Jump to content
Sign in to follow this  
piccaso

Load a dll from memory

Recommended Posts

piccaso

On my way of learning more about the windows modules and api's i recently discovered a nice and easy way of

detouring api's. This is what came out.

But in some point of view its a bad joke because it requires a dll to be FileInstall()ed in order to load a dll from memory.

And it has other drawbacks.

For example DllMain() never gets called for DLL_THREAD_* stuff.

And you cant use upx to compress the compiled exe because it doesn't preserve the import table, mabe

there is an option for this - i dont know - but PackMan with 'Retain Header' option checked works

Anyway the dll's (both - the inline one and the one which needs to be FileInstalled) can be compressed with upx w/o problems.

Here is a example of how it could be done:

#compiler_useupx = n
#include "DllCallHack.h.au3"
#include "Stupid.au3"   ; _Stupid() is in there

; Like DllOpen() but it expects a Binary or DllStruct
$hStupid = _DllOpenBinary(_Stupid())

; 'dummy' Forwards the string to MessageBoxA and retruns the Length of it
$aTmp = DllCall($hStupid,"int:cdecl","dummy","str","It Works :)")
ConsoleWrite("dummy returns: " & $aTmp[0] & @CRLF)

; Bye bye Library...
DllClose($hStupid)

Tested with the current release (3.2.4.0) and WinXP, Win2k & Wine 0.9.17

You decide if its usefull or just a bad hack, but ...

be warned: As of now this is just an experiment, use it at your own risk :)

DllCallHack_v0.3.zip

Edited by piccaso

CoProc Multi Process Helper libraryTrashBin.nfshost.com store your AutoIt related files here!AutoIt User Map

Share this post


Link to post
Share on other sites
faldo

Seems you did some great research...

Why would you need to load a dll from the memory? is it to access functions of a program that otherwise you couldn't access or what? please explain more :)

Share this post


Link to post
Share on other sites
zatorg

Nice work piccaso :) (it would be very nice to see the sources of the DLL if possible). This is the hack of the month...

Anyway although I can't seem to find a way of using this, I know another thing that might be really useful (unfortunately, mostly for malicious soft coders): loading a Windows PE executable into memory. I know it's different but it too has exportable symbols (hence ntoskrnl.exe which is used by many ring0 programs). It has a large PE header that would have to be parsed. Yet this would be very interesting... If you're into this stuff, consider writing a dynamic EXE loader, this would blow everyone's mind (at least mine's) :D

Edited by zatorg

Share this post


Link to post
Share on other sites
piccaso

Seems you did some great research...

Why would you need to load a dll from the memory? is it to access functions of a program that otherwise you couldn't access or what? please explain more :D

to make it possible to bundle a dll with a compiled script and load it without additional disk i/o

Nice work piccaso :D (it would be very nice to see the sources of the DLL if possible). This is the hack of the month...

Anyway although I can't seem to find a way of using this, I know another thing that might be really useful (unfortunately, mostly for malicious soft coders): loading a Windows PE executable into memory. I know it's different but it too has exportable symbols (hence ntoskrnl.exe which is used by many ring0 programs). It has a large PE header that would have to be parsed. Yet this would be very interesting... If you're into this stuff, consider writing a dynamic EXE loader, this would blow everyone's mind (at least mine's) :D

I restructured the source for easier understanding, it will be included in the next update.

but be warned, the base it written in freebasic and there is a c part and a c++ part... so you need at least gcc and fbc to compile it :D

Maybe if i threat the entry point like Main() instead of DllMain() it works with exe's too.

But the exe will behave like chained and resources which are not explicitly freed will remain used because it doesent happen in a seperate process...

This Probably leads into trouble but i'll try it :ph34r:

Great now i know what in that dll

it never ment to keep it secret :)

you probably mean something different right ?


CoProc Multi Process Helper libraryTrashBin.nfshost.com store your AutoIt related files here!AutoIt User Map

Share this post


Link to post
Share on other sites
zatorg

Thank you for the sources... Eagerly waiting :D Wow, nice, mixed languages.. A c and a c++ seperate part? Wow :D

You mean that despite i.e. .text section which wouldn't work (unless you parse that too?) and lack of memory dealloc it would work with an EXE? That is very interesting indeed... :) Look forward to new stuff... Thanks for giving it a try.

Edited by zatorg

Share this post


Link to post
Share on other sites
piccaso

Its mixed because i dont want to spend much time in translating between languages.

The c++ api interception routine is just copy and paste from an example,

the c 'dll in memory' thing is a slightly modified library from Joachim Baum.

My Freebasic part only wraps it together :)

I was able to load and execute an exe from memory but only for exe's i built myself.

i found a masm example on how to do it but i have no idea what to do with resources and its

near to impossible if the header was modified by a packer...

So i ripped out the half working exe func's for now.

source is now included in first post.


CoProc Multi Process Helper libraryTrashBin.nfshost.com store your AutoIt related files here!AutoIt User Map

Share this post


Link to post
Share on other sites
zatorg

Thank you for the sources very much!

Understood... Yeah imagine a program which loads a string from .text section... And you have to parse all this... No thanks! Well at least it's potentially doable with uncompressed EXEs :)

Edited by zatorg

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×