Comments (6)
ah, I just noticed right now: you used load_pe_module - this function doesn't load imports:
/**
Reads PE from the given buffer into memory and maps it into virtual format.
(Automatic raw to virtual conversion).
If the executable flag is true, the PE file is loaded into executable memory.
If the relocate flag is true, applies relocations. Does not load imports.
Automatically allocates buffer of the needed size (the size is returned in outputSize). The buffer can be freed by the function free_pe_buffer.
*/
BYTE* load_pe_module(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, bool executable, bool relocate);
you should use another variant from the API: load_pe_executable:
/**
Loads full PE from the raw buffer in a way in which it can be directly executed: remaps to virtual format, applies relocations, loads imports.
Allows for supplying custom function resolver.
*/
BYTE* load_pe_executable(BYTE* dllRawData, size_t r_size, OUT size_t &v_size, t_function_resolver* import_resolver=NULL);
...and then everything should be fine.
NTDLL is a special case that doesn't have any imports, that's why both ways it will work.
Either way, I strongly recommend using the template, rather than modifying test cases.
from libpeconv.
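The difference the comment above describes (an IAT that load_pe_module leaves unresolved versus one that load_pe_executable fills in, and a module like ntdll that has no import table at all) as an added Python example; this is not code from the thread or from libpeconv. It builds a constructed, minimal PE32+ image in virtual layout and walks its import table, so the offsets, the kernel32.dll!GetProcAddress import and any address the resolver returns are made up for the demonstration.

```python
import struct

def _layout(img):
    """(thunk struct format, offset of the import DataDirectory entry) read from the headers."""
    opt = struct.unpack_from("<I", img, 0x3C)[0] + 24       # e_lfanew + "PE\0\0" + COFF header
    plus = struct.unpack_from("<H", img, opt)[0] == 0x20B   # PE32+ has 8-byte thunks
    return ("<Q" if plus else "<I"), opt + (112 if plus else 96) + 8  # DataDirectory[1] = imports

def build_sample_image(with_imports=True):
    """Constructed PE32+ image in virtual layout (RVA == offset); with_imports=False mimics ntdll."""
    img = bytearray(0x300)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    struct.pack_into("<H", img, 0x54, 0xF0)                 # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x20B)                # PE32+ magic
    if with_imports:
        struct.pack_into("<II", img, _layout(img)[1], 0x200, 40)            # import dir RVA, size
        struct.pack_into("<IIIII", img, 0x200, 0x240, 0, 0, 0x270, 0x260)  # one descriptor + null one
        struct.pack_into("<QQ", img, 0x240, 0x280, 0)       # OriginalFirstThunk: hint/name RVA
        struct.pack_into("<QQ", img, 0x260, 0x280, 0)       # FirstThunk (IAT): still the same RVA
        img[0x270:0x27D], img[0x280:0x291] = b"kernel32.dll\0", b"\0\0GetProcAddress\0"
    return img

def walk_imports(img):
    """Yield (dll, func, name_rva, iat_offset, iat_value) for every by-name import."""
    fmt, dd = _layout(img)
    rva, size = struct.unpack_from("<II", img, dd)
    step = struct.calcsize(fmt)
    while rva and size:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", img, rva)
        if not (oft or ft): return                          # all-zero descriptor ends the table
        dll = img[name_rva:img.index(b"\0", name_rva)].decode()
        for i in range(1 << 16):
            name_ref = struct.unpack_from(fmt, img, oft + i * step)[0]
            if not name_ref: break
            func = img[name_ref + 2:img.index(b"\0", name_ref + 2)].decode()
            yield dll, func, name_ref, ft + i * step, struct.unpack_from(fmt, img, ft + i * step)[0]
        rva += 20

def import_state(img):
    """'none' (like ntdll), 'unresolved' (as load_pe_module leaves it), 'resolved' (as load_pe_executable) or 'mixed'."""
    states = {"unresolved" if iat == ref else "resolved" for *_, ref, _, iat in walk_imports(img)}
    return states.pop() if len(states) == 1 else ("none" if not states else "mixed")

def resolve_imports(img, resolver):
    """The step load_pe_executable adds: overwrite each IAT slot with resolver(dll, func) -> address."""
    fmt, out = _layout(img)[0], bytearray(img)
    for dll, func, _, off, _ in walk_imports(img):
        struct.pack_into(fmt, out, off, resolver(dll, func))
    return out
```

Calling into a module whose IAT is still in the "unresolved" state is exactly what goes wrong when a DLL with imports is mapped with load_pe_module; ordinal and bound imports are outside what this toy parser handles.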
hi!
can you share the exact builds of the library that you are using? I will check.
you can drop them here as an attachment.
Check if those builds work for you:
DllShellSample_builds.zip
These are the files that I'm trying to load.
dll.zip
Sadly I'm getting the same results.
I also forgot to mention that I had to put some casts at line 11, 22 and 23 in hooks.cpp to make it compile in Visual Studio.
I ran this snippet from your ntdll test to make sure libpeconv still works after applying those casts.
#include <Windows.h>
#include <iostream>
#include <peconv.h>

// Prototype of the export we resolve from the manually mapped ntdll.
int(_cdecl* ntdll_tolower) (int) = NULL;

int main()
{
    size_t v_size = 0;
    // Reads the file and maps it into virtual format (executable, relocated); imports are not loaded.
    BYTE* ntdll_module = peconv::load_pe_module("C:\\Windows\\system32\\ntdll.dll", v_size, true, true);
    if (!ntdll_module) {
        return -1;
    }
    bool is64 = peconv::is64bit(ntdll_module);
    std::cout << "NTDLL loaded, is64: " << is64 << std::endl;
    // Look up the export by name in the mapped module.
    FARPROC n_offset = peconv::get_exported_func(ntdll_module, (LPSTR)"tolower");
    if (n_offset == NULL) {
        peconv::free_pe_buffer(ntdll_module);
        return -1;
    }
    std::cout << "Got tolower: " << n_offset << std::endl;
    ntdll_tolower = (int(_cdecl*) (int)) n_offset;
    int out = ntdll_tolower('C');
    std::cout << "To lower char: " << (char)out << std::endl;
    peconv::free_pe_buffer(ntdll_module);
    return 0;
}
And it appears to work correctly
Something is odd. I tested the builds that I shared with you (dll.zip) and they both loaded fine with libpeconv.
Maybe something is wrong with your loader? Try to use this ready-made template: https://github.com/hasherezade/libpeconv_tpl and just change the loaded function prototype...
I will check your builds in the meanwhile.
Yay! I got it to work! Thanks for your help. Everything works as expected with load_pe_executable. Here is the src if you are interested:
#include <Windows.h>
#include <peconv.h>
#include "Payload.h"   // provides the raw DLL bytes as a BYTE payload[] array

// Prototype of the export we call in the loaded module.
int(_cdecl* moduleMain) () = NULL;

int main()
{
    size_t v_size = 0;
    // Maps the raw PE into virtual format, applies relocations and loads imports.
    BYTE* payloadModule = peconv::load_pe_executable(
        payload,
        sizeof(payload),
        v_size
    );
    if (!payloadModule) {
        return -1;
    }
    // Look up the exported entry point by name.
    FARPROC nOffset = peconv::get_exported_func(payloadModule, (LPSTR)"main");
    if (nOffset == nullptr) {
        peconv::free_pe_buffer(payloadModule);
        return -1;
    }
    moduleMain = (int(_cdecl*) ()) nOffset;
    int ret = moduleMain();
    peconv::free_pe_buffer(payloadModule);
    return ret;
}
Too bad Windows Defender flags it as wacatac but I think that's the case with everything that loads a PE. I think turning it into another DLL will fix that haha.
Anyways thanks a lot for the help :)