required DLLs (if any) is hard. And things like the SxS system will not be available to you.


So that guide won't work?
Post 26 Apr 2016, 09:39
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20409
Location: In your JS exploiting you and your system
revolution 26 Apr 2016, 09:45
It depends upon your DLL file. Some DLLs are simple and don't load any other resources, some are not. If you have the source to the DLL then it is probably easier to just statically compile it into your exe. Or maybe try statically linking it, but not its dependencies.
Post 26 Apr 2016, 09:45
View user's profile Send private message Visit poster's website Reply with quote
MUFOS



Joined: 17 Apr 2016
Posts: 47
MUFOS 27 Apr 2016, 10:25
What I want is an addon system. Would it be possible to just inject an addon that only contains assembly code (e.g. .bin assembled) without PE? If I am not thinking completely wrong, it's like injecting shellcode?
Post 27 Apr 2016, 10:25
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20409
Location: In your JS exploiting you and your system
revolution 27 Apr 2016, 13:20
MUFOS wrote:
What I want is an addon system. Would it be possible to just inject an addon that only contains assembly code (e.g. .bin assembled) without PE? If I am not thinking completely wrong, it's like injecting shellcode?
It is possible. But what about the links out of and into the the code? Also, does it need some initialisation? All these things are included in DLLs and you would need to replicate them somehow.

You could always just us a DLL, it is designed for the job (:
Post 27 Apr 2016, 13:20
View user's profile Send private message Visit poster's website Reply with quote
MUFOS



Joined: 17 Apr 2016
Posts: 47
MUFOS 27 Apr 2016, 18:11
revolution wrote:
MUFOS wrote:
What I want is an addon system. Would it be possible to just inject an addon that only contains assembly code (e.g. .bin assembled) without PE? If I am not thinking completely wrong, it's like injecting shellcode?
It is possible. But what about the links out of and into the the code? Also, does it need some initialisation? All these things are included in DLLs and you would need to replicate them somehow.

You could always just us a DLL, it is designed for the job (:


What I want to accomplish is a plugin system. For instance I could send the plugin over the internet so that code could remain protected (one usage example). And in addition others could develop further on the program. However, my requirement is that the plugin can be loaded from memory, e.g. never stored on the disk.
Post 27 Apr 2016, 18:11
View user's profile Send private message Reply with quote
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
typedef 09 May 2016, 15:27
You can define your own file structure then.

Your plugin file's header will contain information about which DLLs to load and where to place the jump/function pointer.

Your main program loads the required DLLs if not already loaded.

Your plugin must use relative jumps to so that way your host application can fill in those function pointer.

plugin.bin
Code:

MAX_NAME equ 0xFF
MAX_FN_NAME equ 0x80

; align to some bit-width boundary here

.ddMagic dd $123 ; some file identifier here
.dwLibs dd 1  ; number of DLLs to load

; Begin import structure
.pzsDllName1 du "user32.dll",....,0 ; <--- Unicode string of length MAX_NAME
.ddFuncs2 dd 1  ; <-- Number of functions

; user32 functions
.pszName db "MessageBoxW",...0 ; MAX_FN_NAME
.dwOrdinal dw $00000
.dwMessageBoxW dd $00000 ; Either ordinal or name
; End import structure

; your data area placed in data section. 
.ddDataSize dd 123456 
.ddDataOffset dd .my_data ; Relative offset from the beginning of the file. Since the whole thing will be in memory
.ddFlags dd $0000000 ;<--- Define access flags here

; your exported code
.ddCodeSize dd 123455
.ddSectionAddress dd .code_section
.ddAccessFlags dd 1234
.ddNumberOfExportedFunctions dd 1

; export function structure
.pszFuncName db "my_function",....,0 ; MAX_FN_NAME
.ddFuncAddress dd my_function

; You code section here
.code_section:

; void __stdcall my_function()
my_function:
push ebp
mov ebp, esp

push 0
push .pszHello
push .pszHello
push 0
call dword ptr[.dwMessageBoxW]

mov esp, ebp
pop ebp
retn

.my_data:
.pszHello du "Hello",0

    


To make it simple, you can just lay it out FLAT in memory so that way resolving function calls will be easier.

Also make sure you align and padd all sections.
Post 09 May 2016, 15:27
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.