
I am trying to figure out how I can call a function without having it being exported.

Okay, so I have an exe file with "add" defined in it. This exe is a win32 console application and loads a DLL. The DLL also aims to use the add function from the exe file (without exports).

Here is my main win32 console application file:

#include <windows.h>
#include <stdio.h>

#pragma auto_inline ( off )

int add ( int a, int b )
{
    printf( "Adding some ints\n" );
    return a + b;
}

int main ( )
{
    HMODULE module = NULL;

    if ( (module = LoadLibrary( L"hook.dll" )) == NULL )
    {
        printf( "Could not load library: %ld\n", GetLastError() );
        return 0;
    }

    add( 3, 5 );

    FreeLibrary( module );

    return 0;
}

Here is code for hook.dll:

#include <windows.h>
#include <stdio.h>
#include <detours.h>

/* hard-coded address taken from the disassembly; only valid while the exe is loaded at its preferred image base */
static int (*add) ( int a, int b ) = ( int (*)( int a, int b ) ) 0x401000;

int Detoured_add ( int a, int b )
{
    return add( a, b );
}

BOOL WINAPI DllMain ( HINSTANCE hDll, DWORD reason, LPVOID reserved )
{
    if ( reason == DLL_PROCESS_ATTACH )
    {
        DetourTransactionBegin();
        DetourAttach( (PVOID*) &add, Detoured_add );
        DetourTransactionCommit();

    }
    else if ( reason == DLL_PROCESS_DETACH )
    {
        DetourTransactionBegin();
        DetourDetach( (PVOID*) &add, Detoured_add );
        DetourTransactionCommit();
    }

    return TRUE;
}

I disassembled my win32 console application to find the address of the add function:

.text:00401000 ; =============== S U B R O U T I N E =======================================
.text:00401000
.text:00401000
.text:00401000 sub_401000      proc near               ; CODE XREF: sub_401020:loc_40104Bp
.text:00401000                 push    offset aAddingSomeInts ; "Adding some ints\n"
.text:00401005                 call    ds:printf
.text:0040100B                 add     esp, 4
.text:0040100E                 mov     eax, 8
.text:00401013                 retn
.text:00401013 sub_401000      endp

The problem is that when I call LoadLibrary, it returns 998, which I believe is the error code for an access violation. I guess this makes sense, though, as that memory area is probably protected.

Any tips?

(Also, the disassembler I used is the IDA Pro free version, and the Detours library is provided by Microsoft.)

  • I don't know much about Detours and I'm not sure it can be used in this way. But are you sure the address of add() will actually be 0x401000 at runtime? Can't the module get relocated or something? – Alex Jasmin Aug 01 '10 at 04:28
  • Right, I'm not too sure of the address either, since I'm new to this kind of stuff. – Tr41n Aug 01 '10 at 04:37
  • I'm going to keep working on this and report back my findings. – Tr41n Aug 01 '10 at 05:30
  • 1
    You're causing yourself a lot of trouble and grief. From a practical viewpoint you have two choices: either export the function, or else have your executable pass a pointer to the function that needs to be called. – Jerry Coffin Aug 01 '10 at 17:34


Modules are relocated as they are loaded. You should find the base address of the loaded module and relocate the address yourself. Also, you could use the DebugHelp library to retrieve the function address by symbolic name instead of hard-coding it.

  • +1 I suppose DebugHelp can be used. You have to compile the module with debug information though. – Alex Jasmin Aug 02 '10 at 01:30
  • I found out that putting in the raw hex value from disassembling it as a function pointer can work, but not with win32 console applications. Windows DEP blocks it. So int (*add)( int a, int b ) = ( int (*)(int,int) ) 0x2329381; // some value This seems to work fine if it's just from the main executable; however, if it's from an external module that the main executable uses, I think this will work: HMODULE handle = GetModuleHandleA("another.dll"); int (*add)( int a, int b ) = ( int (*)(int,int) )( (DWORD)handle + (DWORD)0x2329381 ); – Tr41n Aug 02 '10 at 03:25
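The answer and the comment above both come down to the same arithmetic: an address copied from a disassembly listing (0x401000) is a virtual address computed against the exe's preferred ImageBase, so it is only meaningful as an RVA (va minus preferred base) added to whatever base the loader actually chose. The following is an added example, not code from the question, the answer, or Microsoft's Detours; it walks a PE header to read the preferred ImageBase, rebases the disassembly address, and is portable C so it runs on any platform. The 120-byte header it parses is a constructed stand-in for the question's exe (MZ, e_lfanew 0x40, PE32, ImageBase 0x00400000), not a real file; the runtime base 0x00a10000 it rebases onto is likewise an assumed value. On Windows the two real inputs would be the loaded module's own headers (readable at the address GetModuleHandle(NULL) returns) and that same handle value as the actual base.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Optional-header magic values from the PE/COFF specification. */
#define PE32_MAGIC      0x10b
#define PE32PLUS_MAGIC  0x20b

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

/* Walk MZ -> e_lfanew -> "PE\0\0" -> COFF header -> optional header and read
 * the preferred ImageBase.  Returns 0 on success, -1 on a malformed or
 * truncated image; every offset is bounds-checked before it is dereferenced. */
int pe_preferred_base(const uint8_t *img, size_t len, uint64_t *base_out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t e_lfanew = rd32(img + 0x3c);
    /* signature (4) + COFF header (20) + optional header through ImageBase
       (0x20 bytes for both PE32 and PE32+) must fit in the buffer */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 0x20)
        return -1;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return -1;
    const uint8_t *opt = nt + 4 + 20;
    switch (rd16(opt)) {
    case PE32_MAGIC:     *base_out = rd32(opt + 0x1c); return 0; /* 32-bit ImageBase */
    case PE32PLUS_MAGIC: *base_out = rd64(opt + 0x18); return 0; /* 64-bit ImageBase */
    default:             return -1;
    }
}

/* Turn a disassembler VA into an RVA and re-add the base the loader actually
 * used.  Returns 0 when va lies below the preferred base (not in this image). */
uint64_t rebase_va(uint64_t va, uint64_t preferred_base, uint64_t actual_base)
{
    if (va < preferred_base)
        return 0;
    return actual_base + (va - preferred_base);
}

/* Constructed stand-in for the question's exe header (not a real file):
 * MZ, e_lfanew = 0x40, PE32 optional header, ImageBase = 0x00400000. */
size_t build_sample_pe32(uint8_t *buf, size_t cap)
{
    const size_t need = 0x40 + 4 + 20 + 0x20;
    if (cap < need)
        return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                       /* e_lfanew */
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *opt = buf + 0x40 + 24;
    opt[0] = 0x0b; opt[1] = 0x01;           /* magic 0x10b = PE32 */
    opt[0x1c] = 0x00; opt[0x1d] = 0x00;     /* ImageBase 0x00400000, little-endian */
    opt[0x1e] = 0x40; opt[0x1f] = 0x00;
    return need;
}

/* Worked case: given the VA seen in IDA and the base the exe was relocated
 * to (assumed value), where does add() actually live?  0 on any failure. */
uint64_t locate_add(uint64_t disassembly_va, uint64_t actual_base)
{
    uint8_t hdr[128];
    size_t n = build_sample_pe32(hdr, sizeof hdr);
    uint64_t preferred = 0;
    if (n == 0 || pe_preferred_base(hdr, n, &preferred) != 0)
        return 0;
    return rebase_va(disassembly_va, preferred, actual_base);
}

int main(void)
{
    uint64_t at = locate_add(0x401000, 0x00a10000);
    printf("add() would be at 0x%llx after relocation\n", (unsigned long long)at);
    return 0;
}
```

When the loader honours the preferred base, rebase_va() hands back the original 0x401000 unchanged, which is why a hard-coded pointer can appear to work on one machine and fault on another; the DbgHelp route in the answer (SymFromName against the exe's debug symbols) removes the dependence on the disassembly address entirely.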