Sign in to follow this  
Followers 0
Ascend4nt

File + Process Imports and Exports - DLL, EXE etc

17 posts in this topic

#1 ·  Posted (edited)

File + Process Imports/Exports Information UDFs

Posted ImagePosted Image

Forwarder String Support, C++ Name Undecorating Added!!

(Extreme case of string forwarding from wsock32.dll example in this post)

This UDF gets Function Imports and Exports for any Windows PE file (.DLL, .EXE), both 32-bit and 64-bit (unlike most programs out there), and from either a 32-bit or 64-bit Process.

I created this due to my frustration with other programs either working only *some* of the time, or having a common inability to read PE32+ (x64) file format tables properly.

There's just two functions in the main UDF - _FileGetWinPEImports or _FileGetWinPEExports. The bundled TestImportExportsList program lets you explore files on your system.

*Newly included are: _ProcessGetWinPEImports, _ProcessGetWinPEExports and TestProcessImportExportsList program (requires my Process Functions UDF).

NOTE: *Compressed* executable files will only give the Import information for the 'decompressor'. The only way to get the compressed executable's Import information is to decompress the executable.

Anyway, enjoy my hard work. Either read on for more information about some of the features, or see below for the License agreement and Download link.

Information on 'Virtual Offset of Thunk':

These address offsets you see are offsets from the base of the .DLL or .EXE file (uncompressed only!), where the actual function location of an 'Import' gets placed. All calls to these functions load addresses from these Thunk locations in order to correctly place a call to the right DLL function. (This is totally different than the old Import fixup location lists of earlier pre-NT systems). Technically, you could overwrite these Thunks with addresses to your own functions, but this is a dangerous thing to do. Its a neat tool to have though.

Forwarder functions? An explanation:

The whole 'DLLNAME.Functionname' string might be confusing to you, but here's an explanation of why an address can not and should not be returned. To better understand all this, grab a copy of DLL Export Viewer, (which doesn't report Relative/Function addresses correctly for Forwarded functions) and then follow along: *update: as of v1.50, DLL Export Viewer now reports forwarder string info (I was the one that reported the bug heh)

Okay, open up DLL Export Viewer and look at (for this example) KERNEL32.DLL - lets pick 'HeapFree', a known Forwarded function. DLL Export Viewer reports the following (on XP SP3):Relative Address: 0x0000910c, 'Loaded' address: 0x7c80910c. *Neither* is the case, though - 0x0000910c is in fact just the virtual address of the forwarder string!

Now, with my Exports function, you'll find that 'HeapFree' is reported (correctly) as a Forwarder string. What you'll see then is 'NTDLL.RtlFreeHeap'. What does that mean? It means that:

  • HeapFree is not a part of KERNEL32.DLL (and hasn't been for a while),
  • When that function is called or the address retrieved via 'GetProcAddress', the function 'RtlFreeHeap' in NTDLL.DLL is the function that's actually called (or returned as an address). Hopefully the 'DLLNAME.FunctionName' structure of a Forwarder string is starting to make sense now?
  • The address you get when you do 'GetProcAddress' does *not* correspond to what you see in DLL Export Viewer - in fact, 'HeapFree's reported address lies entirely OUTSIDE of kernel32.dll's memory space - pointing instead inside of NTDLL.DLL, at (guess what?): RtlFreeHeap.
So, on XP SP3, looking up 'HeapFree' with GetProcAddress, you get: 0x7C90FF2D. Doesn't match what was reported with DLL Export Viewer AT ALL. However - go back, and now look at NTDLL.DLL with DLL Export Viewer, and at function 'RtlFreeHeap' (following the logic of the Forwarder Function string). What is reported for RtlFreeHeap? Relative Address: 0x0000ff2d, 'Loaded' address: 0x7c90ff2d. See now how it lines up with what was reported via GetProcAddress for 'HeapFree' in KERNEL32.DLL?

So, there you have it in a nutshell - Forwarder functions are functions 'rerouted' to another DLL. The DLL's that are being rerouted to are either:

  • A.) Pre-loaded by the system (Important DLL's like NTDLL.DLL, KERNEL32.DLL, USER32.DLL, GDI32.DLL, etc - are all permanently loaded)
  • B.) Loaded upon a program's execution if the function is in its 'Imports' list, or
  • C.) Loaded upon a call to GetProcAddress. To see how this works clearly, list the modules that are loaded (my Process Functions UDF GUI can do this for you), then call GetProcAddress for 'GetServiceW' from WSOCK32.DLL, and then re-list the modules again. You'll see a new module loaded up - MSWSOCK.DLL (the location of the forwarder function). Wa-la, forwarder is set up.
Ascend4nt's AutoIT Code License agreement:

While I provide this source code freely, if you do use the code in your projects, all I ask is that:

  • If you provide source, keep the header as I have put it, OR, if you expand it, then at least acknowledge me as the original author, and any other authors I credit
  • If the program is released, acknowledge me in your credits (it doesn't have to state which functions came from me, though again if the source is provided - see #1)
  • The source on it's own (as opposed to part of a project) can not be posted unless a link to the page(s) where the code were retrieved from is provided and a message stating that the latest updates will be available on the page(s) linked to.
  • Pieces of the code can however be discussed on the threads where Ascend4nt has posted the code without worrying about further linking.

Download the ZIPs from my Site

UPDATES:

7-21-2010:

Added:

  • C++ Function Name Undecorating/Unmangling option. For an example of what this causes function name results to be, check out something like 'msvcrt.dll'. It will report alot more than just a function name! If you choose to do the Undecorating yourself, just call the included function _WinAPI_UndecorateName().

    Example: "??3@YAXPAX@Z" becomes "void __cdecl operator delete(void *)" unmanged/undecorated

  • New _ProcessGetWinPEImportExports module (with Test program) as a separate download - requires use of my Process Functions UDF. The biggest benefits, besides looking into loaded DLL's that might not be on the disk? Addresses reported are real, and Imported function addresses are reported (as pulled from Thunk locations).
7-12-2010:

Fixed:

  • Oops, Big-time logic errors in mapping Export function names to addresses and using ordinals to look them up from pointer tables. Now everything points to where it should!
  • Ordinal #'s are now correctly calculated with the 'Base' # part of the EXPORT DIRECTORY TABLE.
Added:
  • 'Forwarder' string lookup & reporting! Not even DLL Export Viewer does this! Basically, certain function 'pointers' aren't really code offsets, but offsets to Forwarder strings. My function looks those strings up and puts them in the list instead of a phoney address.
7-11-2010:

Fixed:

  • Executables linked with Borland's TLINK32.exe do not set the 'ImportLookupTableRVA' element correctly. This was easy to work around, as the 'Thunks' list also contains pointers to the same information (until an executable/DLL is loaded by the O/S, at least)
Added:
  • Imports: Extra column: Virtual Offset of Thunk ( [3] ). When an .EXE or .DLL is loaded, this is the Offset from the base of the .EXE or .DLL which will hold the actual function address. This could be used for redirection of calls (dangerous though!).

    ...

    An important note on this: Compressed executables are a completely different beast, and in fact the whole Import section is for the Decompressor itself, which disappears once the executable is loaded! The only way to get the actual Imports for Compressed Executables is to Decompress them first.

Edited by Ascend4nt
1 person likes this

Share this post


Link to post
Share on other sites



#2 ·  Posted (edited)

Nicely done.

To ease your frustration though, you should check out DLL Export Viewer from NirSoft.

Edited by wraithdu

Share this post


Link to post
Share on other sites

Thanks. I've been using DLL Export Viewer actually - But it doesn't report on Imports, and I'd rather not have to rely on using another program just for Exports.

Share this post


Link to post
Share on other sites

Fascinating work.

This is really going to come in handy.


[Not using this account any more. Using "iShafayet" instead]

Share this post


Link to post
Share on other sites

This is a very useful UDF.


Determined -- Devoted -- Delivered Make your mind up -- to seriously apply yourself -- accomplishing the desired results. **** A soft answer turneth away wrath: but grievous words stir up anger. Proverbs 15:1 KJB ****

Share this post


Link to post
Share on other sites

#6 ·  Posted (edited)

Thanks everyone for the compliments.

I've updated the UDF after reading about Borland's TLINK32 issue. All files should report the right Import information now, though I still have yet to figure out the 'forwarding' thing with certain Exports (that return an Offset of 0).

UPDATES:

7-11-2010:

Fixed:

  • Executables linked with Borland's TLINK32.exe do not set the 'ImportLookupTableRVA' element correctly. This was easy to work around, as the 'Thunks' list also contains pointers to the same information (until an executable/DLL is loaded by the O/S, at least)
Added:

  • Imports: Extra column: Virtual Offset of Thunk ( [3] ). When an .EXE or .DLL is loaded, this is the Offset from the base of the .EXE or .DLL which will hold the actual function address. This could be used for redirection of calls (dangerous though!).

    ...

    An important note on this: Compressed executables are a completely different beast, and in fact the whole Import section is for the Decompressor itself, which disappears once the executable is loaded! The only way to get the actual Imports for Compressed Executables is to Decompress them first.

Edited by Ascend4nt

Share this post


Link to post
Share on other sites

#7 ·  Posted (edited)

Sorry for the short time between updates, but I found a major issue with my code, and at the same time added something new - not even DLL Export Viewer has Forwarder-String information :blink:

Check out these examples of Forwarder strings inside DLL's (2nd example is an extreme case!)

Posted Image..Posted Image

Onto the updates:

UPDATES:

7-12-2010:

Fixed:

  • Oops, Big-time logic errors in mapping Export function names to addresses and using ordinals to look them up from pointer tables. Now everything points to where it should!
  • Ordinal #'s are now correctly calculated with the 'Base' # part of the EXPORT DIRECTORY TABLE.
Added:

  • 'Forwarder' string lookup & reporting! Not even DLL Export Viewer does this! Basically, certain function 'pointers' aren't really code offsets, but offsets to Forwarder strings. My function looks those strings up and puts them in the list instead of a phoney address.
Edited by Ascend4nt

Share this post


Link to post
Share on other sites

Really Awesome work!

Thxs for share!


[size="5"] [/size]

Share this post


Link to post
Share on other sites

Updated!

7-21-2010:

Added:

  • C++ Function Name Undecorating/Unmangling option. For an example of what this causes function name results to be, check out something like 'msvcrt.dll'. It will report alot more than just a function name! If you choose to do the Undecorating yourself, just call the included function _WinAPI_UndecorateName().

    Example: "??3@YAXPAX@Z" becomes "void __cdecl operator delete(void *)" unmanged/undecorated

  • New _ProcessGetWinPEImportExports module (with Test program) as a separate download - requires use of my Process Functions UDF. The biggest benefits, besides looking into loaded DLL's that might not be on the disk? Addresses reported are real, and Imported function addresses are reported (as pulled from Thunk locations).

Share this post


Link to post
Share on other sites

Would it be possible to use parts of this library to validate that exports of a system DLL have not been dynamically remapped within the process where my script is running?

D.

Share this post


Link to post
Share on other sites

I'm not sure I understand. Do you mean that imports in your process (which are mapped to exports from DLL's) are being redirected to a different address than they should be? Theoretically it would be possible to check them, if the LoadLibrary/GetProcAddress API functions needed by DLLCall() were not themselves remapped to something that prevents them from working correctly.

Probably the best thing for you to do is to use UPX or some other compression utility which makes it more difficult for someone to get and remap the imports for your app.

I would also say that its possible to do using compiled machine code that goes through the PEB and module lists, but machine code still requires a DLLCall() to use from AutoIt..

Share this post


Link to post
Share on other sites

I'm actually trying to detect when aclayers.dll might be redirecting registry writes.

Share this post


Link to post
Share on other sites

Not sure what aclayers is, but sounds easy enough. Use DLLCall to call 'GetProcAddress' for the different registry API calls, and compare those returned values to the process's loaded addresses for those API calls. If there's a difference, then they are being redirected. You can even go further to see where the module address is located by comparing it against the loaded modules' start and 'end' (start+size) addresses.

Share this post


Link to post
Share on other sites

First off, you mean 33.4KB uncompressed (for the File Import/Exports info).

Secondly, NirSoft's DLL Export Viewer incorrectly reports the code address, because that function doesn't actually exist in kernel32.dll. In the PE, it gives an offset that points to a 'forwarder' string. That means that "NTDLL.RtlAddVectoredExceptionHandler" tells you where the function really exists - in NTDLL.DLL, as the function name RtlAddVectoredExceptionHandler. Read my first post, hopefully that will help you understand what forwarding is, and why NirSoft's program reports bad information.

Share this post


Link to post
Share on other sites

How about that - Nirsoft actually listened to feedback :huh2:

DLL Export Viewer finally has forwarder string information reported correctly as of v1.50.

On another note.. I've noticed some .EXE files are putting Imports all over - inside different sections of the PE. wth? Anyway.. causes the program to crash currently, so if anyone sees a crash, this is most likely whats happening. I'd call it non-standard, but Windows handles it fine, as do some other PE viewers (some crash though). That was a very annoying bugger to track down.

What this means is that I need to search for the right section and recalculate RVA Offsets for each and every Import. What a pain.. Anyhoo.. that's on my to-do list for the next version. Just thought I'd at least log the problem here in the meantime and tell y'all to update your copy of DLL Export Viewer as well ;)

Share this post


Link to post
Share on other sites

#16 ·  Posted (edited)

Any sample code how you use export functions of a dll to my own script would appreciated?

Thanks

Edited by mailro

Share this post


Link to post
Share on other sites

You'd need to figure that out for yourself. If you are planning on calling a function in a DLL, you need to know what parameters it takes, as well as the return value. If its a standard Microsoft DLL, you can find the documentation for the function on MSDN. Any other DLL's, you need to know who made it and then check their website for info on calling the functions. I think WinAPIOverride32 lets you explore how certain DLL functions are called, though the program seems to crash more than anything for me.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Similar Content

    • ur
      By ur
      With  ProcessList ( ["name"] )  we are able to get the running process list from the local machine.
       
      Is there anyway to get the list from Remote machine, more precisely to get to know the status whether a particular application is running or not on remote machine using AutoIT?
       
      We can implement through PSList.exe, but again we need to parse the text of it to read the output.
      Is there any direct UDF in AutoIT?
    • Luigi
      By Luigi
      Greetings, someone can give a exemple, how send a error from a C#'s dll to AutoIt?
      I use this line, to send an error... but, I want get a error code In AutoIt with macro @error, it's possible?
       
      throw new ArgumentException("arquivo map não existe", "value" ); In this way, work, I know ther are error, but, @errror always is zero.
      I don't want this, I want a number as error code.
      Can you help me?
       
      Best regards
    • nss
      By nss
      Hi all,
       
      I am making a program in which I use Bass audio library (with the wrapper for autoit that I found here on forums I think) because of its support for dx effects.
      My problem, though, is that when effects as reverb or echo/delay are added, the channel length is not extended as to fit the tail of the effect, so if the file was really short, you wouldn't even hear the reverb at all.
      I've tried setting the  buffer parameter even to 60k ms, updating the channel length to 60k ms, but nothing makes it so that the effects aren't being cut off.
      I've heard that I could add silence manually to wave files by adding the chr(0) characters, but haven't had any luck doing that, either.
      What I'm doing:
      initialize bass use streamCreateFile to load the wave file with the fx flag and length parameter set to 60000 set the config buffer to 60000 use channel set fx to add dx8 reverb use channel play to play the sound use bass update to update the length to 60000  
      I even tried having only silence in one wave file and tried joining two wave files together, but that didn't work either.
       
      Any help would be very much appreciated.
    • usmiv4o
      By usmiv4o
      #cs ---------------------------------------------------------------------------- AutoIt Version: 3.2.4.3 Author: usmiv4o Script Function: AutoIt script to check if files in directory are changed. It is usefull for security contra-inteligense measures. Function Name: LoadTripwireDB() Description: Loads database (text file tripwire.txt) and compare files in /test folder for changes. compares Hash (MD5) checksums. If they are not the same starts Initial() Function Name: Initial() Description: Checks directory and makes index of files and their MD5 checksums in text file (tripwire.txt) Function Name: Hush() Description: Checks file and returns its MD5 checksum. Requirement(s): Windows XP Return Value(s): On Success - Returns true. Files are the same as before. On Failure - return false. Example: LoadTripwireDB() #ce ---------------------------------------------------------------------------- #include <Crypt.au3> #include <File.au3> #include <Array.au3> $sDir = @ScriptDir & "\Test" $sFilePath = @ScriptDir & "\tripwire.txt" Func Hush(ByRef $sFile) $sRead = FileOpen( $sFile) $dHash = _Crypt_HashData($sRead, $CALG_MD5) ; Create a hash of the text entered. ConsoleWrite("Hash of file " & $sFile & " is " & $dHash & @CRLF) EndFunc ;ConsoleWrite("Files in Dir are " & $aScriptDir[0] & @CRLF) ;$sFilePath = @ScriptDir & "\Examples.txt" ;_FileWriteFromArray($sFilePath, $aScriptDir, 1) ;_ArrayDisplay($aScriptDir, "1D display") Func Initial() $aScriptDir = _FileListToArray($sDir) for $i = 1 To UBound($aScriptDir) - 1 $dHash = _Crypt_HashData($i, $CALG_MD5) ;ConsoleWrite("File " & $aScriptDir[$i] & " is " & $dHash & @CRLF) ConsoleWrite($aScriptDir[$i] & ":" & $dHash & @CRLF) ;Hush($aScriptDir[$i]) ;FileWrite $hFileOpen = FileOpen($sFilePath, $FO_APPEND) If $hFileOpen = -1 Then MsgBox($MB_SYSTEMMODAL, "", "An error occurred when reading the file.") EndIf FileWrite($hFileOpen, $aScriptDir[$i] & ":" & $dHash & @CRLF) Next EndFunc Func Monitor() $aScriptDir = _FileListToArray($sDir) for $i = 1 To UBound($aScriptDir) - 1 Next EndFunc Func LoadTripwireDB() $comparison_ok = false $dArray = _FileListToArray($sDir) ;directory $dArray0 = UBound($dArray) - 1 $fArray = FileReadToArray($sFilePath) ;file $fArray0 = UBound($fArray) ;_ArrayDisplay($dArray, "files array") if $dArray0 = $fArray0 Then ; are file same as recorded in txt file? ;ConsoleWrite("files in monitoring dir: " & $dArray[0] & " = file recorded: " & $fArray0 & @CRLF & $fArray[0]& @CRLF) for $i = 1 To UBound($dArray) - 1 ;ConsoleWrite("i = " & $i & @CRLF) $dHash = _Crypt_HashData($i, $CALG_MD5) ;binary ;$dHash = BinaryToString($dHash) $ffhash = StringSplit( $fArray[$i-1],":") $fhash = $ffhash[2] ;ConsoleWrite("IsBinary $dHash " & IsBinary($dHash) & @CRLF) if $dHash = $fhash Then ;if compared hashes are equal ;ConsoleWrite($fhash & ":" & $dHash & " equal" & @CRLF) ;ConsoleWrite("File: " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal: yes " & @CRLF) Else ;if compared hashes are not equal ;ConsoleWrite("File: " & $fhash & @CRLF & "Directory: " & $dHash & @CRLF & "equal: not " & @CRLF) ;MsgBox(0,"hash md5",$fhash & ":" & $dHash & " not equal") EndIf Next ;ConsoleWrite("hashes are equal" & @CRLF) $comparison_ok = true Else ConsoleWrite("number of files in monitoring dir are not same as recorded" & @CRLF) ConsoleWrite("directory: " & $dArray[0] &":"& "files: " & UBound($fArray) - 1 & @CRLF) EndIf Return $comparison_ok EndFunc #main if LoadTripwireDB() = true Then ConsoleWrite(" hashes are equal " & @CRLF) ElseIf LoadTripwireDB() <> true Then ConsoleWrite(" hashes are not equal " & @CRLF) ConsoleWrite(" hashes are not equal " & @CRLF) Initial() EndIf  
      tripwire.au3
      tripwire.txt
    • Nareshm
      By Nareshm
      If Process exits then end process and ;Some code here {1}
       
      If Process does not exits then ; My {1} Code