Giter Club home page Giter Club logo

Comments (6)

hasherezade avatar hasherezade commented on June 2, 2024 1

ah, I just noticed right now: you used load_pe_module - this function doesn't load imports:

    /**
    Reads PE from the given buffer into memory and maps it into vitual format.
    (Automatic raw to virtual conversion).
    If the executable flag is true, the PE file is loaded into executable memory.
    If the relocate flag is true, applies relocations. Does not load imports.
    Automatically allocates buffer of the needed size (the size is returned in outputSize). The buffer can be freed by the function free_pe_buffer.
    */
    BYTE* load_pe_module(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, bool executable, bool relocate);

you should use another variant from the API: load_pe_executable:

    /**
    Loads full PE from the raw buffer in a way in which it can be directly executed: remaps to virual format, applies relocations, loads imports.
    Allows for supplying custom function resolver.
    */
    BYTE* load_pe_executable(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, t_function_resolver* import_resolver=NULL);

...and then everything should be fine.
NTDLL is a special case that doesn't have any imports, that's why both ways it will work.
Either way, I strongly recommend you using the template, rather than modifying test cases.

from libpeconv.

hasherezade avatar hasherezade commented on June 2, 2024

hi!
can you share the exact builds of the library that you are using? I will check.
you can drop them here as an attachment.

from libpeconv.

hasherezade avatar hasherezade commented on June 2, 2024

Check if those builds work for you:
DllShellSample_builds.zip

from libpeconv.

11philip22 avatar 11philip22 commented on June 2, 2024

hi!
can you share the exact builds of the library that you are using? I will check.
you can drop them here as an attachment.

These are the files that i'm trying to load.
dll.zip

Check if those builds work for you:
DllShellSample_builds.zip

Sadly i'm getting the same results
exception2

I also forgot to mention that i had to put some casts at line 11, 22 and 23 in hooks.cpp to make it compile in visual studio.
cast
I ran this snippet from your ntdll test to make sure libpeconv still works after applying those casts.

#include <Windows.h>

#include <peconv.h>

int(_cdecl* ntdll_tolower) (int) = NULL;

int main()
{
    size_t v_size = 0;
    BYTE* ntdll_module = peconv::load_pe_module("C:\\Windows\\system32\\ntdll.dll", v_size, true, true);
    if (!ntdll_module) {
        return -1;
    }

    bool is64 = peconv::is64bit(ntdll_module);
    std::cout << "NTDLL loaded" << is64 << std::endl;
    FARPROC n_offset = peconv::get_exported_func(ntdll_module, (LPSTR)"tolower");
    if (n_offset == NULL) {
        return -1;
    }

    std::cout << "Got tolower: " << n_offset << std::endl;
    ntdll_tolower = (int(_cdecl*) (int)) n_offset;
    int out = ntdll_tolower('C');
    std::cout << "To lower char: " << (char)out << std::endl;
}

result
And it apears to work correctly

from libpeconv.

hasherezade avatar hasherezade commented on June 2, 2024

Something is odd. I tested the builds that I shared with you ( dll.zip ) and they both loaded fine with libpeconv.
Maybe something is wrong with your loader? Try to use this ready made template: https://github.com/hasherezade/libpeconv_tpl and just change the loaded function prototype...
I will check your builds in the meanwhile.

from libpeconv.

11philip22 avatar 11philip22 commented on June 2, 2024

Yay! I got it to work! Thanks for your help. Everything works as expected with load_pe_executable. Here is the src if you are interested:

#include <Windows.h>

#include <peconv.h>
#include "Payload.h"

//typedef int (*moduleMainProc)();
int(_cdecl* moduleMain) () = NULL;

int main()
{
	size_t v_size = 0;
	BYTE* payloadModule = peconv::load_pe_executable(
		payload,
		sizeof(payload),
		v_size
	);
	if (!payloadModule) {
		return -1;
	}

	bool is64 = peconv::is64bit(payloadModule);
	FARPROC nOffset = peconv::get_exported_func(payloadModule, (LPSTR)"main");
	if (nOffset == nullptr) {
		return -1;
	}

	//int (*loaded_pe_entry)(void) = (int (*)(void)) nOffset;
	//int ret = loaded_pe_entry();
	//return ret;
	
	moduleMain = (int(_cdecl*) ()) nOffset;
	return moduleMain();
}

Too bad bad windows defender flags it as wacatac but i think that's the case with everything that loads a PE. i think turning it into another DLL will fix that haha.
Anyways thanks a lot for the help :)

from libpeconv.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.