flat assembler
Message board for the users of flat assembler.

Index > Windows > DLL Export Forwarding

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
AE



Joined: 07 Apr 2022
Posts: 29
AE
How to implement in fasm dll export forwarding like this

by name
Code:
#pragma comment(linker, "/export:DllCanUnloadNow=C:\\\\Windows\\\\System32\\\\SHCore.dll.DllCanUnloadNow")    


by ordinal
Code:
#pragma comment(linker, "/export:ord243=C:\\\\Windows\\\\System32\\\\SHCore.dll.#243,@243")    


I couldn't find any examples anywhere on the web.
Post 07 Apr 2022, 18:13
View user's profile Send private message Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 652
Location: Russia
macomics
Code:
library kernel, "kernel32.dll",\
        user, "user32.dll",\
        shcore, "SHCore.dll" ; or 
;       shcore, "C:\Windows\System32\SHCore.dll"

import  shcore,\
\; by name
        DllCanUnloadNow, "DllCanUnloadNow",\
\; by ordinal
        ord243, 243    
Or do you want to achieve something else? Also see this.
Post 07 Apr 2022, 20:45
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 8028
Location: Kraków, Poland
Tomasz Grysztar
Code:
format PE GUI 4.0 DLL
entry DllEntryPoint

include 'win32a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        mov     eax,TRUE
        ret
endp

section '.edata' export data readable

  export 'DEMO.DLL',\
         __forward_MBox,'MBox'

  __forward_MBox db 'C:\Windows\System32\User32.dll.MessageBoxA' ; the string must reside in the export section

section '.reloc' fixups data readable discardable

  if $=$$
    dd 0,8              ; if there are no fixups, generate dummy entry
  end if    
Post 07 Apr 2022, 20:54
View user's profile Send private message Visit poster's website Reply with quote
AE



Joined: 07 Apr 2022
Posts: 29
AE
macomics, I was asking about exporting

Tomasz Grysztar, Thank you!
Post 07 Apr 2022, 21:01
View user's profile Send private message Reply with quote
AE



Joined: 07 Apr 2022
Posts: 29
AE
Tomasz Grysztar
Can this approach cause errors on Windows 7?
Everything works fine on my 10, but when I run VirtualBox with Win7, I get 0xc0000005 error.

Code example:

Code:
format PE64 console
entry start
include 'win64a.inc'
section '.text' code readable executable
start:
        sub     rsp,8
        cinvoke printf, <'%s',13, 10,13, 10>, ' * Function call test'
        add esp, 8
        invoke VerLanguageNameA, 0, buff, 64
        test rax, rax
        jz @wrong
        cinvoke printf, <'%s',13, 10,13, 10>, ' * Function call - OK'
        add esp, 8
        jmp @f
        @wrong:
        cinvoke printf, <'%s', 13,10>, ' * Something goes wrong :('
        add esp, 8
        @@:
        cinvoke getch
        invoke  ExitProcess,0

section '.data' data readable  writeable
buff    db 64 dup (00h)

section '.idata' import data readable writeable
library kernel32,'KERNEL32.DLL', version,'version.dll', msvcrt,   'msvcrt.dll'
import version, VerLanguageNameA, 'VerLanguageNameA'
import msvcrt,   printf, 'printf', getch, '_getch'
import kernel32, ExitProcess, 'ExitProcess'    

Code:
format PE64 GUI 5.0 DLL
entry DllEntryPoint
include 'win64a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        cmp rdx, DLL_PROCESS_ATTACH
        jne @f
    @RT:
        mov rax, TRUE
        ret
    @@:
        cmp rdx, DLL_THREAD_ATTACH
        jne @f
        ret
    @@:
        cmp rdx, DLL_THREAD_DETACH
        jne @f
        ret
    @@:
        cmp rdx, DLL_PROCESS_DETACH
        jne @f
        ret
    @@: ret
endp

section '.edata' export data readable

export 'version.dll',\
    __forward_VerLanguageNameA, 'VerLanguageNameA'
    __forward_VerLanguageNameA db 'C:\Windows\System32\version.dll.VerLanguageNameA',0

section '.reloc' fixups data readable discardable
    if $=$$
        dd 0,8
    end if    
Post 12 Apr 2022, 16:57
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18846
Location: In your JS exploiting you and your system
revolution
AE wrote:
Code:
        add esp, 8    
You shouldn't use manual RSP fixup, the macro does it for you.

But worse, you should only use RSP anyway. It is 64-bit code, all addresses are 64-bit.
Post 12 Apr 2022, 17:49
View user's profile Send private message Visit poster's website Reply with quote
AE



Joined: 07 Apr 2022
Posts: 29
AE
revolution wrote:
You shouldn't use manual RSP fixup, the macro does it for you.

My bad, not cleaned up the source code properly, fixups were added while searching for possible ways to fix the program crashes.
In this configuration error occurs in ntdll.RtlInitAnsiString
Also I can't get the address of the procedure with GetProcAddress. Of course there is a chance that it is a bug in the virtual machine, unfortunately I don't have a possibility to check it on a live Win7.
Post 12 Apr 2022, 18:00
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 18846
Location: In your JS exploiting you and your system
revolution
Note that some of the x64 macros have a flaw that pre-adjust RSP before the entry point is reached. This can cause the crash you see because of an unaligned stack.

To avoid this problem you can use
Code:
and rsp,-16 ; avoid sub rsp, 8    
This makes sure that RSP is correctly aligned in all cases.
Post 12 Apr 2022, 18:20
View user's profile Send private message Visit poster's website Reply with quote
AE



Joined: 07 Apr 2022
Posts: 29
AE
revolution wrote:
you can use

Thx.
Unfortunately this does not solve the problem because it is in a dll, not in a test program (you can ignore it at all, it is presented as an example for quick testing)
If you remove the dll file from the program folder, it runs perfectly correctly, calling the function from the original library in the system32.
I tried to get the address of the procedure by name (from a high-level language application) and GetProcAddress returned zero. I can't understand why this is happening, forwarding should work on Win7.
Post 12 Apr 2022, 19:15
View user's profile Send private message Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 652
Location: Russia
macomics
Here I immediately suggested not to build a vegetable garden, but to create files of lists of static function imports.
Post 12 Apr 2022, 20:55
View user's profile Send private message Reply with quote
AE



Joined: 07 Apr 2022
Posts: 29
AE
macomics wrote:
Here I immediately suggested not to build a vegetable garden, but to create files of lists of static function imports.

Google Translator does not understand Russian phraseology
But even leaving that aside, I didn't get the point Very Happy
Post 12 Apr 2022, 21:03
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 3489
Location: vpcmipstrm
bitRAKE
SHCore.dll, 243 is not defined export in 64-bit? MS isn't reporting a public symbol for this ordinal either. They report the others for SHCore.dll, so probably only exist in some 32-bit (not mine).

_________________
¯\(°_o)/¯ unlicense.org
Post 12 Apr 2022, 21:52
View user's profile Send private message Visit poster's website Reply with quote
AE



Joined: 07 Apr 2022
Posts: 29
AE
bitRAKE wrote:
SHCore.dll, 243 is not defined export in 64-bit? MS isn't reporting a public symbol for this ordinal either. They report the others for SHCore.dll, so probably only exist in some 32-bit (not mine).


Look at source code I've posted there is version.dll not SHCore Smile
Post 12 Apr 2022, 22:11
View user's profile Send private message Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 652
Location: Russia
macomics
AE wrote:
macomics wrote:
Here I immediately suggested not to build a vegetable garden, but to create files of lists of static function imports.

Google Translator does not understand Russian phraseology
But even leaving that aside, I didn't get the point Very Happy
If you did not create a separate DLL with indirect function export, then at least you would not have to look for the place where a pointer to the required function was not received.
Code:
format PE64 GUI 5.0 DLL
entry DllEntryPoint
include 'win64a.inc'

section '.text' code readable executable

proc DllEntryPoint hinstDLL,fdwReason,lpvReserved
        cmp rdx, DLL_PROCESS_ATTACH
        jne @f
    @RT:
        mov rax, TRUE
        ret
    @@:
        cmp rdx, DLL_THREAD_ATTACH
        jne @f
        ret
    @@:
        cmp rdx, DLL_THREAD_DETACH
        jne @f
        ret
    @@:
        cmp rdx, DLL_PROCESS_DETACH
        jne @f
        ret
    @@: ret
endp

; It's much shorter than creating a string for each function.
__forward_VerLanguageNameA:
        jmp [VerLanguageNameA]

section '.edata' export data readable

export 'version.dll',\
    __forward_VerLanguageNameA, 'VerLanguageNameA'
;    __forward_VerLanguageNameA db 'C:\Windows\System32\version.dll.VerLanguageNameA',0

section '.reloc' fixups data readable discardable
    if $=$$
        dd 0,8
    end if        
Only why jmp at all if you can add a static import of the VerLanguageNameA function to the main file. And there 's already invoke ...

After all the experiments are over, you can already create a library.
Post 12 Apr 2022, 22:14
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 3489
Location: vpcmipstrm
bitRAKE
revolution already solved that mystery though, lol.

Please use a debugger.
(Look in the bottom right corner at the stack. Watch as you F8-F8... See the least nibble of RSP - it must be zero before API call.)
Code:
push rax
        cinvoke printf, <'%s',13, 10,13, 10>, ' * Function call test'
;       add esp, 8
        invoke VerLanguageNameA, 0, buff, 64
        test rax, rax
        jz @wrong
        cinvoke printf, <'%s',13, 10,13, 10>, ' * Function call - OK'
;       add esp, 8
        jmp @f
        @wrong:
        cinvoke printf, <'%s', 13,10>, ' * Something goes wrong Sad'
;       add esp, 8
        @@:
        cinvoke getch
        invoke  ExitProcess,0    
Post 12 Apr 2022, 22:14
View user's profile Send private message Visit poster's website Reply with quote
AE



Joined: 07 Apr 2022
Posts: 29
AE
macomics wrote:
It's much shorter than creating a string for each function

Isn't it a short way to infinite loop Very Happy

The whole point of the full path design is to redirect the call directly to the original function without having to dynamically calculate the address of the function and without getting performance loss.


bitRAKE, just a moment, I'll check... nope
Look at this post

You can test it right only if you have a Win7, on Win10 code works as expected!
Post 12 Apr 2022, 22:33
View user's profile Send private message Reply with quote
AE



Joined: 07 Apr 2022
Posts: 29
AE
Maybe it's really virtual machine bug?... Anyone with Win7 here?


Last edited by AE on 17 Apr 2022, 09:11; edited 1 time in total
Post 12 Apr 2022, 23:14
View user's profile Send private message Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 3489
Location: vpcmipstrm
bitRAKE
Win7 is the only 64-bit I don't have here, at the moment. But I was able to try it on WinXP and it does not work there either.

Works on Win8! Some change to the loader perhaps.
Post 12 Apr 2022, 23:15
View user's profile Send private message Visit poster's website Reply with quote
AE



Joined: 07 Apr 2022
Posts: 29
AE
I've check double forwarding (in fact VerLanguageNameA in original version.dll also forwaded -> KERNEL32.VerLanguageNameA) and it also not the crashes cause.
We need to go deeper...

Code:
1: rcx 000000000006F238 L"\v\f"
2: rdx 0000000074DE204F 
3: r8  00000000000E3E90 L"version.dll"
4: r9  000000000040305E "version.dll"
5: [rsp+28] 0000000000000001 

0000000077697F80 < | 48:83EC 08                  | sub rsp, 8                                                  | RtlInitAnsiString function
0000000077697F84   | 33C0                        | xor eax, eax                                                |
0000000077697F86   | 48:8951 08                  | mov qword ptr ds:[rcx + 8], rdx                             | [rcx+8]:"version.dll"
0000000077697F8A   | 66:8901                     | mov word ptr ds:[rcx], ax                                   | rcx:L"\v\f"
0000000077697F8D   | 66:8941 02                  | mov word ptr ds:[rcx + 2], ax                               |
0000000077697F91   | 48:85D2                     | test rdx, rdx                                               |
0000000077697F94   | 74 33                       | je ntdll.77697FC9                                           |
0000000077697F96   | 4C:8BC1                     | mov r8, rcx                                                 | r8:L"version.dll", rcx:L"\v\f"
0000000077697F99   | 48:83C9 FF                  | or rcx, FFFFFFFFFFFFFFFF                                    | rcx:L"\v\f"
0000000077697F9D   | 48:893C24                   | mov qword ptr ss:[rsp], rdi                                 |
0000000077697FA1   | 48:8BFA                     | mov rdi, rdx                                                |
0000000077697FA4   | F2:AE                       | repne scasb                                                 | <----- CRASH HERE ON WIN7
0000000077697FA6   | 48:8B3C24                   | mov rdi, qword ptr ss:[rsp]                                 |
0000000077697FAA   | 48:F7D1                     | not rcx                                                     | rcx:L"\v\f"
0000000077697FAD   | 48:FFC9                     | dec rcx                                                     | rcx:L"\v\f"
0000000077697FB0   | 48:81F9 FFFF0000            | cmp rcx, FFFF                                               | rcx:L"\v\f"
0000000077697FB7   | 0F83 D9F10000               | jae ntdll.776A7196                                          |
0000000077697FBD   | 6641:8908                   | mov word ptr ds:[r8], cx                                    | r8:L"version.dll"
0000000077697FC1   | 66:FFC1                     | inc cx                                                      |
0000000077697FC4   | 6641:8948 02                | mov word ptr ds:[r8 + 2], cx                                | r8+2:L"ersion.dll"
0000000077697FC9   | 48:83C4 08                  | add rsp, 8                                                  |
0000000077697FCD   | C3                          | ret                                                         |
0000000077697FCE   | 48:8BB424 18010000          | mov rsi, qword ptr ss:[rsp + 118]                           | [rsp+118]:"ZЂ"
0000000077697FD6   | E9 F7000000                 | jmp ntdll.776980D2                                          |    


Last edited by AE on 13 Apr 2022, 04:42; edited 1 time in total
Post 12 Apr 2022, 23:37
View user's profile Send private message Reply with quote
macomics



Joined: 26 Jan 2021
Posts: 652
Location: Russia
macomics
Quote:
Isn't it a short way to infinite loop
What does an infinite loop have to do with it.
Code:
format PE64 GUI 5.0 DLL
entry DllEntryPoint
include 'MACRO/IMPORT64.INC'
section '.idata' import data readable writeable
library kernel32, 'C:\WinWin\kernel32.dll',\
        kernel, 'kernel32.dll'

import from kernel32,\
        my_func, "my_func_name"

import from kernel,\
        ExitProcess, "ExitProcess"
...
    
You can specify an absolute path in the import section, and not a relative one right away.
Post 13 Apr 2022, 00:51
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.