piccaso Posted May 16, 2007 (edited)

On my way to learning more about the Windows modules and APIs I recently discovered a nice and easy way of detouring APIs. This is what came out.

But from some point of view it's a bad joke, because it requires a DLL to be FileInstall()ed in order to load a DLL from memory. And it has other drawbacks. For example, DllMain() never gets called for the DLL_THREAD_* stuff. And you can't use UPX to compress the compiled exe because it doesn't preserve the import table; maybe there is an option for this, I don't know, but PackMan with the 'Retain Header' option checked works. Anyway, the DLLs (both the inline one and the one which needs to be FileInstalled) can be compressed with UPX without problems.

Here is an example of how it could be done:

```autoit
#compiler_useupx = n
#include "DllCallHack.h.au3"
#include "Stupid.au3" ; _Stupid() is in there

; Like DllOpen() but it expects a Binary or DllStruct
$hStupid = _DllOpenBinary(_Stupid())

; 'dummy' forwards the string to MessageBoxA and returns the length of it
$aTmp = DllCall($hStupid, "int:cdecl", "dummy", "str", "It Works :)")
ConsoleWrite("dummy returns: " & $aTmp[0] & @CRLF)

; Bye bye Library...
DllClose($hStupid)
```

Tested with the current release (3.2.4.0) on WinXP, Win2k and Wine 0.9.17.

You decide if it's useful or just a bad hack, but be warned: as of now this is just an experiment, use it at your own risk.

Attachment: DllCallHack_v0.3.zip

Edited May 18, 2007 by piccaso
faldo Posted May 16, 2007

Seems you did some great research... Why would you need to load a DLL from memory? Is it to access functions of a program that otherwise you couldn't access, or what? Please explain more.
zatorg Posted May 16, 2007 (edited)

Nice work piccaso (it would be very nice to see the sources of the DLL if possible). This is the hack of the month...

Anyway, although I can't seem to find a way of using this, I know another thing that might be really useful (unfortunately, mostly for malicious soft coders): loading a Windows PE executable into memory. I know it's different, but it too has exportable symbols (hence ntoskrnl.exe, which is used by many ring0 programs). It has a large PE header that would have to be parsed. Yet this would be very interesting... If you're into this stuff, consider writing a dynamic EXE loader; this would blow everyone's mind (at least mine).

Edited May 16, 2007 by zatorg
WolfWorld Posted May 17, 2007

Great, now I know what is in that DLL.
piccaso Posted May 17, 2007 (Author)

> Seems you did some great research... Why would you need to load a DLL from memory? Is it to access functions of a program that otherwise you couldn't access, or what? Please explain more.

To make it possible to bundle a DLL with a compiled script and load it without additional disk I/O.

> Nice work piccaso (it would be very nice to see the sources of the DLL if possible). This is the hack of the month... Anyway, although I can't seem to find a way of using this, I know another thing that might be really useful (unfortunately, mostly for malicious soft coders): loading a Windows PE executable into memory. I know it's different, but it too has exportable symbols (hence ntoskrnl.exe, which is used by many ring0 programs). It has a large PE header that would have to be parsed. Yet this would be very interesting... If you're into this stuff, consider writing a dynamic EXE loader; this would blow everyone's mind (at least mine).

I restructured the source for easier understanding; it will be included in the next update. But be warned, the base is written in FreeBASIC and there is a C part and a C++ part... so you need at least gcc and fbc to compile it.

Maybe if I treat the entry point like Main() instead of DllMain() it works with exes too. But the exe will behave like chained, and resources which are not explicitly freed will remain in use because it doesn't happen in a separate process... This probably leads to trouble, but I'll try it.

> Great, now I know what is in that DLL.

It was never meant to be kept secret. You probably mean something different, right?
zatorg Posted May 17, 2007 (edited)

Thank you for the sources... Eagerly waiting. Wow, nice, mixed languages... A C and a C++ separate part? Wow.

You mean that despite i.e. the .text section which wouldn't work (unless you parse that too?) and the lack of memory dealloc it would work with an EXE? That is very interesting indeed... Looking forward to new stuff... Thanks for giving it a try.

Edited May 17, 2007 by zatorg
piccaso Posted May 18, 2007 (Author)

It's mixed because I don't want to spend much time translating between languages. The C++ API interception routine is just copy and paste from an example; the C 'DLL in memory' thing is a slightly modified library from Joachim Baum. My FreeBASIC part only wraps it together.

I was able to load and execute an exe from memory, but only for exes I built myself. I found a MASM example on how to do it, but I have no idea what to do with resources, and it's near impossible if the header was modified by a packer... So I ripped out the half-working exe functions for now.

Source is now included in the first post.
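To make concrete what "loading a DLL from memory" involves, and why a packer-modified header or a missing import table breaks it (as piccaso and zatorg discuss above), here is an added worked example. It is not code from this thread, from DllCallHack, or from the C library piccaso wraps; it is written in Python so it runs anywhere, and it only covers the first two steps a memory loader performs before it can hand back something DllCall() could use: mapping the sections of the raw file at their VirtualAddress, and walking IMAGE_EXPORT_DIRECTORY to resolve a name such as "dummy" to an RVA. A real loader must additionally apply base relocations, resolve the import table, set page protections and call DllMain(). The PE32 image it parses is constructed inline (the DLL name "stupid.dll", the exports "dummy", "helper" and "fwd", the stub bytes, and the forwarder target "KERNEL32.GetTickCount" are all invented for the example); it exercises the forwarder edge case, where an export's "address" is a string pointing at another module rather than code.

```python
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000

def u16(b, o): return struct.unpack_from("<H", b, o)[0]
def u32(b, o): return struct.unpack_from("<I", b, o)[0]
def align(n, a): return (n + a - 1) & ~(a - 1)


def build_sample_dll():
    """Constructed on-disk PE32 DLL image (not a real compiler output): two tiny
    x86 stubs in .text and an .edata section exporting dummy, helper and a forwarder."""
    text = b"\xB8\x2A\x00\x00\x00\xC3".ljust(0x10, b"\xCC") + b"\xB8\x07\x00\x00\x00\xC3"
    edata_rva, str_off = 0x2000, 40 + 12 + 12 + 6   # export dir + 3 funcs + 3 names + 3 ordinals
    strings, where = b"", {}
    for s in ("stupid.dll", "dummy", "fwd", "helper", "KERNEL32.GetTickCount"):
        where[s] = edata_rva + str_off + len(strings)     # RVA of each NUL-terminated string
        strings += s.encode() + b"\0"
    funcs = struct.pack("<3I", 0x1000, 0x1010, where["KERNEL32.GetTickCount"])  # [2] is a forwarder
    names = struct.pack("<3I", where["dummy"], where["fwd"], where["helper"])   # sorted by name
    ords = struct.pack("<3H", 0, 2, 1)                                           # name i -> funcs index
    export_dir = struct.pack("<2I2H7I", 0, 0, 0, 0, where["stupid.dll"], 1, 3, 3,
                             edata_rva + 40, edata_rva + 52, edata_rva + 64)
    edata = export_dir + funcs + names + ords + strings
    sections = [(b".text", 0x1000, text, 0x60000020), (b".edata", 0x2000, edata, 0x40000040)]

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    file_hdr = struct.pack("<2H3I2H", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H2B6I", 0x10B, 0, 0, len(text), len(edata), 0, 0, 0x1000, 0x2000)
    opt += struct.pack("<3I6H4I2H6I", 0x10000000, SECT_ALIGN, FILE_ALIGN, 4, 0, 0, 0, 4, 0,
                       0, 0x3000, 0x200, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(edata_rva, len(edata))] + [(0, 0)] * 15                   # only DataDirectory[0] is set
    opt += b"".join(struct.pack("<2I", va, sz) for va, sz in dirs)
    sect_hdrs, raw_ptr = b"", 0x200
    for name, va, data, flags in sections:
        raw_size = align(len(data), FILE_ALIGN)
        sect_hdrs += struct.pack("<8s6I2HI", name, len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += raw_size
    image = (dos + b"PE\0\0" + file_hdr + opt + sect_hdrs).ljust(0x200, b"\0")
    for _, _, data, _ in sections:
        image += data.ljust(align(len(data), FILE_ALIGN), b"\0")
    return image


def parse_headers(raw):
    """Validate DOS/NT headers; return SizeOfImage, SizeOfHeaders, export dir, sections."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = u32(raw, 0x3C)
    if raw[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe + 24                                   # optional header follows the 20-byte file header
    if u16(raw, opt) != 0x10B:
        raise ValueError("only PE32 images are handled here")
    size_of_image, size_of_headers = u32(raw, opt + 56), u32(raw, opt + 60)
    export_dir = (u32(raw, opt + 96), u32(raw, opt + 100))          # DataDirectory[0]
    shdr, sects = opt + u16(raw, pe + 20), []                        # skip SizeOfOptionalHeader
    for i in range(u16(raw, pe + 6)):                                # NumberOfSections
        o = shdr + 40 * i
        sects.append((raw[o:o + 8].rstrip(b"\0"), u32(raw, o + 8), u32(raw, o + 12),
                      u32(raw, o + 16), u32(raw, o + 20)))           # name, vsize, va, rawsize, rawptr
    return size_of_image, size_of_headers, export_dir, sects


def map_image(raw):
    """Lay the file out as the loader would in memory: headers at 0, each section at its
    VirtualAddress, the rest zero-filled. Afterwards RVA == offset into the buffer.
    Relocations, imports and page protections are deliberately not handled."""
    size_of_image, size_of_headers, export_dir, sects = parse_headers(raw)
    if size_of_headers > len(raw):
        raise ValueError("truncated headers")
    mem = bytearray(size_of_image)
    mem[:size_of_headers] = raw[:size_of_headers]
    for name, vsize, va, rawsize, rawptr in sects:
        n = min(vsize, rawsize)                      # bytes past SizeOfRawData stay zero (.bss style)
        if va + vsize > size_of_image or rawptr + n > len(raw):
            raise ValueError("section %r does not fit the image or the file" % name)
        mem[va:va + n] = raw[rawptr:rawptr + n]
    return bytes(mem), export_dir


def parse_exports(mem, export_dir):
    """Walk IMAGE_EXPORT_DIRECTORY of a mapped image. A function RVA that points back
    inside the export directory is a forwarder string ("MODULE.Symbol"), not code."""
    rva, size = export_dir
    if rva == 0:
        return {}
    nfuncs, nnames = u32(mem, rva + 20), u32(mem, rva + 24)
    aof, aon, aono = u32(mem, rva + 28), u32(mem, rva + 32), u32(mem, rva + 36)
    exports = {}
    for i in range(nnames):
        name_rva, idx = u32(mem, aon + 4 * i), u16(mem, aono + 2 * i)
        if idx >= nfuncs:
            raise ValueError("name ordinal out of range")
        name = mem[name_rva:mem.index(b"\0", name_rva)].decode("ascii")
        func_rva = u32(mem, aof + 4 * idx)
        if rva <= func_rva < rva + size:
            exports[name] = ("forward", mem[func_rva:mem.index(b"\0", func_rva)].decode("ascii"))
        else:
            exports[name] = ("rva", func_rva)
    return exports


def load_from_memory(raw):
    mem, export_dir = map_image(raw)
    return mem, parse_exports(mem, export_dir)


if __name__ == "__main__":
    for name, (kind, value) in sorted(load_from_memory(build_sample_dll())[1].items()):
        print("%-8s %s %s" % (name, kind, hex(value) if kind == "rva" else value))
```

Two details matter for the drawbacks discussed in the thread. The mapper copies only min(VirtualSize, SizeOfRawData) bytes per section, so a section that is larger in memory than on disk comes out zero-filled rather than overrunning the buffer; and everything here is driven by the section table and DataDirectory, which is exactly what a packer such as UPX rewrites, so a packed file parses "correctly" but exposes the packer's stub and an empty or bogus export table instead of the original module's.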
zatorg Posted May 18, 2007 (edited)

Thank you for the sources very much! Understood... Yeah, imagine a program which loads a string from the .text section... And you have to parse all this... No thanks! Well, at least it's potentially doable with uncompressed EXEs.

Edited May 18, 2007 by zatorg