Didier Stevens
Friday 8 September 2017
Quickpost: DllDemo
Filed under: Quickpost — Didier Stevens @ 0:00

This is a quick demo on loading DLLs with standard Windows tools.

I wrote a DLL for this demo:

#include <windows.h>

// Exported with __declspec(dllexport); extern "C" keeps the name unmangled
extern "C" __declspec(dllexport) void ExportedFunction(void)
{
    OutputDebugString("ExportedFunction");
    MessageBox(NULL, "Hello from ExportedFunction, DemoDll!", "DemoDll", MB_OK);
}

// DLL entrypoint, called by the loader on process/thread attach and detach
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        OutputDebugString("DLL_PROCESS_ATTACH");
        MessageBox(NULL, "Hello from DllMain, DemoDll!", "DemoDll", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
        OutputDebugString("DLL_THREAD_ATTACH");
        break;
    case DLL_THREAD_DETACH:
        OutputDebugString("DLL_THREAD_DETACH");
        break;
    case DLL_PROCESS_DETACH:
        OutputDebugString("DLL_PROCESS_DETACH");
        break;
    }
    return TRUE;
}

A message box is displayed when DllMain (the entrypoint of the DLL) is called as the DLL is loaded into a process, and another message box is displayed when function ExportedFunction is executed. Function ExportedFunction is prefixed by __declspec(dllexport) to export the function, and with extern "C" to prevent C++ name mangling.

One method to load this DLL into a process is to use the rundll32 command (since I'm doing this demo on Windows 10, I'm using the 64-bit version of my DLL):

[screenshot: rundll32 run with only the path of the DLL]

No message box is displayed: the DLL was not loaded.
The reason is that rundll32 requires you to specify an exported function that it needs to call.

With dumpbin, we can get an overview of the exported functions of a DLL:

[screenshot: dumpbin /exports output for the demo DLL]

We can specify the name of the exported function we want to call like this:

[screenshot: rundll32 called with the DLL path and ExportedFunction]

We can see the message box from the entrypoint, and then the message box from the exported function we called:

[screenshot: "Hello from DllMain" message box followed by "Hello from ExportedFunction" message box]

This means that the DLL was loaded into the rundll32 process, and that the called function was executed.

Exported functions have an ordinal too (a number to identify exported functions), and that number can be used too to specify the function, like this:

[screenshot: rundll32 called with the DLL path and the ordinal of the function; the "Hello from ExportedFunction, DemoDll" message box is displayed]

If we use rundll32 with a function that is not exported by the DLL, then the DLL is loaded:

[screenshot: "Hello from DllMain" message box]

rundll32 will display an error because it could not find the exported function:

[screenshot: rundll32 error dialog "Missing entry"]

But as we could see, the DLL got loaded.

Despite what the name would make you think (rundll32), the version of rundll32 I used is a 64-bit executable, and that's why I used a 64-bit DLL. 32-bit DLLs have to be loaded into 32-bit processes, and 64-bit DLLs into 64-bit processes. However, rundll32 will start a "proxy" process if you mix bitness, so that DLLs will always be loaded. Let's look at the 4 possible combinations.

64-bit rundll32 with 32-bit DLL:

[screenshot: "Hello from DllMain, DemoDll" message box]

Taking a look with Process Explorer, we see that 64-bit rundll32 started 32-bit rundll32 to load the 32-bit DLL:

[Process Explorer screenshot: a 64-bit rundll32.exe process with a 32-bit rundll32.exe child process; the child has the 32-bit DLL and the C:\Windows\SysWOW64 system DLLs loaded]

64-bit rundll32 with 64-bit DLL:

[screenshot: "Hello from DllMain, DemoDll" message box]

In this case, there is no need for a "proxy" process:

[Process Explorer screenshot: a single 64-bit rundll32.exe process with the 64-bit DLL and the C:\Windows\System32 system DLLs loaded]

32-bit rundll32 with 32-bit DLL:

[screenshot: "Hello from DllMain, DemoDll" message box]

In this case too, there is no need for a "proxy" process:

[Process Explorer screenshot: a single 32-bit rundll32.exe process with the 32-bit DLL and the C:\Windows\SysWOW64 system DLLs loaded]

And finally, 32-bit rundll32 with 64-bit DLL:

[screenshot: "Hello from DllMain, DemoDll" message box]

Here we see that 32-bit rundll32 started 64-bit rundll32 to load the 64-bit DLL:

[Process Explorer screenshot: a 32-bit rundll32.exe process with a 64-bit rundll32.exe child process; the child has the 64-bit DLL and the C:\Windows\System32 system DLLs loaded]

The following is another method:

rundll32 shell32.dll,Control_RunDLL C:\Demo\DemoDLL-64-bit.dll

You have to provide an absolute path.

regsvr32 is a tool to register ActiveX objects on machines. By default, regsvr32 will load the DLL and call exported function DllRegisterServer. Since function DllRegisterServer is not exported by the demo DLL, we get an error:

[screenshot: regsvr32 error dialog: The module "DemoDLL-64-bit.dll" was loaded but the entry-point DllRegisterServer was not found. Make sure that "DemoDLL-64-bit.dll" is a valid DLL or OCX file and then try again.]

But the DLL was loaded.

If we export a function named DllR

[Process Explorer screenshot]
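Two facts carry this whole post: the export table (which dumpbin lists, with names and ordinals, and which rundll32 and regsvr32 search for the entry they were told to call) and the machine type in the PE header (which decides whether rundll32 must start a "proxy" process of the other bitness). The following Python script is an added example and is not code from the post or from Didier Stevens. It parses both pieces of information straight from the file layout, mapping RVAs through the section table the way the Windows loader does. Since it has to run offline, build_demo_pe() constructs a minimal PE image in memory as a stand-in for the demo DLL (constructed data, not a real DLL); that builder, the function names, and the fake code RVAs it writes are all assumptions of this example, not a Windows API.

```python
# Added example, not code from the post: a minimal PE export-table reader (what
# dumpbin /exports shows) plus the machine-type check behind rundll32's "proxy" process.
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit DLL
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_headers(data):
    """Return (machine, section table, export directory RVA) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (112 if magic == PE32PLUS_MAGIC else 96)  # data directories; entry 0 = exports
    export_rva = struct.unpack_from("<I", data, dd_off)[0]
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))
    return machine, sections, export_rva


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset through the section table."""
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def pe_bitness(data):
    """32 or 64 from IMAGE_FILE_HEADER.Machine; a DLL only loads into a host of the same bitness."""
    machine = parse_headers(data)[0]
    bits = {IMAGE_FILE_MACHINE_I386: 32, IMAGE_FILE_MACHINE_AMD64: 64}.get(machine)
    if bits is None:
        raise ValueError("unsupported machine type 0x%04x" % machine)
    return bits


def pe_exports(data):
    """List (ordinal, name) pairs; name is None for exports without a name."""
    _, sections, export_rva = parse_headers(data)
    if export_rva == 0:
        return []  # no export table at all (rundll32 cannot call anything in it)
    off = rva_to_offset(export_rva, sections)
    (_, _, _, _, _, base, nfuncs, nnames,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, off)
    names = {}
    for i in range(nnames):  # name table entry i pairs with ordinal-index table entry i
        name_rva = struct.unpack_from("<I", data, rva_to_offset(names_rva, sections) + 4 * i)[0]
        index = struct.unpack_from("<H", data, rva_to_offset(ords_rva, sections) + 2 * i)[0]
        start = rva_to_offset(name_rva, sections)
        names[index] = data[start:data.index(b"\0", start)].decode("ascii")
    exports = []
    for i in range(nfuncs):
        func_rva = struct.unpack_from("<I", data, rva_to_offset(funcs_rva, sections) + 4 * i)[0]
        if func_rva:  # zero marks an unused slot in the address table
            exports.append((base + i, names.get(i)))
    return exports


def find_export(data, entry):
    """Resolve a name or '#ordinal' like rundll32's <dll>,<entry>; None when missing."""
    for ordinal, name in pe_exports(data):
        if entry == name or entry == "#%d" % ordinal:
            return ordinal, name
    return None


def rundll32_needs_proxy(host_bits, data):
    """rundll32 starts the other-bitness rundll32 when the DLL does not match its host."""
    return pe_bitness(data) != host_bits


def build_demo_pe(machine, export_names, dll_name=b"DemoDll.dll"):
    """Constructed stand-in for the demo DLL: valid headers plus a single .edata section."""
    is64 = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size, sec_rva, sec_raw, n = (0xF0 if is64 else 0xE0), 0x1000, 0x200, len(export_names)
    funcs, names, ords, strs = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n  # offsets inside .edata
    blob, name_rvas = bytearray(), []
    for nm in export_names:
        name_rvas.append(sec_rva + strs + len(blob))
        blob += nm.encode("ascii") + b"\0"
    dll_rva = sec_rva + strs + len(blob)
    blob += dll_name + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_rva, 1, n, n,
                        sec_rva + funcs, sec_rva + names, sec_rva + ords)
    edata += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # fake code RVAs
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i in range(n)) + bytes(blob)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x2002)  # EXECUTABLE | DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if is64 else PE32_MAGIC)
    struct.pack_into("<II", opt, 112 if is64 else 96, sec_rva, len(edata))  # export data directory
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), sec_rva, len(edata), sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return hdr + b"\0" * (sec_raw - len(hdr)) + edata
```

Against a real file, pe_exports(open(path, "rb").read()) gives the same (ordinal, name) pairs dumpbin prints, and find_export(data, "DllRegisterServer") returning None is exactly the condition behind the regsvr32 error shown above: the DLL is loaded (DllMain runs) before the entry point lookup fails. rundll32_needs_proxy(64, data) reproduces the four bitness combinations from the post: a mismatch is what makes the 64-bit rundll32 spawn a 32-bit one, or the reverse.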
