Pelles C forum
C language => Work in progress => Topic started by: czerny on October 11, 2014, 01:05:34 PM
-
Hallo,
I have in w2k once again the problem that the update of one of my favorite programs don't run, because of not finding (of course) DecodePointer.
So I decided to do the following:
- Rename Kernel32.dll to Kernel32o.dll
- Write a DLL named Kernel32.dll which
- passes all regular w2k functions on to Kernel32o.dll
- implements a replacement of the missing functions
This is a rough concept!!!
So in the first step I am searching for information about this subject.
Any idea is wellcome!
I am also looking for a lightwight virtual machine to test this.
Hope, anybody could help
czerny
-
Seems to be too silly or too difficult
-
It would mean to know, for all Kernel32 functions, the number and size of parameters, and to implement an interface to pass them on. Quite an overkill. Why don't you implement DecodePointer as a macro, and put that into the header file?
-
It would mean to know, for all Kernel32 functions, the number and size of parameters, and to implement an interface to pass them on. Quite an overkill. Why don't you implement DecodePointer as a macro, and put that into the header file?
I would like to run compiled third party software, not my own!
Edit: The pass through should word this way
LIBRARY Kernel32.dll
EXPORTS
MulDiv=KERNEL32ORG.MulDiv
.
.
.
without any knowledge about parameters.
-
I have just made a little research about ordinal values of kernel functions.
Result: They seem to vary between different os versions.
Can someone provide me with the ordinal of LocalAlloc in win7 and win8 resp.?
And an other question:
a statment like : Version 5.1.2600.5781
what is the 5781 here?
-
What you want to do is many times addressed as 'rootkit' and associated to malware or spy software, even if many AV, like kasperky, use that techniqe to intercept and control the whole system.
The job is not trivial, you can found some codes on underground sites (be carefull and keep strong the AV ;D). Anyway expect to be tagged as 'malware' from your AV.
I have just made a little research about ordinal values of kernel functions.
Result: They seem to vary between different os versions.
No you're wrong that'will break compatibility and legacy for some old, and not so old, sw. Any compatible call existing on a previous version should keep the same ordinal for standard 'kernel32.dll', 'user32.dll', etc.
Of course 'ntdll.dll' may change because you are supposed to to never use it directly...
And an other question:
a statment like : Version 5.1.2600.5781
what is the 5781 here?
Not sure, but should be 5.1=OS=XP, 2600=Original Build, 5781=Subversion=Service pack3
Maybe you want consider a different approach hooking the system calls or injecting DLL, have a look here (http://www.codeproject.com/Articles/2082/API-hooking-revealed)... The article give also some hints on 'proxyDll' (rootkit) that, again, is very hard when you are dealing with kernel.dll...
-
I would like to run compiled third party software, not my own!
OK, I misunderstood that. Could a global hook on GetProcAddress work?
-
Any compatible call existing on a previous version should keep the same ordinal for standard 'kernel32.dll', 'user32.dll', etc
Functions exported by name have different ordinals on different OS versions, as you're supposed to import them by name. Things exported by ordinal have static ordinals, otherwise those would break, as you said. For instance, LocalAlloc that czerny asked for goes like this:
LocalAlloc
Ordinal Platform
486 2000 SP0
486 2000 SP1
486 2000 SP2
489 2000 SP3
490 2000 SP4
837 7 SP0
837 7 SP1
970 8 SP0
943 8.1
501 95 RTM
501 95 SP1
503 95 OSR 2
506 95 OSR 2.5
506 95 OSR 2-USB
560 98
560 98 SE
575 ME
314 NT31 SP0
314 NT31 SP3
372 NT35 SP0
372 NT35 SP3
383 NT351 SP0
383 NT351 SP2
386 NT351 SP3
386 NT351 SP4
386 NT351 SP5
407 NT4 SP1
407 NT4 SP2
408 NT4 SP3
408 NT4 SP4
408 NT4 SP5
408 NT4 SP6a
591 Server2003 SP0
601 Server2003 SP1
601 Server2003 SP2
767 Server2008 SP1
767 Server2008 SP2
762 Vista SP0
767 Vista SP1
767 Vista SP2
565 XP SP0
577 XP SP1a
584 XP SP2
587 XP SP3
while MirrorIcon (http://msdn.microsoft.com/en-us/library/windows/desktop/bb775705(v=vs.85).aspx) that's only exported by ordinal goes like this
MirrorIcon
Ordinal Platform
414 2000 SP0
414 2000 SP1
414 2000 SP2
414 2000 SP3
414 2000 SP4
414 7 SP0
414 7 SP1
414 8 SP0
... etc
For the problem, I'd say find an older version of polink or an alternate linker that'll make the def export-forwarding work. It'll be the least painful.
-
I'd say find an older version of polink or an alternate linker that'll make the def export-forwarding work. It'll be the least painful.
Hi Aardvajk,
Czerny needs a Kernel32.dll for a third party application, i.e. no source, that's why I suggested a global hook on GetProcAddress above.
-
No you're wrong that'will break compatibility and legacy for some old, and not so old, sw. Any compatible call existing on a previous version should keep the same ordinal for standard 'kernel32.dll', 'user32.dll', etc.
Of course 'ntdll.dll' may change because you are supposed to to never use it directly...
Hmm, how is the ordinal of LocalAlloc in your os kernel?
They must change! in w2k there is no DecodePointer(), in XPsp3 there is that function. The function have to be in alphabetical order. So the ordinals must change. Think about it!
-
Maybe you want consider a different approach hooking the system calls or injecting DLL, have a look here (http://www.codeproject.com/Articles/2082/API-hooking-revealed)... The article give also some hints on 'proxyDll' (rootkit) that, again, is very hard when you are dealing with kernel.dll...
Thank you! Interesting articel! I must study it first.
Most time there is stuff about hooking an existing function. But I will insert not existing functions.
-
I'd say find an older version of polink or an alternate linker that'll make the def export-forwarding work. It'll be the least painful.
Hi Aardvajk,
Czerny needs a Kernel32.dll for a third party application, i.e. no source, that's why I suggested a global hook on GetProcAddress above.
No, no, he is right!
I need this feature to make the fake-kernel32.dll.
-
I am also looking for a lightwight virtual machine to test this.
Hope, anybody could help
czerny
QEMU ? here (http://qemu.weilnetz.de/)
-
They must change! in w2k there is no DecodePointer(), in XPsp3 there is that function. The function have to be in alphabetical order. So the ordinals must change. Think about it!
Well the export section is a little bit more complicated and allows you to do it.
The export directory points to 3 tables, a table holding an array of string pointers that points to the function names saved in another part of the PE (tipically readonly), a table holding the ordinal for each function and the real address table holding the functions, or variables or absolutes, addresses. The link between the first two tables is direct: for each function the same index points to its ordinal. When you link dynamically a function you search in the names table for your function, than using the index where you have found it peek the corresponding ordinal. From ordinal you have to subtract the 'base ordinal' and you will get the index in the addresses table ;D.
This mechanism allows to order the symbols so you can perform faster binary searches, but each symbol can have whichever ordinal you want ;D. Moreover using the 'base ordinal' your DLL can have ordinals starting from whichever value you want (not necessarily 1). The only constrain is that you cannot have any 'hole' inside the ordinals serie...
I draft a picture to show it.
If you have time and constance you can also edit the DLL adding entries to export table poining to your functions in a foreign DLL ;D But this thread begins to resemble a trojan development... ::)
-
I am also looking for a lightwight virtual machine to test this.
Hope, anybody could help
czerny
QEMU ? here (http://qemu.weilnetz.de/)
Looks promising! I will try it.
-
I have experimented with forwarding a little.
This is my def file:
LIBRARY "mybeep"
EXPORTS
"MyExportFunction"=_SampleFunction@8
"MyBeep"=Kernel32._Beep@8
podump mybeep.dll /EXPORTS
gives me the following result:
ordinal hint address name
1 0 100046FE MyBeep (forwarded to Kernel32._Beep@8)
2 1 10001010 MyExportFunction
which looks good to me!
podump mybeep.lib /EXPORTS
gives me the following result:
mybeep.dll: MyBeep (MyBeep)
mybeep.dll: MyExportFunction (MyExportFunction)
which looks not so good. Nothing to see from forwarding. I further would expect to see the decorated symbols in braces.
The following test program
#include <windows.h>
#include <stdio.h>
//#define INDIRECT
#ifdef INDIRECT
typedef BOOL (CALLBACK* MYBEEP)(DWORD,DWORD);
void printErr(HRESULT hresult)
{
LPTSTR errorText = NULL;
FormatMessage(
// use system message tables to retrieve error text
FORMAT_MESSAGE_FROM_SYSTEM
// allocate buffer on local heap for error text
|FORMAT_MESSAGE_ALLOCATE_BUFFER
// Important! will fail otherwise, since we're not
// (and CANNOT) pass insertion parameters
|FORMAT_MESSAGE_IGNORE_INSERTS,
NULL, // unused with FORMAT_MESSAGE_FROM_SYSTEM
hresult,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&errorText, // output
0, // minimum size for output buffer
NULL); // arguments - see note
if (errorText)
{
// ... do something with the string - log it, display it to the user, etc.
printf("Error (%d) : %s\n", hresult, errorText);
// release memory allocated by FormatMessage()
LocalFree(errorText);
errorText = NULL;
}
}
#else
BOOL MyBeep(DWORD, DWORD);
#endif
int main(int argc, char *argv[])
{
#ifdef INDIRECT
HINSTANCE hdll = LoadLibrary("MyBeep.dll");
MYBEEP MyBeep;
if (hdll) {
MyBeep = (MYBEEP)GetProcAddress(hdll, "MyBeep");
if (!MyBeep) {
printErr(GetLastError());
FreeLibrary(hdll);
} else {
MyBeep(1000,1000);
}
}
#else
MyBeep(1000,1000);
#endif
return 0;
}
says
POLINK: error: Unresolved external symbol '_MyBeep'.
see the underscore in front!
If INDIRECT is defined, it says:
Error (127) : Die angegebene Prozedur wurde nicht gefunden.
I do not understand what exactly is the problem!
Here again is the problem with the missing underscore.
If I change my def file to:
LIBRARY "mybeep"
EXPORTS
"_MyExportFunction"=_SampleFunction@8
"_MyBeep"=Kernel32._Beep@8I get the system message
Der Prozedureinsprungpunkt "Kernel32._Beep@8" wurde in der DLL "mybeep.dll" nicht gefundenWhat exactly is the os expecting in the export table of my dll to accept this as a function forwarding?
-
At this moment polink can't help you.
You need MicroSoft's link.exe for forwaring dll.
-
Maybe you want try this (http://www.ntcore.com/exsuite.php) tool?
-
Maybe you want try this (http://www.ntcore.com/exsuite.php) tool?
Oh, yes! This helps a lot.
-
I am fighting with Visual C++ 2010 Express:
typedef BOOL (CALLBACK *MYBEEP)(DWORD,DWORD);error C2143: Syntaxfehler: Es fehlt ')' vor '*'
error C2143: Syntaxfehler: Es fehlt '{' vor '*'
error C2059: Syntaxfehler: ')'
I have renamed my files to *.c extension and I have set the /TC option.
Who knows the switch necessary to let this compile?
-
Is windows.h included ?
Or
typedef int BOOL;
typedef unsigned long DWORD;
#define CALLBACK __stdcall