64 bit dll not loaded

Index > High Level Languages > 64 bit dll not loaded

Author

Thread

binary

Joined: 10 Oct 2009
Posts: 29

binary 30 Dec 2017, 15:54

I made a 64 bit dll,when running the program ( loaded with LoadLibrary() ) I get an error:

"asm.dll is either not designed to run on Windows or it contains an error"

Code:

     ; DLL creation example

format PE64 GUI 4.0 DLL
entry DllEntryPoint

include 'win64a.inc'

var DD 1
var2   DQ 123
i DD 0
i2 DD 0
buf DD   4  DUP(?)

section '.code' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        mov     eax,123456
        ret
endp




proc asm mode, i
       mov     eax,1
       ret
endp

; VOID ShowErrorMessage(HWND hWnd,DWORD dwError);

proc ShowErrorMessage hWnd,dwError
  local lpBuffer:DWORD
        lea     eax,[lpBuffer]
        invoke  FormatMessage,FORMAT_MESSAGE_ALLOCATE_BUFFER+FORMAT_MESSAGE_FROM_SYSTEM,0,[dwError],LANG_NEUTRAL,eax,0,0
        invoke  MessageBox,[hWnd],[lpBuffer],NULL,MB_ICONERROR+MB_OK
        invoke  LocalFree,[lpBuffer]
        ret
endp

; VOID ShowLastError(HWND hWnd);

proc ShowLastError hWnd
        invoke  GetLastError
        stdcall ShowErrorMessage,[hWnd],eax
        ret
endp

section '.idata' import data readable writeable

  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'

  import kernel,\
         GetLastError,'GetLastError',\
         SetLastError,'SetLastError',\
         FormatMessage,'FormatMessageA',\
         LocalFree,'LocalFree'

  import user,\
         MessageBox,'MessageBoxA'

section '.edata' export data readable

  export 'ERRORMSG.DLL',\
         asm,'asm',\
         ShowErrorMessage,'ShowErrorMessage',\
         ShowLastError,'ShowLastError'

section '.reloc' fixups data discardable

30 Dec 2017, 15:54

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20667
Location: In your JS exploiting you and your system

revolution 30 Dec 2017, 16:00

Your DLL is probably malformed because the relocs section will be empty. You might need to create a dummy relocs section, or remove it completely.

Code:

section '.reloc' fixups data readable discardable

    if $=$$
        dd 0,8          ; if there are no fixups, generate dummy entry
    end if

30 Dec 2017, 16:00

binary

Joined: 10 Oct 2009
Posts: 29

binary 30 Dec 2017, 16:33

Thank you

I have one more question, the parameter is not returned when running the code

Code:

proc asm mode, inc
       xor eax,eax
       mov eax,dword [inc]
       ret
endp

it returns a different value

30 Dec 2017, 16:33

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20667
Location: In your JS exploiting you and your system

revolution 30 Dec 2017, 16:58

How are you calling it? Are you calling with a pointer or a plain value?

Your code is 64-bit, but you are only reading 32-bits from the 'inc' parameter. Is that intentional?

30 Dec 2017, 16:58

binary

Joined: 10 Oct 2009
Posts: 29

binary 30 Dec 2017, 17:19

I'm calling it like this:

Code:

#include "App.h"
#include <windows.h>
#include <iostream>
#include "a.h"

using namespace std;

typedef int(__stdcall *f_funci)(unsigned char, unsigned int);

int main(int argc, char **argv) {
    
        HMODULE ll = LoadLibrary(L"asm.dll");

        if (ll == NULL) {
                cout << "asm.dll not loaded. Error code is " << GetLastError() << endl;
        }
        cout << "asm.dll loaded ok\n";



        f_funci assemblerMode = (f_funci)GetProcAddress(ll, "asm");

        if (!assemblerMode) {
                cout << "could not locate the function " << GetLastError() << endl;
        }
        cout << "assemblerMode() returned " << assemblerMode(1,143) << endl;
        
        App app(argc, argv);
    return app.exec();
}

Quote:

Your code is 64-bit, but you are only reading 32-bits from the 'inc' parameter. Is that intentional?

No, I need it to be 64 bit

30 Dec 2017, 17:19

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20667
Location: In your JS exploiting you and your system

revolution 30 Dec 2017, 20:49

So you expect a return value of the plain constant 143 from 'inc'?

The problem here is that the fastcall in Windows doesn't load the stack with the first four parameters. Your value is in register RDX (the second parameter).

If you want all 64-bits of the second parameter (inc) then use this:

Code:

proc asm mode, inc
       mov rax,rdx ;<--- 'inc' is in rdx
       ret
endp

30 Dec 2017, 20:49

binary

Joined: 10 Oct 2009
Posts: 29

binary 31 Dec 2017, 04:25

Thank you

If I add a third parameter now I have

Code:

proc asm mode, inc, val
     ; rcx = mode
     ; rdx = inc
       mov rax,rcx
       ret
endp

where is the third parameter stored?

31 Dec 2017, 04:25

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20667
Location: In your JS exploiting you and your system

revolution 01 Jan 2018, 17:54

When working with integers and pointers the fastcall standard uses the registers in this order:
RCX - RDX - R8 - R9

You can read about it in many places. There are a lot more details than simply the registers I show above because if the values are floating point numbers then different registers are used.

01 Jan 2018, 17:54

binary

Joined: 10 Oct 2009
Posts: 29

binary 02 Jan 2018, 12:26

Thank you

02 Jan 2018, 12:26

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum