Sign in to follow this  
Followers 0
Ascend4nt

File + Process Imports and Exports - DLL, EXE etc

17 posts in this topic

#1 ·  Posted (edited)

File + Process Imports/Exports Information UDFs

Posted ImagePosted Image

Forwarder String Support, C++ Name Undecorating Added!!

(Extreme case of string forwarding from wsock32.dll example in this post)

This UDF gets Function Imports and Exports for any Windows PE file (.DLL, .EXE), both 32-bit and 64-bit (unlike most programs out there), and from either a 32-bit or 64-bit Process.

I created this due to my frustration with other programs either working only *some* of the time, or having a common inability to read PE32+ (x64) file format tables properly.

There's just two functions in the main UDF - _FileGetWinPEImports or _FileGetWinPEExports. The bundled TestImportExportsList program lets you explore files on your system.

*Newly included are: _ProcessGetWinPEImports, _ProcessGetWinPEExports and TestProcessImportExportsList program (requires my Process Functions UDF).

NOTE: *Compressed* executable files will only give the Import information for the 'decompressor'. The only way to get the compressed executable's Import information is to decompress the executable.

Anyway, enjoy my hard work. Either read on for more information about some of the features, or see below for the License agreement and Download link.

Information on 'Virtual Offset of Thunk':

These address offsets you see are offsets from the base of the .DLL or .EXE file (uncompressed only!), where the actual function location of an 'Import' gets placed. All calls to these functions load addresses from these Thunk locations in order to correctly place a call to the right DLL function. (This is totally different than the old Import fixup location lists of earlier pre-NT systems). Technically, you could overwrite these Thunks with addresses to your own functions, but this is a dangerous thing to do. Its a neat tool to have though.

Forwarder functions? An explanation:

The whole 'DLLNAME.Functionname' string might be confusing to you, but here's an explanation of why an address can not and should not be returned. To better understand all this, grab a copy of DLL Export Viewer, (which doesn't report Relative/Function addresses correctly for Forwarded functions) and then follow along: *update: as of v1.50, DLL Export Viewer now reports forwarder string info (I was the one that reported the bug heh)

Okay, open up DLL Export Viewer and look at (for this example) KERNEL32.DLL - lets pick 'HeapFree', a known Forwarded function. DLL Export Viewer reports the following (on XP SP3):Relative Address: 0x0000910c, 'Loaded' address: 0x7c80910c. *Neither* is the case, though - 0x0000910c is in fact just the virtual address of the forwarder string!

Now, with my Exports function, you'll find that 'HeapFree' is reported (correctly) as a Forwarder string. What you'll see then is 'NTDLL.RtlFreeHeap'. What does that mean? It means that:

  • HeapFree is not a part of KERNEL32.DLL (and hasn't been for a while),
  • When that function is called or the address retrieved via 'GetProcAddress', the function 'RtlFreeHeap' in NTDLL.DLL is the function that's actually called (or returned as an address). Hopefully the 'DLLNAME.FunctionName' structure of a Forwarder string is starting to make sense now?
  • The address you get when you do 'GetProcAddress' does *not* correspond to what you see in DLL Export Viewer - in fact, 'HeapFree's reported address lies entirely OUTSIDE of kernel32.dll's memory space - pointing instead inside of NTDLL.DLL, at (guess what?): RtlFreeHeap.
So, on XP SP3, looking up 'HeapFree' with GetProcAddress, you get: 0x7C90FF2D. Doesn't match what was reported with DLL Export Viewer AT ALL. However - go back, and now look at NTDLL.DLL with DLL Export Viewer, and at function 'RtlFreeHeap' (following the logic of the Forwarder Function string). What is reported for RtlFreeHeap? Relative Address: 0x0000ff2d, 'Loaded' address: 0x7c90ff2d. See now how it lines up with what was reported via GetProcAddress for 'HeapFree' in KERNEL32.DLL?

So, there you have it in a nutshell - Forwarder functions are functions 'rerouted' to another DLL. The DLL's that are being rerouted to are either:

  • A.) Pre-loaded by the system (Important DLL's like NTDLL.DLL, KERNEL32.DLL, USER32.DLL, GDI32.DLL, etc - are all permanently loaded)
  • B.) Loaded upon a program's execution if the function is in its 'Imports' list, or
  • C.) Loaded upon a call to GetProcAddress. To see how this works clearly, list the modules that are loaded (my Process Functions UDF GUI can do this for you), then call GetProcAddress for 'GetServiceW' from WSOCK32.DLL, and then re-list the modules again. You'll see a new module loaded up - MSWSOCK.DLL (the location of the forwarder function). Wa-la, forwarder is set up.
Ascend4nt's AutoIT Code License agreement:

While I provide this source code freely, if you do use the code in your projects, all I ask is that:

  • If you provide source, keep the header as I have put it, OR, if you expand it, then at least acknowledge me as the original author, and any other authors I credit
  • If the program is released, acknowledge me in your credits (it doesn't have to state which functions came from me, though again if the source is provided - see #1)
  • The source on it's own (as opposed to part of a project) can not be posted unless a link to the page(s) where the code were retrieved from is provided and a message stating that the latest updates will be available on the page(s) linked to.
  • Pieces of the code can however be discussed on the threads where Ascend4nt has posted the code without worrying about further linking.

Download the ZIPs from my Site

UPDATES:

7-21-2010:

Added:

  • C++ Function Name Undecorating/Unmangling option. For an example of what this causes function name results to be, check out something like 'msvcrt.dll'. It will report alot more than just a function name! If you choose to do the Undecorating yourself, just call the included function _WinAPI_UndecorateName().

    Example: "??3@YAXPAX@Z" becomes "void __cdecl operator delete(void *)" unmanged/undecorated

  • New _ProcessGetWinPEImportExports module (with Test program) as a separate download - requires use of my Process Functions UDF. The biggest benefits, besides looking into loaded DLL's that might not be on the disk? Addresses reported are real, and Imported function addresses are reported (as pulled from Thunk locations).
7-12-2010:

Fixed:

  • Oops, Big-time logic errors in mapping Export function names to addresses and using ordinals to look them up from pointer tables. Now everything points to where it should!
  • Ordinal #'s are now correctly calculated with the 'Base' # part of the EXPORT DIRECTORY TABLE.
Added:
  • 'Forwarder' string lookup & reporting! Not even DLL Export Viewer does this! Basically, certain function 'pointers' aren't really code offsets, but offsets to Forwarder strings. My function looks those strings up and puts them in the list instead of a phoney address.
7-11-2010:

Fixed:

  • Executables linked with Borland's TLINK32.exe do not set the 'ImportLookupTableRVA' element correctly. This was easy to work around, as the 'Thunks' list also contains pointers to the same information (until an executable/DLL is loaded by the O/S, at least)
Added:
  • Imports: Extra column: Virtual Offset of Thunk ( [3] ). When an .EXE or .DLL is loaded, this is the Offset from the base of the .EXE or .DLL which will hold the actual function address. This could be used for redirection of calls (dangerous though!).

    ...

    An important note on this: Compressed executables are a completely different beast, and in fact the whole Import section is for the Decompressor itself, which disappears once the executable is loaded! The only way to get the actual Imports for Compressed Executables is to Decompress them first.

Edited by Ascend4nt
1 person likes this

Share this post


Link to post
Share on other sites



#2 ·  Posted (edited)

Nicely done.

To ease your frustration though, you should check out DLL Export Viewer from NirSoft.

Edited by wraithdu

Share this post


Link to post
Share on other sites

Thanks. I've been using DLL Export Viewer actually - But it doesn't report on Imports, and I'd rather not have to rely on using another program just for Exports.

Share this post


Link to post
Share on other sites

Fascinating work.

This is really going to come in handy.


[Not using this account any more. Using "iShafayet" instead]

Share this post


Link to post
Share on other sites

This is a very useful UDF.


Determined -- Devoted -- Delivered Make your mind up -- to seriously apply yourself -- accomplishing the desired results. **** A soft answer turneth away wrath: but grievous words stir up anger. Proverbs 15:1 KJB  *** Learning to write scripts...WMP Resumer [font="'Arial Black';"]|[/font] InstaPro Launcher [font="'Arial Black';"]| [/font]XampLabel Styles [font="'Arial Black';"]|[/font] XampPause - "HotKeySet" [font="'Arial Black';"]|[/font] XampCounter [font="'Arial Black';"]|[/font] XampSpellCheck *** Forum References Remembered... 5 Tips better coder by: Omar AlBadri (AKA - Volly) | AutoIT3/SciTE - USB by: MadSc13ntist | XSkin.au3 GUI by: Valuater AutoIT MVP | Helpful Collection Autoit Scripts: Maintained By: Volly | Windows Help 101 By: beerman & others *** My Website: Frankie-Cooper.com

Share this post


Link to post
Share on other sites

#6 ·  Posted (edited)

Thanks everyone for the compliments.

I've updated the UDF after reading about Borland's TLINK32 issue. All files should report the right Import information now, though I still have yet to figure out the 'forwarding' thing with certain Exports (that return an Offset of 0).

UPDATES:

7-11-2010:

Fixed:

  • Executables linked with Borland's TLINK32.exe do not set the 'ImportLookupTableRVA' element correctly. This was easy to work around, as the 'Thunks' list also contains pointers to the same information (until an executable/DLL is loaded by the O/S, at least)
Added:

  • Imports: Extra column: Virtual Offset of Thunk ( [3] ). When an .EXE or .DLL is loaded, this is the Offset from the base of the .EXE or .DLL which will hold the actual function address. This could be used for redirection of calls (dangerous though!).

    ...

    An important note on this: Compressed executables are a completely different beast, and in fact the whole Import section is for the Decompressor itself, which disappears once the executable is loaded! The only way to get the actual Imports for Compressed Executables is to Decompress them first.

Edited by Ascend4nt

Share this post


Link to post
Share on other sites

#7 ·  Posted (edited)

Sorry for the short time between updates, but I found a major issue with my code, and at the same time added something new - not even DLL Export Viewer has Forwarder-String information :blink:

Check out these examples of Forwarder strings inside DLL's (2nd example is an extreme case!)

Posted Image..Posted Image

Onto the updates:

UPDATES:

7-12-2010:

Fixed:

  • Oops, Big-time logic errors in mapping Export function names to addresses and using ordinals to look them up from pointer tables. Now everything points to where it should!
  • Ordinal #'s are now correctly calculated with the 'Base' # part of the EXPORT DIRECTORY TABLE.
Added:

  • 'Forwarder' string lookup & reporting! Not even DLL Export Viewer does this! Basically, certain function 'pointers' aren't really code offsets, but offsets to Forwarder strings. My function looks those strings up and puts them in the list instead of a phoney address.
Edited by Ascend4nt

Share this post


Link to post
Share on other sites

Really Awesome work!

Thxs for share!


[size="5"] [/size]

Share this post


Link to post
Share on other sites

Updated!

7-21-2010:

Added:

  • C++ Function Name Undecorating/Unmangling option. For an example of what this causes function name results to be, check out something like 'msvcrt.dll'. It will report alot more than just a function name! If you choose to do the Undecorating yourself, just call the included function _WinAPI_UndecorateName().

    Example: "??3@YAXPAX@Z" becomes "void __cdecl operator delete(void *)" unmanged/undecorated

  • New _ProcessGetWinPEImportExports module (with Test program) as a separate download - requires use of my Process Functions UDF. The biggest benefits, besides looking into loaded DLL's that might not be on the disk? Addresses reported are real, and Imported function addresses are reported (as pulled from Thunk locations).

Share this post


Link to post
Share on other sites

Would it be possible to use parts of this library to validate that exports of a system DLL have not been dynamically remapped within the process where my script is running?

D.

Share this post


Link to post
Share on other sites

I'm not sure I understand. Do you mean that imports in your process (which are mapped to exports from DLL's) are being redirected to a different address than they should be? Theoretically it would be possible to check them, if the LoadLibrary/GetProcAddress API functions needed by DLLCall() were not themselves remapped to something that prevents them from working correctly.

Probably the best thing for you to do is to use UPX or some other compression utility which makes it more difficult for someone to get and remap the imports for your app.

I would also say that its possible to do using compiled machine code that goes through the PEB and module lists, but machine code still requires a DLLCall() to use from AutoIt..

Share this post


Link to post
Share on other sites

I'm actually trying to detect when aclayers.dll might be redirecting registry writes.

Share this post


Link to post
Share on other sites

Not sure what aclayers is, but sounds easy enough. Use DLLCall to call 'GetProcAddress' for the different registry API calls, and compare those returned values to the process's loaded addresses for those API calls. If there's a difference, then they are being redirected. You can even go further to see where the module address is located by comparing it against the loaded modules' start and 'end' (start+size) addresses.

Share this post


Link to post
Share on other sites

First off, you mean 33.4KB uncompressed (for the File Import/Exports info).

Secondly, NirSoft's DLL Export Viewer incorrectly reports the code address, because that function doesn't actually exist in kernel32.dll. In the PE, it gives an offset that points to a 'forwarder' string. That means that "NTDLL.RtlAddVectoredExceptionHandler" tells you where the function really exists - in NTDLL.DLL, as the function name RtlAddVectoredExceptionHandler. Read my first post, hopefully that will help you understand what forwarding is, and why NirSoft's program reports bad information.

Share this post


Link to post
Share on other sites

How about that - Nirsoft actually listened to feedback :huh2:

DLL Export Viewer finally has forwarder string information reported correctly as of v1.50.

On another note.. I've noticed some .EXE files are putting Imports all over - inside different sections of the PE. wth? Anyway.. causes the program to crash currently, so if anyone sees a crash, this is most likely whats happening. I'd call it non-standard, but Windows handles it fine, as do some other PE viewers (some crash though). That was a very annoying bugger to track down.

What this means is that I need to search for the right section and recalculate RVA Offsets for each and every Import. What a pain.. Anyhoo.. that's on my to-do list for the next version. Just thought I'd at least log the problem here in the meantime and tell y'all to update your copy of DLL Export Viewer as well ;)

Share this post


Link to post
Share on other sites

#16 ·  Posted (edited)

Any sample code how you use export functions of a dll to my own script would appreciated?

Thanks

Edited by mailro

Share this post


Link to post
Share on other sites

You'd need to figure that out for yourself. If you are planning on calling a function in a DLL, you need to know what parameters it takes, as well as the return value. If its a standard Microsoft DLL, you can find the documentation for the function on MSDN. Any other DLL's, you need to know who made it and then check their website for info on calling the functions. I think WinAPIOverride32 lets you explore how certain DLL functions are called, though the program seems to crash more than anything for me.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Similar Content

    • Jdr
      More reliable check for file
      By Jdr
      I'm trying to check for the existance of a file, on logon the file is there, then gets deleted and after a while recreated. I'm using this code:
      Sleep(100) If not FileExists($sFile) Then Sleep(150) If FileExists($sFile) Then GUICtrlSendToDummy($iDummy) What happens is this: 
      User logs on, the file is present, or at least it usually is After about 10 seconds the file gets deleted Then after about 50 seconds the file gets created again, this is when I need the check, because now the process is finished. The above code is part of a pretty long do....until false loop running an animation.
      The problem is that sometimes this code fails. Without the sleep statements it didn't work at all so I think this is a timing issue. Pretty primitive code I admit, there must be a better way...
       
    • InternetMonkeyBoy
      AutoIt Tweaker
      By InternetMonkeyBoy
      I'm going to build a new function that I have been unable to find.   PLEASE CORRECT ME.  It will tweak the internal AutoIt functions giving me the ability to trash stuff I do not want to spin around.  Get it?  Please throw me whatever you got and I will put it togeather.  Ship it now.
      My supersleep() will be in here somewhere.   It's on another thread.
    • InternetMonkeyBoy
      Super Idle Down Process
      By InternetMonkeyBoy
      Hello.  I need a trick to make a process idle down less than sleep.  I use onevents for almost everything, but the problem is the project I'm working on has almost 50 processes.
      Even at around 1% idle it adds up and there will be more processes added.  What I'm looking to do is get to a C like idle of .03 to .08 cpu.  Any tricks you have will be great and I will post the final code I use.  I love AutoIt, but is does need a cooler name, lol.  Thx.
    • cherrylatte
      running files in order
      By cherrylatte
      hi
      I'm trying to execute files 
      I want it to run in order.
      for instance, if there's folder like below, I want to run 1.exe > 2.exe > 3.exe
      root folder
        |___folder 1 > 1.exe
        |___folder2 > 2.exe
        |___folder3 > 3.exe
       
      What I did to do the above, was to make a text file that contains the path to each of those files and put those in array form.
      but copying and pasting every path of those files into a text file is very exhausting thing to do when there's like hundreds of files to execute.
      So I was wondering if there is a simple way to run those files.
      I'd be thankful if anybody answers it. 
       
       
    • digitalexpl0it
      Help with Nested For loop
      By digitalexpl0it
      Hello,
       
      I am trying to updated a autoit app that moves files from one location to another. What Ia m trying to do is exclude specified sub directories from being moved/copied or files within the sub-folders
      As of now the code doesn't want to execute the nested for loop 
       
      Global $szDrive, $szDir, $szFName, $szExt Global $File = "*" func File_mover($Src,$File,$Dst) ; GET DIRECTORY EXCLUDES ; ###################### ; Create blank 2 dem array Local $ExArray[0][1] ; load ini file Local Const $sFilePath = "exclude.ini" ; Check to see if ini exists Local $iFileExists = FileExists($sFilePath) ; If the INI file is not found, output error message If not $iFileExists Then msgbox(0,"Oh NO!", $sFilePath & " not found!") endif ; Read ini file Local $aArray = IniReadSection($sFilePath, "test") ; Start the array loop If Not @error Then for $i = 1 to $aArray[0][0] ; Add Ini values into array _ArrayAdd($ExArray, $aArray[$i][1]) next endif ; Display array ;_ArrayDisplay($ExArray, "test Label") ProgressOn("Moving Scanned File(s)", "Moving scans into citrix...", "0%") $aFiles = _FileListToArray3($Src, $File, 1, 1, 0, 0) For $i = 1 To $aFiles[0] call("_PathSplit",$aFiles[$i], $szDrive, $szDir, $szFName, $szExt) $SrcFile = $Src & "\" & $szDrive & $szDir & $szFName & $szExt $DstFile = $Dst & "\" & $szDir & $szFName & $szExt $NumFiles = DirGetSize($Src,1) ; If File Exsists copy and rename file If FileExists($DstFile) Then $DstFile = call("_IfIdenticalIncrement", $SrcFile, $DstFile) If $DstFile <> "" Then For $ii = $NumFiles[1] To 100 Step 10 ProgressSet($ii, $ii & "%","Moving Files...") ; Move Scans ; List Dir in srouce dir $dirEx = _FileListToArray($Src,"*",2) If UBound($dirEx) > 1 Then ; Look in the dir list array For $dir In $dirEx ; Find and compaire dir in exclude array For $exclude In $ExArray If ($dir = $exclude) Then ; if exclude dir found go to top loop and skip ContinueLoop 2 EndIf Next FileMove($SrcFile, $DstFile, 8) Next endif Sleep(100) Next EndIf ; File doesnt exists so copy the file over Else For $ii = $NumFiles[1] To 100 Step 10 ProgressSet($ii, $ii & "%","Moving Files...") ; Move Scans ; List Dir in srouce dir $dirEx = _FileListToArray($Src,"*",2) If UBound($dirEx) > 1 Then ; Look in the dir list array For $dir In $dirEx ; Find and compaire dir in exclude array For $exclude In $ExArray If ($dir = $exclude) Then ; if exclude dir found go to top loop and skip ContinueLoop 2 EndIf Next FileMove($SrcFile, $DstFile, 8) Next endif Sleep(100) next EndIf ProgressSet(100, "Scans Moved...Successfully!", "Done!") sleep(2000) ProgressOff() Next endfunc Func _IfIdenticalIncrement($vSrcFile, $vDstFile) Local $Count = 0 ; Get the modified date of the source file. $ScrVer = FileGetTime($vSrcFile, 0, 1) ; To get all elemnt of the distination file (in plan to add incremental number). call("_PathSplit",$vDstFile, $szDrive, $szDir, $szFName, $szExt) ; Loop to increment the name of the file. While FileExists($vDstFile) $Count += 1 $vDstFile = $szDrive & $szDir & $szFName & "(" & $Count & ")" & $szExt WEnd ; If file(1), it assume that is the first copy. If $Count = 1 Then Return $vDstFile ; If file(x-1) is identical then assume the file is already duplicated. ElseIf $ScrVer = FileGetTime($szDrive & $szDir & $szFName & "(" & $Count - 1 & ")" & $szExt, 0, 1) Then Return "" ; Else assume it is a new version. Else Return $vDstFile EndIf EndFunc ;==>_IfIdenticalIncrement  
       
      This part is skipped and not sure why
       
      For $exclude In $ExArray If ($dir = $exclude) Then ; if exclude dir found go to top loop and skip ContinueLoop 2 EndIf Next INI file is this
       
      [test] EXCLUDE1=test1 EXCLUDE2=test2 EXCLUDE3=test3