Replies: 6 comments 11 replies
-
If you would like to understand how native .dll loading works - maybe best way to check documentation in or same via Wine Source codes: LdrLoadDll: https://source.winehq.org/source/dlls/ntdll/loader.c#3169 With Wine - the main problem is that it's Windows emulator for Linux, and not actual windows code. You can check the code, but it does not necessarily reflect on how dll loading works. |
Beta Was this translation helpful? Give feedback.
-
Using minhook library I have intercepted some of loading library function calls, like When .dll loading does occurs - all of these functions gets called. But if we embedd .dll into .exe - where to keep .dll binary ? One approach is just clue it inside So by thinking this through - I've quickly coded tool Then - the next question is how to "load" .dll so it would be seen as separate .dll entry (e.g. in process hacker), but not as main executable ? We need to have some filename to invoke In theory if we just create following copy sequence:
and then:
This however requires Also to avoid .dll loading completely - maybe it makes sense to have load dll from named pipe for example (https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-client, A'la My idea was - maybe just copying |
Beta Was this translation helpful? Give feedback.
-
First of all - I've got curious whether I can load .exe as .dll itself. So I just added a call After merging .dll into .exe - first it was just .dll append to end of .exe file - I've noticed that .dll itself does not get loaded by exe. .exe specified in a PE header how bit that one is , and everything I just appended at the end of executable - became just an overlay - garbage data which is ignored. I've decided that maybe with PE files I need to work as PE file - meaning attach .dll to PE as a new data section. I've used See https://github.com/secana/PeNet. That worked out well - in So I've just remapped After that One approach which I have tried as well - is to try to step out from Most of You can just put into watch window And basically after is some sort of conflicting address.
That is as far as I could go. Without having I saw some logging code in |
Beta Was this translation helpful? Give feedback.
-
This is something I have tried to reconsider afterwards - maybe I could just clue By quickly googling for such solutions - I was able to find from here:
https://stackoverflow.com/a/45476609/2338477 Unfortunately that one turned to be quite complex piece of code (involving generation of code) - also supporting only 32-bit executables, but not 64-bit. I've created ticket for this as well: secana/PeNet#243 Which was apparently closed immediately by it's author. I do understand however the complexity behind Btw, similar tool does exists for .net and it's named as |
Beta Was this translation helpful? Give feedback.
-
Referenced documentation: There are multiple sources which I have read through, and some of them sounds more interesting than others - quite often they relate to viruses, vulnerabilities and exploits.
|
Beta Was this translation helpful? Give feedback.
-
Short summary so far: Comparing to managed code (
|
Beta Was this translation helpful? Give feedback.
-
I would like to document so far what I have found, just in case someone else continues this work or invents alternative approach.
Discussion started from this ticket: dotnet/runtime#61073
(Cross posted question to stackoverflow: https://stackoverflow.com/questions/72248319/load-native-c-dll-from-ram-in-debugger-friendly-manner - just to give some hints if there are alternative approaches)
And main problem as I understand it - is to be able to load native (C++) dll's into ram without using file system for this purpose.
Why to avoid file system - I guess there could be several reasons behind it - and one of most commonly known problem is different set of antiviruses making native dll loading more complex. Antivirus might detect any dll as virus itself (false alarm) and prevent whole application from launching.
Like also mentioned in the ticket - there already exists multiple ways to load .dll into ram, but most of them involve PE manual file parsing:
https://www.joachim-bauch.de/tutorials/loading-a-dll-from-memory/
=> https://github.com/fancycode/MemoryModule
https://forum.nim-lang.org/t/7943
That method even thus it would work - is not possible to use with debugging and requires a lot of internal knowledge on PE file format. Even thus Microsoft itself could figure out the details further and add debugging support of such .dll's - loading logic is different than what is happening currently in LoadLibrary and subsequent calls in Windows kernel.
How native .dll loading happens in all details - that is not known to me, but there are various articles, forum messages, tools which are more or less relate to the problem of .dll loading in one way or another. I'll try to collect all relevant links in here as well.
Beta Was this translation helpful? Give feedback.
All reactions