flat assembler
Message board for the users of flat assembler.

Index > Windows > Learning about DLL's

Author
Thread Post new topic Reply to topic
fantasia



Joined: 02 Jul 2012
Posts: 10
fantasia 03 Jul 2012, 09:12
After studying, compiling and running ERRORMSG.asm in the FASM EXAMPLES directory, I thought I understood how to write a bare-bones DLL with FASM.

I clearly do not have a clue, though. The source code for my DLL compiles, as does the source for the program I am using to test it. However, when I run the test program, I get a message box containing the error:

---------------------------
Test.exe - Bad Image
---------------------------
myDLL.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.
---------------------------
OK
---------------------------

Here is the source for myDLL.asm:

Code:
; myDLL.asm

format PE GUI 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
     mov    eax,TRUE
     ret
endp

proc test_function
    mov    eax,TRUE
    ret
endp

section '.edata' export data readable
    export 'myDLL.dll',test_function,'test_function'

section '.reloc' fixups data readable discardable    


And for Test.asm:
Code:
; Test.asm

format PE console 4.0
entry _main

include 'win32a.inc'

section '.text' code readable executable

  proc _main
        call    [test_function]
        ret
  endp

section '.idata' import data readable writeable
  library myDLL,'myDLL.dll'
  import  myDLL,test_function,'test_function'

section '.reloc' fixups data readable discardable     


Please don't hold back if I have done anything stupid!

Thanks
Post 03 Jul 2012, 09:12
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20657
Location: In your JS exploiting you and your system
revolution 03 Jul 2012, 09:24
This depends upon your version of Windows. Some version of Windows allow you to load a program without linking to any APIs and some don't.

It would probably be best to at least link with kernel32.dll and import ExitProcess to give the Windows loader the information to load the standard APIs into the address space.
Post 03 Jul 2012, 09:24
View user's profile Send private message Visit poster's website Reply with quote
fantasia



Joined: 02 Jul 2012
Posts: 10
fantasia 03 Jul 2012, 09:54
I see, so the DLL is too minimal, then?

I tried to follow your advice but I think I probably made a mistake as I am getting the same error despite importing & calling ExitProcess in my Test program, as well as importing it into my DLL (I didn't call ExitProcess from in the DLL, though).

My amended source follows:

myDLL.dll:

Code:
; myDLL.asm

format PE GUI 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
     mov    eax,TRUE
     ret
endp

proc test_function
    mov    eax,TRUE
    ret
endp

section '.idata' import data readable writeable
    library kernel32,'kernel32.dll'
    import  kernel32,\
            ExitProcess,'ExitProcess'


section '.edata' export data readable
    export 'myDLL.dll',test_function,'test_function'

section '.reloc' fixups data readable discardable    


and for the test program:

Code:
; Test.asm

format PE console 4.0
entry _main

include 'win32a.inc'

section '.text' code readable executable

  proc _main
        call    [test_function]
        call    [ExitProcess]
  endp

section '.idata' import data readable writeable
  library kernel32,'kernel32.dll',\
          myDLL,'myDLL.dll'
  import  kernel32,\
          ExitProcess,'ExitProcess'
  import  myDLL,\
          test_function,'test_function'

section '.reloc' fixups data readable discardable    
Post 03 Jul 2012, 09:54
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20657
Location: In your JS exploiting you and your system
revolution 03 Jul 2012, 10:14
You still have an empty import section if you don't reference any of the APIs. Use something like this:
Code:
proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
     mov    eax,TRUE
     ret
     call [ExitProcess] ;dummy to force the macro to import the API
endp    
Or populate the relocs section if you don't want to import any APIs.


Last edited by revolution on 03 Jul 2012, 10:18; edited 1 time in total
Post 03 Jul 2012, 10:14
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20657
Location: In your JS exploiting you and your system
revolution 03 Jul 2012, 10:17
BTW: Your relocs section in the DLL will also be empty when you don't import any of the system APIs in the DLL. A DLL does not need to import any APIs but it must have a non-empty relocs section.
Post 03 Jul 2012, 10:17
View user's profile Send private message Visit poster's website Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1711
Location: Toronto, Canada
AsmGuru62 03 Jul 2012, 13:51
@fantasia:
I think, recently there was a long thread on why some DLLs (built by FASM) fail on a newer Windows versions -- search the forum.
Post 03 Jul 2012, 13:51
View user's profile Send private message Send e-mail Reply with quote
fantasia



Joined: 02 Jul 2012
Posts: 10
fantasia 03 Jul 2012, 15:00
@AsmGuru62

Thanks for the suggestion, but I was ineffective at searching because I didn't really understand what I was doing and hence what might have even gone wrong.

Since Revolution's remarks about initialization routines, I have been reading about the Ldr functions in ntdll.dll.

By the way, you don't know how to catch ntdll.dll in a debugger do you? Wink
Post 03 Jul 2012, 15:00
View user's profile Send private message Reply with quote
AsmGuru62



Joined: 28 Jan 2004
Posts: 1711
Location: Toronto, Canada
AsmGuru62 03 Jul 2012, 16:46
You mean to set a breakpoint at WinMain of NTDLL.DLL?
I do not know how to do it.

Some DLLs are loaded by the OS before loading any other EXEs, like the one you compile. So, it is not possible to break at this time.
Post 03 Jul 2012, 16:46
View user's profile Send private message Send e-mail Reply with quote
fantasia



Joined: 02 Jul 2012
Posts: 10
fantasia 04 Jul 2012, 09:59
I suppose what I really want to do is to be able to debug the (mis)loading of my DLL so that I might be able to figure out where I went wrong on my own.

The trouble is, in this case, that I'm relying on copying templates rather than understansing why the templates contain what they do. Hence, I haven't been able to understand why what I wrote (well, copied) was not being recognised as a DLL by Windows.

I'm a firm believer in trying to figure things out on my own, and I think that using a debugger is the best way to find out why code we write is not working the way we expected. However, I understand that the Ldr API contained within ntdll.dll, is doing the real work and I would like to debug it to see when it decides that my DLL is invalid.

But, I do also know when to ask for help from the community.

So, can anybody point me in the right direction as to how to go about debugging the loading of a DLL, and how to tell why Windows has decided that my DLL is invalid?

Thanks
Post 04 Jul 2012, 09:59
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20657
Location: In your JS exploiting you and your system
revolution 04 Jul 2012, 10:32
fantasia wrote:
... how to tell why Windows has decided that my DLL is invalid?
I mentioned this above:
Quote:
Your relocs section in the DLL will also be empty when you don't import any of the system APIs in the DLL. A DLL does not need to import any APIs but it must have a non-empty relocs section.
You will NEED to have proper relocs section. Three methods are:
  1. create one normally with a functional DLL (not your basic test DLL above that has no requirement for relocs)
  2. fake one with just "dd 8,0", or
  3. make a dummy one with a false dependency upon something else
Post 04 Jul 2012, 10:32
View user's profile Send private message Visit poster's website Reply with quote
fantasia



Joined: 02 Jul 2012
Posts: 10
fantasia 04 Jul 2012, 11:03
@Revolution - I am grateful for, and have accepted your earlier advice.

Perhaps I am not making myself clear: I am trying to learn about DLLs and how they are validated and loaded by Windows. Because it allows fine-grained control of the format of the PE, FASM is the tool I am using to create both valid and invalid DLLs.

If all I ever see are examples of well-written, working DLLs , how am I going to know what's wrong with my rubbish ones?

So I don't want to just add lines to my source code until it works, I want to know:

Is there a way I can get Windows to tell me specifically what it didn't like about my DLL?

Thanks
Post 04 Jul 2012, 11:03
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20657
Location: In your JS exploiting you and your system
revolution 04 Jul 2012, 11:22
It might be possible to debug the loading of an invalid DLL if you delay the loading by using the LoadLibrary API (i.e. remove it from you import table), and use a debugger like OllyDbg. I've not tried it though so let us know if it works.
Post 04 Jul 2012, 11:22
View user's profile Send private message Visit poster's website Reply with quote
sinsi



Joined: 10 Aug 2007
Posts: 794
Location: Adelaide
sinsi 04 Jul 2012, 11:28
Doesn't windbg do kernel debugging?

Here's an old reference What Goes On Inside Windows 2000: Solving the Mysteries of the Loader
Post 04 Jul 2012, 11:28
View user's profile Send private message Reply with quote
fantasia



Joined: 02 Jul 2012
Posts: 10
fantasia 04 Jul 2012, 11:28
@Revolution

That's an excellent idea, thank you. I will let you know how I get on.
Post 04 Jul 2012, 11:28
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.