|
The temp link is again valid - thanks.
|
|
|
|
|
http://www.turboirc.com/temp/wrappit2.cpp
|
|
|
|
|
Dear Michael,
I have successfully hooked CreateFile() and ReadFile() with your utility and the insights of this wonderful article. The problem is that I cannot replace the output parameters of ReadFile(), i.e. lpOverlapped, lpNumberOfBytesRead and lpBuffer.
In this code snippet, when I try this it all works fine:

extern "C" BOOL __stdcall __E__675__(HANDLE hFile, LPVOID lpBuffer, DWORD nNumberOfBytesToRead, LPDWORD lpNumberOfBytesRead, LPOVERLAPPED lpOverlapped)
{
    char* myBuffer = "This is not the text file you opened :D The hook worked!";

    // Forward the call to the real ReadFile() unchanged
    ReadFile(hFile, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped);
    return 1;
}

By the way, you can notice how I didn't use the __asm function to achieve this... Now when I add this:

    lpBuffer = myBuffer;
    return 1;

lpBuffer (which contains the information of the file in memory) doesn't change, the file is still loaded in the application whose IAT I altered beforehand.
Any idea? Thanks!
|
|
|
|
|
lpBuffer is a pointer, you probably want to use memcpy(lpBuffer,myBuffer,size); (instead of getting data from ReadFile).
|
|
|
|
|
Thank you very much! It worked flawlessly!
Gosh! I even tried to use __asm() to pop values off the stack, comparing them and trying to find them to replace them. Can't believe the solution was so simple.
Thanks again!
|
|
|
|
|
On my system I got an error when I use it like
typedef int (__stdcall *pS)(SOCKET,char*,int,int);
pS pps = (pS)p[63*4];
int rv = pps(x,b,l,pr);
I have to remove the *4, but only in the non-asm code!
If I don't do it I get an exception!
But my other software is not working with this DLL, it crashes!
Can it be that a program uses fixed addresses of functions in DLLs and not a function to get the addresses?
So can I also create a DLL which has the same addresses for the functions?
|
|
|
|
|
Also, Wrappit generates the following code:
#pragma pack(j)
this should be:
#pragma pack(1)
|
|
|
|
|
"Note that the naked attribute is only valid on x86, and is not available on x64 or Itanium"
(source: Microsoft, Visual C++ Language Reference naked (C++) )
Can your Wrappit be enhanced to check the HW platform?
Thank you
|
|
|
|
|
Hi
I have a DLL; when I dump it, all functions look like what you did in your example, but there are some functions like this:
5598 15DD 00106288 ?ye@RW@@QBEIXZ
5599 15DE 000DE7E0 @VLDll@16
5606 15E1 000CB368 KingReport
5601 15E2 0004BDF1 _Em@20
Do you know what that KingReport is, and how to create a proxy DLL for this kind of DLL?
|
|
|
|
|
First, big thx for your tool.
But you wrote:
typedef int (__stdcall *pS)(SOCKET,char*,int,int);
pS pps = (pS)p[63*4];
int rv = pps(x,b,l,pr);
I need to do this:
typedef int (__stdcall *pS)(SOCKET,char*,int,int);
pS pps = (pS)p[63];
int rv = pps(x,b,l,pr);
Then everything works fine.
|
|
|
|
|
First: Great tool/code, really helped me out!
Line 204:
fprintf(fcpp,"\t\tp[%u] = GetProcAddress(hL,(LPCSTR)%u);\r\n",i,v[i].o);
Should be changed (remove quotes around ordinal number), otherwise GetProcAddress will return 0;
Also, in Visual Studio Express 2005 some warnings occur when the dll has one of the following functions exported:
DllCanUnloadNow,DllGetClassObject,DllInstall,DllRegisterServer,DllUnregisterServer
Those functions should always be private (why?) and are never loaded by ordinal value.
In the DEF file replace
DllCanUnloadNow=__E__4__ @163
by
DllCanUnloadNow=__E__4__ PRIVATE
|
|
|
|
|
When I try to make a proxy for ws2_32.dll with your tool, I get the following error:
Entry Point Not Found - The procedure entry point wsagetlasterror could not be located in the dynamic link library wsock32.dll
So I tried to proxy wsock32.dll too, but then the program says it could not be initialized.
Any idea about what is happening?
|
|
|
|
|
Check the parameters of the linker (/def)
|
|
|
|
|
"/def" ??
Is that a command I did not see and missed, or are you talking about the generated def file? I work with Visual C++ 8.
|
|
|
|
|
http://msdn.microsoft.com/en-us/library/28d6s79h.aspx
The /DEF option passes a module-definition file (.def) to the linker. Only one .def file can be specified to LINK. For details about .def files, see Module-Definition Files.
To set this linker option in the Visual Studio development environment:
1. Open the project's Property Pages dialog box. For details, see Setting Visual C++ Project Properties.
2. Click the Linker folder.
3. Click the Input property page.
4. Modify the Module Definition File property.
To specify a .def file from within the development environment, you should add it to the project along with other files and then specify the file to the /DEF option.
|
|
|
|
|
Any idea what this means?
http://img228.imageshack.us/img228/7624/again.jpg
When the program loads the proxy DLL this error occurs.
modified on Wednesday, July 29, 2009 11:15 AM
|
|
|
|
|
Is this the same machine where you installed Visual Studio?
Send me the Project and revised it.
|
|
|
|
|
Hi, I created this application based on the above to remove the dependencies to other tools (dumpbin). It is a test and can be improved.
Regards.

#include "stdafx.h"
#include "windows.h"
#include "winnt.h"
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include "string.h"

int main(int argc, char* argv[])
{
    char DefFile[255];
    char CppFile[255];

    if(argc!=3)
    {
        printf("\nMissing parameters ex:");
        printf("\nExtractDllExports ws2_32.dll ws2_32");
        return 2;
    }
    memset(DefFile,0,sizeof(DefFile));
    memset(CppFile,0,sizeof(CppFile));
    // Bounded formatting: the buffers were zeroed above, so they stay NUL-terminated
    _snprintf(DefFile,sizeof(DefFile)-1,"%s.def",argv[2]);
    _snprintf(CppFile,sizeof(CppFile)-1,"%s.cpp",argv[2]);
    FILE *fpdef;
    FILE *fpcpp;
    if((fpdef=fopen(DefFile, "w+"))==NULL)
    {
        printf("\nError in CreateFile %s",DefFile);
        return 1;
    }
    if((fpcpp=fopen(CppFile, "w+"))==NULL)
    {
        printf("\nError in CreateFile %s",CppFile);
        return 1;
    }

    // Map the DLL without running DllMain or resolving its imports
    HMODULE lib = LoadLibraryExA(argv[1], NULL, DONT_RESOLVE_DLL_REFERENCES);
    if(lib==NULL)
    {
        printf("\nError in LoadLibraryExA. Dll:%s",argv[1]);
        return 1;
    }
    assert(((PIMAGE_DOS_HEADER)lib)->e_magic == IMAGE_DOS_SIGNATURE);
    PIMAGE_NT_HEADERS header = PIMAGE_NT_HEADERS((BYTE *)lib + ((PIMAGE_DOS_HEADER)lib)->e_lfanew);
    assert(header->Signature == IMAGE_NT_SIGNATURE);
    assert(header->OptionalHeader.NumberOfRvaAndSizes > 0);
    PIMAGE_EXPORT_DIRECTORY exports = PIMAGE_EXPORT_DIRECTORY((BYTE *)lib + header->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    PVOID names = (BYTE *)lib + exports->AddressOfNames;
    WORD *Ordinals = (WORD*)((BYTE *)lib + exports->AddressOfNameOrdinals);
    fputs("\n//**** remember to add the /def parameter to linker ****",fpcpp);
    fputs("\n#include <windows.h>",fpcpp);
    fputs("\n\nHINSTANCE hLThis = 0;",fpcpp);
    fputs("\nHINSTANCE hL = 0;",fpcpp);
    // Write formatted text straight to the file: export names can be longer
    // than a fixed 255-byte scratch buffer
    fprintf(fpcpp,"\nFARPROC p[%u] = {0};",(unsigned)exports->NumberOfNames);
    fputs("\nBOOL WINAPI DllMain(HINSTANCE hInst,DWORD reason,LPVOID)",fpcpp);
    fputs("\n{",fpcpp);
    fputs("\n if (reason == DLL_PROCESS_ATTACH)",fpcpp);
    fputs("\n {",fpcpp);
    fputs("\n hLThis = hInst;",fpcpp);
    fprintf(fpcpp,"\n hL = LoadLibrary(\"%s\");",argv[1]);
    fputs("\n if (!hL) return false;",fpcpp);

    fputs("EXPORTS",fpdef);
    for (DWORD i = 0; i < exports->NumberOfNames; i++)
    {
        const char *name = (const char *)lib + ((DWORD *)names)[i];
        // Export ordinal = entry in the name-ordinal table + the directory's ordinal Base
        unsigned w = Ordinals[i] + exports->Base;
        fprintf(fpdef,"\n%s=__E__%u__ @%u",name,(unsigned)i,w);
        fprintf(fpcpp,"\n p[%u] = GetProcAddress(hL,\"%s\");",(unsigned)i,name);
    }
    fputs("\n }",fpcpp);
    fputs("\n if (reason == DLL_PROCESS_DETACH)",fpcpp);
    fputs("\n {",fpcpp);
    fputs("\n FreeLibrary(hL);",fpcpp);
    fputs("\n }",fpcpp);
    fputs("\n return 1;",fpcpp);
    fputs("\n}",fpcpp);
    fputs("\n// gethostname",fpcpp);
    fputs("\n// Example replace functions ",fpcpp);
    fputs("\n//extern \"C\" int __stdcall __E__92__(char *name, int namelen)",fpcpp);
    fputs("\n// {",fpcpp);
    fputs("\n//call original gethostname",fpcpp);
    fputs("\n// typedef int (__stdcall *pS)(char*,int);",fpcpp);
    fputs("\n// pS pps = (pS)p[92];",fpcpp);
    fputs("\n// int rv = pps(name,namelen);",fpcpp);
    fputs("\n// if(rv==0)",fpcpp);
    fputs("\n// {",fpcpp);
    fputs("\n// memset(name,0,namelen);",fpcpp);
    fputs("\n//Manipulate result",fpcpp);
    fputs("\n// strcpy(name,\"TestName\");",fpcpp);
    fputs("\n// }",fpcpp);
    fputs("\n// return rv;",fpcpp);
    fputs("\n// }",fpcpp);
    fputs("\n//end example;",fpcpp);
    // One naked forwarding stub per named export
    for (DWORD i = 0; i < exports->NumberOfNames; i++)
    {
        fprintf(fpcpp,"\n\n//%s",(const char *)lib + ((DWORD *)names)[i]);
        fprintf(fpcpp,"\nextern \"C\" __declspec(naked) void __stdcall __E__%u__()",(unsigned)i);
        fputs("\n{",fpcpp);
        fputs("\n __asm",fpcpp);
        fputs("\n {",fpcpp);
        // Inside __asm the bracket is a byte offset, hence index * pointer size
        fprintf(fpcpp,"\n jmp p[%u*%u];",(unsigned)i,(unsigned)sizeof(void*));
        fputs("\n }",fpcpp);
        fputs("\n}",fpcpp);
    }
    fclose(fpdef);
    fclose(fpcpp);
    FreeLibrary(lib);
    return 0;
}

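The number written after @ in a .def file (and shown in the first column of dumpbin /exports) is the entry from the name-ordinal table plus the export directory's Base field. The following is an added example, not the poster's code: it resolves name index to ordinal and function RVA with bounds checks over a constructed in-memory export directory; build_sample, export_by_name_index and all sample values are made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets of the IMAGE_EXPORT_DIRECTORY fields used here (winnt.h layout). */
enum { OFF_BASE = 16, OFF_NFUNCS = 20, OFF_NNAMES = 24, OFF_FUNCS = 28, OFF_ORDS = 36 };

/* Bounds-checked read of n bytes at an RVA in a mapped image (little-endian host). */
static int rd(const uint8_t *img, size_t len, uint64_t rva, void *out, size_t n) {
    if (rva > len || n > len - rva) return 0;
    memcpy(out, img + rva, n);
    return 1;
}

/* Resolve name-table entry i; returns 0 when the tables are truncated or inconsistent. */
int export_by_name_index(const uint8_t *img, size_t len, uint32_t dir_rva,
                         uint32_t i, uint32_t *ordinal, uint32_t *func_rva) {
    uint64_t d = dir_rva;
    uint32_t base, nfuncs, nnames, funcs, ords;
    uint16_t idx;
    if (!rd(img, len, d + OFF_BASE, &base, 4) ||
        !rd(img, len, d + OFF_NFUNCS, &nfuncs, 4) ||
        !rd(img, len, d + OFF_NNAMES, &nnames, 4) ||
        !rd(img, len, d + OFF_FUNCS, &funcs, 4) ||
        !rd(img, len, d + OFF_ORDS, &ords, 4)) return 0;
    if (i >= nnames) return 0;
    if (!rd(img, len, (uint64_t)ords + 2u * (uint64_t)i, &idx, 2)) return 0;
    if (idx >= nfuncs) return 0;            /* unbiased index into the function table */
    if (!rd(img, len, (uint64_t)funcs + 4u * (uint64_t)idx, func_rva, 4)) return 0;
    *ordinal = base + idx;                  /* the number written after '@' in a .def */
    return 1;
}

/* Constructed sample: directory at RVA 0, Base = 5, three functions, two names. */
size_t build_sample(uint8_t *img /* at least 56 bytes */) {
    const uint32_t dir[10]  = { 0, 0, 0, 0, 5, 3, 2, 40, 0, 52 };
    const uint32_t funcs[3] = { 0x1000, 0x2000, 0x3000 };
    const uint16_t ords[2]  = { 2, 0 };     /* name 0 -> slot 2, name 1 -> slot 0 */
    memcpy(img, dir, 40);
    memcpy(img + 40, funcs, 12);
    memcpy(img + 52, ords, 4);
    return 56;
}

int main(void) {
    uint8_t img[56]; uint32_t o, r;
    size_t n = build_sample(img);
    for (uint32_t i = 0; export_by_name_index(img, n, 0, i, &o, &r); i++)
        printf("name[%u] -> ordinal %u, RVA 0x%x\n", (unsigned)i, (unsigned)o, (unsigned)r);
    return 0;
}
```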
|
|
|
|
|
There is an error in the last example. It must not be
pS pps = (pS)p[63*4];
but
pS pps = (pS)p[69];
Someone in previous comments got access violation - it is due to this error, not because "(naked)" or something else.
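Several comments in this thread turn on the same point: inside an MSVC __asm block the bracket in jmp p[63*4] is an unscaled byte displacement, while in C/C++ p[63] is already scaled by the pointer size, so multiplying the index again reads past the intended slot. The following is an added illustration, not code from the article or from any commenter; the three-entry table p, its stand-in functions and the helper names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*fn_t)(int);
static int add1(int x) { return x + 1; }
static int add2(int x) { return x + 2; }
static int add3(int x) { return x + 3; }

/* Stand-in for the generated FARPROC p[N] table (constructed sample). */
enum { P_COUNT = 3 };
static fn_t p[P_COUNT] = { add1, add2, add3 };

/* C/C++ indexing: the compiler scales i by sizeof(fn_t). */
fn_t slot_by_index(size_t i) {
    return i < P_COUNT ? p[i] : NULL;
}

/* What "jmp p[disp]" addresses in an __asm block: disp is a raw byte offset. */
fn_t slot_by_displacement(size_t disp) {
    fn_t f = NULL;
    if (disp % sizeof(fn_t) != 0 || disp / sizeof(fn_t) >= P_COUNT)
        return NULL;                        /* misaligned or outside the table */
    memcpy(&f, (const char *)p + disp, sizeof f);
    return f;
}

/* Calls slot i from C code, or returns -1 when i is outside the table,
   which is the case that shows up as an access violation in the proxy. */
int call_slot(size_t i, int arg) {
    fn_t f = slot_by_index(i);
    return f ? f(arg) : -1;
}

int main(void) {
    size_t scaled = 2 * sizeof(fn_t);       /* what the asm stub needs for slot 2 */
    printf("asm displacement %u and C index 2 agree: %d\n",
           (unsigned)scaled, slot_by_displacement(scaled) == slot_by_index(2));
    printf("C call with index 2: %d\n", call_slot(2, 10));
    printf("C call with index 2*sizeof(ptr): %d\n", call_slot(scaled, 10));
    return 0;
}
```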
|
|
|
|
|
Hi!
I am new to c++ programming so this question might sound silly.
I am trying to manipulate the parameters and proxy this function:
D3DXMATRIX* WINAPI D3DXMatrixLookAtRH
( D3DXMATRIX *pOut, CONST D3DXVECTOR3 *pEye, CONST D3DXVECTOR3 *pAt,
CONST D3DXVECTOR3 *pUp );
And the code from my proxy dll looks like this:
extern "C" D3DXMATRIX* WINAPI __stdcall __E__205__(D3DXMATRIX *pOut,CONST D3DXVECTOR3 *pEye, CONST D3DXVECTOR3 *pAt, CONST D3DXVECTOR3 *pUp)
{
typedef D3DXMATRIX* (WINAPI __stdcall *pS)(D3DXMATRIX*, CONST D3DXVECTOR3*, CONST D3DXVECTOR3*, CONST D3DXVECTOR3*);
pS pps = (pS)p[205*4];
D3DXMATRIX* rv = pps(pOut,pEye,pAt,pUp);
return rv;
}
I get an unhandled exception. Any idea what am I doing wrong?
|
|
|
|
|
At first glance, I don't see anything wrong. Do ALL functions crash? If not, then chances are that you are calling the function with bad parameters.
1. Is it for a 64-bit dll ? (then you need 205*8!)
2. WINAPI = __stdcall so you do not need both.
3. Check the value of the rv while debugging.
|
|
|
|
|
For the first test I just pass the parameters on and don't manipulate them. What is interesting is if I do this:
(debugging it)

extern "C" D3DXMATRIX* __stdcall __E__205__(D3DXMATRIX *pOut,CONST D3DXVECTOR3 *pEye, CONST D3DXVECTOR3 *pAt, CONST D3DXVECTOR3 *pUp)
{
    std::ofstream outdata;
    outdata.open("C:\\out.txt");
    outdata << "Eye:" << pEye->x << " " << pEye->y << " " << pEye->z << std::endl;
    outdata.close();
    return NULL;
}

The function calls seem to succeed, because the parameters do have the right values. So I am sure the function is called.
Maybe it has something to do with the first function parameter being the [in, out] parameter? The function out parameter and the returning type are the same. (according to documentation: http://msdn.microsoft.com/en-us/library/bb205343(VS.85).aspx)
If I put the rest of the function in, I get an unhandled exception at this line of code:

D3DXMATRIX* rv = pps(pOut,pEye,pAt,pUp);
|
|
|
|
|
When I try to use "proxy2.exe dumpbin /exports wsock32.dll > exports.txt" I get the following written into exports.txt:
Wrappit. Copyright (C) Chourdakis Michael
Usage: WRAPPIT <dll> <txt> <convention> <new dll name> <cpp> <def>
==================================================================
I tried different DLLs but it didn't work either...
Thanks for answers
Thelod
|
|
|
|
|
Hi there.
Be patient for a few days and I will put wrappit2.cpp which has many bugs fixed.
Michael.
|
|
|
|
|
I've created a second version which works without inline assembly, by using forwards - and it works with PPC and x64. If anyone is interested, mail me; I should update the CP article soon.
|
|
|
|
|