|
I wrote such a piece of code and it's surprisingly short. It has many drawbacks you might not spot at first sight, but here is a list that came to my mind from the time I played with this: some module-related features won't work because your DLL doesn't have a valid Windows HMODULE/HINSTANCE handle, so you can't easily use, for example, resources; your library won't receive DLL_THREAD_ATTACH/DETACH events; you have to write your own GetProcAddress(). You can also use resources (for example dialogs) if you write your own FindResource() and you use CreateDialogIndirect() instead of CreateDialog(); a lot of resources have an "indirect" version, fortunately. To sum it up: it's a pain in the ass to load your library "manually", but it's fun to experiment with it, and it can hide a "hack" very well in the process space. With this load method you can skip loading the DLL PE header, which makes things harder to detect even for memory sweeps; that's why we used it.
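The detection side of the point about memory sweeps, as an added example that is not part of the original post: a sweep that looks for a PE header misses an image loaded without one, while a sweep on region attributes still flags it. It assumes the manually loaded image sits in private memory (as returned by VirtualAlloc); `struct region`, the function names and the sample regions are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Windows SDK (winnt.h), redefined so this builds without windows.h. */
#define MEM_COMMIT             0x00001000u
#define MEM_PRIVATE            0x00020000u
#define MEM_IMAGE              0x01000000u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define EXEC_MASK              0xF0u /* PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY */

/* Hypothetical record: State, Type and Protect as a sweep would copy them from
   MEMORY_BASIC_INFORMATION, plus the first two bytes read from the region. */
struct region { uint32_t state, type, protect; uint8_t head[2]; };

/* Signature sweep: a PE header ("MZ") in memory the Windows loader did not map. */
int signature_hit(const struct region *r) {
    return r->state == MEM_COMMIT && r->type != MEM_IMAGE &&
           r->head[0] == 'M' && r->head[1] == 'Z';
}

/* Attribute sweep: committed executable pages not backed by an image section.
   JIT engines allocate such pages too, so a hit is a triage signal, not a verdict. */
int attribute_hit(const struct region *r) {
    return r->state == MEM_COMMIT && r->type != MEM_IMAGE &&
           (r->protect & EXEC_MASK) != 0;
}

/* Constructed sample regions, not captured from a real process. */
const struct region SAMPLES[] = {
    { MEM_COMMIT, MEM_IMAGE,   PAGE_READONLY,          { 'M', 'Z' } }, /* LoadLibrary image */
    { MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE, { 'M', 'Z' } }, /* manual, header kept */
    { MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READ,      { 0, 0 } },     /* manual, header skipped */
    { MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE,         { 0, 0 } },     /* ordinary heap data */
};

/* Count how many of the n regions the chosen sweep flags. */
int count_hits(const struct region *rs, size_t n, int (*sweep)(const struct region *)) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += sweep(&rs[i]) ? 1 : 0;
    return hits;
}

int main(void) {
    printf("signature: %d, attribute: %d\n", count_hits(SAMPLES, 4, signature_hit), count_hits(SAMPLES, 4, attribute_hit));
    return 0;
}
```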
|
|
|
|
|
I'm honored to meet someone who actually implemented this. I once looked into it and I was totally intimidated.
Your list of features that won't work is precisely why I didn't pursue it.
But maybe when I have more time I would experiment with it......
The difficult we do right away...
...the impossible takes slightly longer.
|
|
|
|
|
Just looked up my sources and I am thinking about posting up the sources here. I have a similar module hacking related short tip/trick whose rating is almost a 5. For this reason I think that some people might be interested in this stuff, but I am lazy to write a full-fledged article. What about posting up a few tips with short intro + sources? For example one for the FindResource, and another with the DLL loading.
|
|
|
|
|
pasztorpisti wrote: What about posting up a few tips with short intro + sources?
I would vote that a 5 many times over.
|
|
|
|
|
OK, then I'll post the sources as tips; it will serve well for PE divers at least as a tutorial or reference. It's easier to find out things even by debugging this code than starting from zero.
|
|
|
|
|
|
Thanks! Unfortunately I'm not one of the chosen ones. I'll have to wait til it's approved, I'm afraid.
|
|
|
|
|
OK, will repost it when it's done!
|
|
|
|
|
|
Great!
|
|
|
|
|
Falconapollo wrote: Some companies ask for other ways to load Dynamic-Link Libraries (besides explicit and implicit) in their interviews.
But I wonder whether other ways to load Dynamic-Link Libraries exist?
Excluding evidence to the contrary I would say that you covered all of the possibilities.
Have you considered the possibility that those "companies" (presumably actually certain individuals) are wrong? Did they explain their answer to you so perhaps you could paraphrase what they said?
|
|
|
|
|
Maybe you are right.
How about the DLL Injection and API Hooking which are mentioned in Chapter 22 of
Windows via C/C++, Fifth Edition by Jeffrey Richter and Christophe Nasarre?
It seems to be another way to use a DLL.
But I'm not sure.
|
|
|
|
|
DLL Injection is simply a way to invoke explicit linking (calling LoadLibrary).
|
|
|
|
|
I have an app that has worked for YEARS. Flawlessly. <insert demons here>
It does a lot of file processing. On my laptop, it fails to open certain files. I catch the exception, and the reason is 0 (no error). My laptop - W7 Pro.
My laptop Xp Pro VM: fail.
On the "golden" laptop, it works fine. Xp Pro.
Assorted other machines - fail.
I copied the source from the golden machine, built it, FAIL.
Copied the binary off the golden machine to mine: FAIL.
-----
The only wildcard I can think of is that some update has broken something, but that is surely digging deep.
------
Any wild ass ideas or random thoughts?
Charlie Gilley
You're going to tell me what I want to know, or I'm going to beat you to death in your own house.
"Where liberty dwells, there is my country." B. Franklin, 1783
“They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” BF, 1759
|
|
|
|
|
charlieg wrote: Any wild ass ideas or random thoughts?
Yes, something is going wrong somewhere.
You really need to do some debugging and provide some more specific technical information for anyone to be able to offer any suggestions.
One of these days I'm going to think of a really clever signature.
|
|
|
|
|
Understood.
Charlie Gilley
|
|
|
|
|
charlieg wrote: fail
doesn't mean anything except to you that can see the system, code and the error messages.
Why is common sense not common?
Never argue with an idiot. They will drag you down to their level where they are an expert.
Sometimes it takes a lot of work to be lazy
Please stand in front of my pistol, smile and wait for the flash - JSOP 2012
|
|
|
|
|
Wes - sorry, the context of the "fail" is simply opening a new file. The open fails, but no error data is returned.
Charlie Gilley
|
|
|
|
|
Does GetLastError return anything?
|
|
|
|
|
Yep. 0 (or no problem). Real bizarre.
Charlie Gilley
|
|
|
|
|
are those files in restricted areas? does your account have access to them?
|
|
|
|
|
The files are in an area that I'll call the release area - the same place they have been for 5+ years. It's a specific folder in our development tree on my C drive.
Charlie Gilley
|
|
|
|
|
File access is the first thing I checked.
The app uses CFile, and I catch the exception when the open fails - the error code is a 0 (no problems). An article I read suggested that MFC was doing something deep down inside and resetting the error code before the exception processing (also within MFC) could grab it. So, I stepped through MFC, caught the file open failure - status is 0.
It's just not making any sense.
As far as providing more information, that's the hard part - I'm not getting anything back from the OS (W7 or Xp).
Since the application used to work flawlessly, I'm wondering if some Windows update nuked something. But I have a hard time going there. Has anyone had that happen to them - an update killing an application?
Charlie Gilley
|
|
|
|
|
charlieg wrote: Has anyone had that happen to them - an update killing an application?
Yes! MS update nuked the Synaptics touchpad driver for the missus' netbook. Was working just fine. Went to sleep, woke up to discover an update had been applied and the machine had been reset to complete installation. After that, the touchpad was non-responsive. (Win XP)
Hmm, must fix that - thanks for the reminder.
|
|
|
|
|
lol, glad I could help
Charlie Gilley
|
|
|
|