justasmasiulis / lazy_importer Goto Github PK

I cant find a way to use LI_FN on InternetOpenA, it always crashes or loops forever looking for it, even when giving it the module to search

hi i'm trying to use with DefWindowProcA but i crash
this is the code:
LI_FN( LoadLibraryA )( "User32.dll" ); return LI_FN( DefWindowProcA ).in( LI_MODULE( "User32.dll" ).get( ) )( window, message, wparam, lparam );

Hello,

I've mentioned this before and I am fully aware this is not the scope of the project, however I will ask the question again as I am sure many others face the same issue. It seems that quite a few AV vendors created patterns that detect both lazy_importer and xorstr somehow as "virus".

It really doesn't matter if your .exe is x86 or x64, console or UI, has version/checksum, etc; they will still detect it. Most detected files are .dll's unfortunately. It's a real bummer.

Is there / do you have some ideas on how could one improve on this? Perhaps give the user the option to set some sort of "seed" and created obfuscation based on that? So each build / project would have unique "patterns". Idk.

Many thanks

Is it possible to improve LI_MODULE to allow usage of packers ? Packers allow you to encrypt the strings, and most of them are "const char *".

Tried casting to this, but LI_MODULE does not allow to do so.

Any suggestions/solution ?

Thanks

A nice improvement idea, upon compile time the library could do some extra work and check if function exists in specific dll, if not stop compile. This would prevent crash upon runtime if function does not exist.

Because this would cause some extra time/work when compiling, we could have a list of "common" functions exported in "common" dll's like kernel32.dll, ntdll.dll, etc.

What do you think ?

I use:
DWORD64 ntdllbase = (DWORD64)LI_MODULE_SAFE("ntdll.dll");
returns = 0;
what's wrong?

When i try LI_FN with HeapAlloc i get an exception:

    ULONG cbBuffer = 131072;
    PVOID pBuffer = NULL;
    NTSTATUS Status = STATUS_INFO_LENGTH_MISMATCH;
    HANDLE hHeap = LI_FN(GetProcessHeap)();
    tNTQSI fpQSI = (tNTQSI)GetProcAddress(LI_FN(GetModuleHandleA)("ntdll.dll"), "NtQuerySystemInformation");

    pBuffer = LI_FN(HeapAlloc)(hHeap, HEAP_ZERO_MEMORY, cbBuffer);

Based on #40
I tried this:

    auto Kernel32DLL = LoadLibrary(L"Kernel32.dll");
    //auto Kernel = GetProcAddress(GetModuleHandleA("kernel32.dll"), "HeapAlloc");
    pBuffer = LI_FN(HeapAlloc).in(LI_MODULE("Kernel32.dll").cached())(hHeap, HEAP_ZERO_MEMORY, cbBuffer);

But the program has frozen.

cached indicates that the result is only computed during the first call and later reused.
Non caching functions do not leave anything in data sections.

When should I use the cached version?
When the API is called constantly in a short period of time?

Hi, idk what i am doing wrong but i tried to use printf with Lazy Importer but it crashes is there any other way to print into the console or am i doing something wrong? Thanks.

Exception thrown at 0x00007FF63F531554 in test.exe: 0xC0000005: Access violation reading location 0x000000000000003C.

code:
LI_FN(printf)("%s\n", "Hi Test!");

I use Lazy to hide imports in my dll (which I inject into other process), but not a single line of code is executed after calling LI_FN.

So you have introduced the .safe() method which returns 0 on failed operation, however how could I test this ? I tried different ways, but for example if I rename module I get an exception, if I rename to fake function it will say undefined and so on.

I need to test this for failure and see if it returns 0 upon failure, however I see "static void" template so I cannot understand how it returns 0 ?

Can you please give me an example ?

Hi @JustasMasiulis i encountered a weird issue when I tried out your project.

When I try this, cache doesnt return:

//  cache doesent return, msg box doesent
LI_FN(MessageBoxA).in(LI_MODULE("user32.dll").cached())(nullptr, "Im hidden in imports", "Lazy Importer Test", MB_OK);

However, when I add a second MessageBoxA under it both work all of the sudden:

//  cache returns, both msg boxes work
LI_FN(MessageBoxA).in(LI_MODULE("user32.dll").cached())(nullptr, "Im hidden in imports", "Lazy Importer Test", MB_OK);
MessageBoxA(nullptr, "Im hidden in imports", "Lazy Importer Test", MB_OK); // ofc in imports

I tried other winapi calls and the same problem occured, unless with OutputDebugMessage.
I just keep having the same issue, I tried to use get() but an exception is thrown that base is nullptr (ln 355):

//  crashed because of nullptr base
LI_FN(MessageBoxA).get()(nullptr, "Im hidden in imports", "Lazy Importer Test", MB_OK);

I dont understand what I am doing wrong.

Do i need to do something extra ? This is the only call being made inside the program.
result = LI_FN(SetWindowsHookExW)(3, (HOOKPROC)fn, hModule1, tid);

some dll use another dll export,if get function address,a string address make crash.

with
#define LAZY_IMPORTER_CASE_INSENSITIVE
and
#define LAZY_IMPORTER_RESOLVE_FORWARDED_EXPORTS

Windows 10 + VisualStudio 2019

Hello
How i can use this library for hide CreateDevice?

if (pD3D->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, hwnd, D3DCREATE_HARDWARE_VERTEXPROCESSING, &g_d3dpp, &g_pd3dDevice) < 0) { pD3D->Release(); return 0; }

implement newly designed API which would reduce the number of macros to 3.
something along the lines of:

struct placeholder_name {
    T get();
    T safe();
    T cached();
    T cached_safe();
};

Would be used for modules, imports and such.

lol

doing LI_FN(CreateThread)(NULL,0,myThread,0,0,NULL);
causes this:

'decltype(auto)': cannot deduce type for 'auto' from 'HANDLE'

'HANDLE (LPSECURITY_ATTRIBUTES,SIZE_T,LPTHREAD_START_ROUTINE,LPVOID,DWORD,LPDWORD)': cannot convert argument 1 from '_Ty' to 'LPSECURITY_ATTRIBUTES'

'HANDLE (LPSECURITY_ATTRIBUTES,SIZE_T,LPTHREAD_START_ROUTINE,LPVOID,DWORD,LPDWORD)': cannot convert argument 4 from '_Ty' to 'LPVOID'	

'HANDLE (LPSECURITY_ATTRIBUTES,SIZE_T,LPTHREAD_START_ROUTINE,LPVOID,DWORD,LPDWORD)': cannot convert argument 6 from '_Ty' to 'LPDWORD'

'li::detail::lazy_function<1621917241,HANDLE (__stdcall *)(LPSECURITY_ATTRIBUTES,SIZE_T,LPTHREAD_START_ROUTINE,LPVOID,DWORD,LPDWORD)>::operator ()': a function that returns 'decltype(auto)' cannot be used before it is defined

changing it into
LI_FN(CreateThread).in(LI_MODULE("kernel32.dll").cached())(NULL, 0, myThread, 0, 0, NULL);
compiles properly, but it freezes the program upon execution

LI_MODULE("ms-win-core-synch-l1-2-0.dll")
returns 0 when GetModuleHandleW returns valid PTR

Maybe this is due to the fact that the module is loaded using Widechar?
Or GetModuelHandleW somehow loading module, and LazyImporter not?
I tried to LoadLibrary before LI_MODULE, but it didn't help

Screenshot of import table

My code (kernel32 works perfectly):

p.s.

p.s.s.: already tried LazyImporter options like case sensetive

LLVM 16.0.6
C++ 20
line 7 generates a null pointer

#include <Windows.h>
#define LAZY_IMPORTER_HARDENED_MODULE_CHECKS
#define LAZY_IMPORTER_NO_CPP_FORWARD
#include "lazy_importer.hpp"

int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow) {
    auto liMessageBoxW = LI_FN(MessageBoxW).safe();
    if (liMessageBoxW == nullptr)
        return 1;
    liMessageBoxW(nullptr, L"Hello World!", L"Hello World!", MB_OK);
}

program freezes on line 7

#include <Windows.h>
#define LAZY_IMPORTER_HARDENED_MODULE_CHECKS
#define LAZY_IMPORTER_NO_CPP_FORWARD
#include "lazy_importer.hpp"

int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow) {
    auto user32 = LI_MODULE("user32.dll").cached();
    DebugBreak();
    auto liMessageBoxW = LI_FN(MessageBoxW).in_safe(user32);
    if (liMessageBoxW == nullptr)
        return 1;
    liMessageBoxW(nullptr, L"Hello World!", L"Hello World!", MB_OK);
}

Hello

I'm using Windows 10.
Visual Studio 2017 Ent. I'm using x64
When compiling the project:
http://prntscr.com/ltdurm
I'm getting the error and what may be missing.

I stumbled on this, my app was crashing for no reason. Until I discovered that "StrFormatByteSizeW" was not loading with lazy impoter...

Function is part of Shlwapi.dll.

Any idea why ?

Using this LI_FN(D2D1CreateFactory)(D2D1_FLAGS, FactoryOptions, &d2d_factoryPtr); leads me to this compiler output:
C++ Unable to determine which instance of D2D1CreateFactory is intended.
The Direct2D system library provides 4 overloaded versions for the D2D1CreateFactory function, how can I choose the right one for the LI_FN macro?
Thanks

How to use this project with https://github.com/ITHare/obf ?

The compiler complains about missing intrin.h, needed for the __readgsqword() calls.
intrin.h is available for Windows with msvc and mingw.

If more info is needed I wold be happy to help.

I have a question about the behavior of this library. While testing it, I observed that attempting to 'import' functions from modules not loaded into the current memory space results in failure. This behavior seems aligned with the library's apparent reliance on enumerating modules within the PEB's LDR.

Does this library have the capability to implicitly or explicitly load modules into the process memory space, or if manual usage of LoadLibrary required for this purpose?

https://github.com/JustasMasiulis/lazy_importer/blob/master/include/lazy_importer.hpp#L542

i = export_index ?

I have tried many things(example is memchr):
void* (*memchrPtr)(void*, int, size_t) = memchr;
const char* p = (const char*)LI_FN(memchrPtr)((void*)str, (int)c, str_end - str);

'type cast': cannot convert from 'void' to 'const char *'

it return void (this has nothing to do with void*, all types return void)

const char* p = (const char*)LI_FN_DEF(void* (*)(void*, int, size_t)))((void*)str, (int)c, str_end - str);
this should work, but I can't find document about it
and what if there are functions of the same type in same module

anyway thanks to contributors
LI works well in most cases

Calling LI_FIND(OpenProcessToken) will throw exception at:

LAZY_IMPORTER_FORCEINLINE const win::LDR_DATA_TABLE_ENTRY_T* ldr_data_entry() noexcept
    {
        return reinterpret_cast<const win::LDR_DATA_TABLE_ENTRY_T*>(
            ldr()->InLoadOrderModuleList.Flink);
    }

Any solution for this ? Function in Advapi32.dll

  HWND cant_put_null_sad = 0;
        LI_FN(MessageBoxA)(cant_put_null_sad, "HI", "aaaa", 0);
        LI_FN(MessageBoxA).in(LI_MODULE("user32.dll").cached())(NULL, "HI", "aaa", 0);

i tried both nothing works :(

Hey, can you try out the following project i created for this question: https://github.com/roll-cage/li_module_question
Please run it in Debug and x86.
Why can some dlls not be resolved by LI_MODULE but by GetModuleHandleA?
The output for me is the following:
77190000
00000000
77B80000
77B80000
7BAD0000
7BAD0000
7BA10000
00000000

#include <Windows.h>
#include "lazy_importer.hpp"

int main() {
	const auto shell32 = LI_MODULE("Shell32.dll").cached();
	const auto shellExecute = LI_FN(::ShellExecuteA).in(shell32);
	shellExecute(nullptr, "open", "explorer.exe", nullptr, nullptr, SW_SHOWNORMAL);

	return 0;
}

When i include Windows.h before lazy_importer then i have endless loop in "LI_MODULE" at

template<hash_t::value_type Hash>
struct lazy_module : lazy_base<lazy_module<Hash>> {
    template<class T = void*, class Enum = unsafe_module_enumerator>
    LAZY_IMPORTER_FORCEINLINE static T get() noexcept
    {
        Enum e;
        do { // here
            if (hash(e.value->BaseDllName) == Hash)
                return (T)(e.value->DllBase);
        } while (e.next());
        return {};
    }
};

if i include Windows.h after then it crash with "READ_ACCESS_MEMORY_EXCEPTION" in "LI_FN" at

template<class CharT = char>
LAZY_IMPORTER_FORCEINLINE hash_t::value_type hash(const CharT* str) noexcept
{
    hash_t::value_type value = hash_t::offset;

    for (;;) {            	
        char c = *str++; // here
        if (!c)
            return value;
        value = hash_t::single(value, c);
    }
}

What i do wrong?
I am using last updated VS 2019 at Windows 10 2004

I tried build with VS2019 and it's happens.

Code:
LI_FN(CreateDirectoryA)("NoMercy", NULL);

Full log:
2>CMake does not need to re-run because D:/Workspace/Anti/Current projects/NoMercyV2/_vsproj/Source/Client/PC/Windows/SDK/CXX/CMakeFiles/generate.stamp is up-to-date. 2>main.cpp 2>Utils.cpp 2>D:\Workspace\Anti\Current projects\NoMercyV2\Extern\include\lazy_importer.hpp(496): error C2664: 'BOOL (LPCSTR,LPSECURITY_ATTRIBUTES)': cannot convert argument 2 from '_Ty' to 'LPSECURITY_ATTRIBUTES' 2> with 2> [ 2> _Ty=int 2> ] (compiling source file D:\Workspace\Anti\Current projects\NoMercyV2\Source\Client\PC\Windows\SDK\CXX\src\main.cpp) 2>D:\Workspace\Anti\Current projects\NoMercyV2\Extern\include\lazy_importer.hpp(494): note: Conversion from integral type to pointer type requires reinterpret_cast, C-style cast or function-style cast (compiling source file D:\Workspace\Anti\Current projects\NoMercyV2\Source\Client\PC\Windows\SDK\CXX\src\main.cpp) 2>D:\Workspace\Anti\Current projects\NoMercyV2\Source\Client\PC\Windows\SDK\CXX\src\main.cpp(28): note: see reference to function template instantiation 'decltype(auto) li::detail::lazy_function<2965998675,BOOL (__cdecl *)(LPCSTR,LPSECURITY_ATTRIBUTES)>::operator ()<char*,int>(char *&&,int &&) const' being compiled 2>D:\Workspace\Anti\Current projects\NoMercyV2\Extern\include\lazy_importer.hpp(494): error C3169: 'decltype(auto)': cannot deduce type for 'auto' from 'BOOL' (compiling source file D:\Workspace\Anti\Current projects\NoMercyV2\Source\Client\PC\Windows\SDK\CXX\src\main.cpp) 2>D:\Workspace\Anti\Current projects\NoMercyV2\Source\Client\PC\Windows\SDK\CXX\src\main.cpp(28): error C3779: 'li::detail::lazy_function<2965998675,BOOL (__cdecl *)(LPCSTR,LPSECURITY_ATTRIBUTES)>::operator ()': a function that returns 'decltype(auto)' cannot be used before it is defined 2>D:\Workspace\Anti\Current projects\NoMercyV2\Extern\include\lazy_importer.hpp(493): note: see declaration of 'li::detail::lazy_function<2965998675,BOOL (__cdecl *)(LPCSTR,LPSECURITY_ATTRIBUTES)>::operator ()' 2>Done building project "NoMercy_CXX_SDK_x64.vcxproj" -- FAILED.

about WSASend/WSARecv winsock function.

Like the title said, "LI_MODULE" is doesn't not handle char* or const char* module name in MSVC.

https://godbolt.org/z/ZZbLJc

A lot of us would really like one..

LI needed for VM protection?
With force inline +10-15 sec for execution vm.

Tested on VMProtect.

This might be stupid question, but could we use this in kernel drivers ?

Thanks!

Current import functions crash the process on failure to find the requested data.

Hi, I tried to used LI_FIND in a class constructor but it exits instantly.

Is there anything we could regarding this ?

Thanks

kernel32.dll WIN10

static const char* pass_func[] =
{
"CreateRemoteThreadEx",
"DeleteProcThreadAttributeList",
"GetCurrentThreadStackLimits",
"GetOverlappedResultEx",
"GetProcessDefaultCpuSets",
"GetProcessMitigationPolicy",
"GetSystemCpuSetInformation",
"GetThreadDescription",
"GetThreadSelectedCpuSets",
"InitializeProcThreadAttributeList",
"IsProcessCritical",
"OpenProcessToken",
"OpenThreadToken",
"QueryProtectedPolicy",
"SetProcessDefaultCpuSets",
"SetProcessDynamicEHContinuationTargets",
"SetProcessMitigationPolicy",
"SetProtectedPolicy",
"SetThreadDescription",
"SetThreadSelectedCpuSets",
"SetThreadToken",
"UpdateProcThreadAttribute",
NULL
};

win10 32bit exe

LPWSTR name = NULL;
NETSETUP_JOIN_STATUS    net;
LI_FN(NetGetJoinInformation)((LPCWSTR)NULL, &name, &net);

Hi,

First of all, thank you for such a project.

When I try to use the DsRoleGetPrimaryDomainInformation API in Netapi32.dll I constantly get an Access Violation error.

I've given below the working sample code:

DSROLE_PRIMARY_DOMAIN_INFO_BASIC* inf;
DWORD dw;

dw = DsRoleGetPrimaryDomainInformation(NULL, DsRolePrimaryDomainInfoBasic, (PBYTE*)&inf);

if (dw != ERROR_SUCCESS) {
    std::cout << "NO";
}

I've given below the LI code with which I got the error:

auto mod = LoadLibraryA("Netapi32.dll");
printf("%p \n", mod);

auto func = LI_FN(DsRoleGetPrimaryDomainInformation).in(LI_MODULE("Netapi32.dll").get());

DSROLE_PRIMARY_DOMAIN_INFO_BASIC* inf;
DWORD dw;

dw = func(NULL, DsRolePrimaryDomainInfoBasic, (PBYTE*)&inf); //Error line: Access Violation

if (dw != ERROR_SUCCESS) {
    std::cout << "NO";
}

Do you have any ideas for solving the problem?

Hello,

Could you provide some examples on how to use ntdll imports ?

At the same time, I would like to ask your recommendation regarding "GetProcAddress". Currently I use lazy import for this, cached more specifically.

What would be the best way to prevent reversing/hooking of this function:

1. Just use lazy import
2. Store original address, then check periodically if hooked/detoured

I would really appreciate your advice!

#include <Windows.h>
#include <iostream>

#define LAZY_IMPORTER_CASE_INSENSITIVE
#include "lazy_importer/include/lazy_importer.hpp"

int main()
{
	const HMODULE hModule = LI_MODULE("kernelbase.dll").safe<HMODULE>();

	if (!hModule)
		return FALSE;

	std::wcout << GetProcAddress(hModule, "GetProcAddressForCaller") << std::endl;
	std::wcout << LI_FN("GetProcAddressForCaller").in_safe(hModule) << std::endl;

	system("pause");
	return 0;
}

Result:
00007FFEB4BB1830 (GetProcAddress(hModule, "GetProcAddressForCaller"))
0000000000000000 (LI_FN("GetProcAddressForCaller").in_safe(hModule))

Why?

Amazing library, but it seems "too good to be true"... Does it work on OS starting XP and above ?

I`m asking because many things were added starting VISTA, and it would be nice to know if this library has any dependencies regarding OS.

Hi

The basic hello world test doesn't work, fails with access violation https://i.imgur.com/ocvhP80.png

VS 2017 basic console application

If I call the function (MessageBoxA) normally before, then it works.

There is also this strange thing I noticed: https://i.imgur.com/nEtIF1m.png

Thanks