Load a dll from memory

[piccaso]

On my way of learning more about the windows modules and api's i recently discovered a nice and easy way of

detouring api's. This is what came out.

But in some point of view its a bad joke because it requires a dll to be FileInstall()ed in order to load a dll from memory.

And it has other drawbacks.

For example DllMain() never gets called for DLL_THREAD_* stuff.

And you cant use upx to compress the compiled exe because it doesn't preserve the import table, mabe

there is an option for this - i dont know - but PackMan with 'Retain Header' option checked works

Anyway the dll's (both - the inline one and the one which needs to be FileInstalled) can be compressed with upx w/o problems.

Here is a example of how it could be done:

#compiler_useupx = n
#include "DllCallHack.h.au3"
#include "Stupid.au3"   ; _Stupid() is in there

; Like DllOpen() but it expects a Binary or DllStruct
$hStupid = _DllOpenBinary(_Stupid())

; 'dummy' Forwards the string to MessageBoxA and retruns the Length of it
$aTmp = DllCall($hStupid,"int:cdecl","dummy","str","It Works :)")
ConsoleWrite("dummy returns: " & $aTmp[0] & @CRLF)

; Bye bye Library...
DllClose($hStupid)

Tested with the current release (3.2.4.0) and WinXP, Win2k & Wine 0.9.17

You decide if its usefull or just a bad hack, but ...

be warned: As of now this is just an experiment, use it at your own risk

DllCallHack_v0.3.zip

Edited May 18, 2007 by piccaso

[faldo]

Seems you did some great research...

Why would you need to load a dll from the memory? is it to access functions of a program that otherwise you couldn't access or what? please explain more

[zatorg]

Nice work piccaso (it would be very nice to see the sources of the DLL if possible). This is the hack of the month...

Anyway although I can't seem to find a way of using this, I know another thing that might be really useful (unfortunately, mostly for malicious soft coders): loading a Windows PE executable into memory. I know it's different but it too has exportable symbols (hence ntoskrnl.exe which is used by many ring0 programs). It has a large PE header that would have to be parsed. Yet this would be very interesting... If you're into this stuff, consider writing a dynamic EXE loader, this would blow everyone's mind (at least mine's)

Edited May 16, 2007 by zatorg

[WolfWorld]

Great now i know what in that dll

[piccaso]

Seems you did some great research...

Why would you need to load a dll from the memory? is it to access functions of a program that otherwise you couldn't access or what? please explain more

to make it possible to bundle a dll with a compiled script and load it without additional disk i/o

Nice work piccaso (it would be very nice to see the sources of the DLL if possible). This is the hack of the month...

Anyway although I can't seem to find a way of using this, I know another thing that might be really useful (unfortunately, mostly for malicious soft coders): loading a Windows PE executable into memory. I know it's different but it too has exportable symbols (hence ntoskrnl.exe which is used by many ring0 programs). It has a large PE header that would have to be parsed. Yet this would be very interesting... If you're into this stuff, consider writing a dynamic EXE loader, this would blow everyone's mind (at least mine's)

I restructured the source for easier understanding, it will be included in the next update.

but be warned, the base it written in freebasic and there is a c part and a c++ part... so you need at least gcc and fbc to compile it

Maybe if i threat the entry point like Main() instead of DllMain() it works with exe's too.

But the exe will behave like chained and resources which are not explicitly freed will remain used because it doesent happen in a seperate process...

This Probably leads into trouble but i'll try it

Great now i know what in that dll

it never ment to keep it secret

you probably mean something different right ?

[zatorg]

Thank you for the sources... Eagerly waiting Wow, nice, mixed languages.. A c and a c++ seperate part? Wow

You mean that despite i.e. .text section which wouldn't work (unless you parse that too?) and lack of memory dealloc it would work with an EXE? That is very interesting indeed... Look forward to new stuff... Thanks for giving it a try.

Edited May 17, 2007 by zatorg

[piccaso]

Its mixed because i dont want to spend much time in translating between languages.

The c++ api interception routine is just copy and paste from an example,

the c 'dll in memory' thing is a slightly modified library from Joachim Baum.

My Freebasic part only wraps it together

I was able to load and execute an exe from memory but only for exe's i built myself.

i found a masm example on how to do it but i have no idea what to do with resources and its

near to impossible if the header was modified by a packer...

So i ripped out the half working exe func's for now.

source is now included in first post.

[zatorg]

Thank you for the sources very much!

Understood... Yeah imagine a program which loads a string from .text section... And you have to parse all this... No thanks! Well at least it's potentially doable with uncompressed EXEs

Edited May 18, 2007 by zatorg