Menu
▾
▴
[Mingw-users] [mingw - Windows API] executable with no imports
|
From: SourceForge.net <no...@so...> - 2004-10-09 17:37:32
|
Read and respond to this message at: https://sourceforge.net/forum/message.php?msg_id=2796594 By: mingwlinder Hi everybody, I made last night a program that use CreateRemoteThread to inject a DLL in processes, to hook some APIs. And now, I search how to protect against these technique, and wrote the following code after I notice that kernel32.dll was automatically mapped with my process (even with no imports on it), so I can use hard-coded proc values to call APIs : #define UNICODE #define WIN32_LEAN_AND_MEAN #include <windows.h> typedef HANDLE (*PGETSTDHANDLE)(DWORD); typedef DWORD (*PFORMATMESSAGE)(DWORD, LPCVOID, DWORD, DWORD, LPTSTR, DWORD, va_list*); typedef VOID (*PWRITECONSOLE)(HANDLE, LPCVOID, DWORD, LPDWORD, LPVOID); typedef VOID (*PEXITPROCESS)(UINT); static HANDLE hConsole = INVALID_HANDLE_VALUE; static HINSTANCE hKernel = NULL; static PGETSTDHANDLE pGetStdHandle = NULL; static PFORMATMESSAGE pFormatMessage = NULL; static PWRITECONSOLE pWriteConsole = NULL; static PEXITPROCESS pExitProcess = NULL; VOID print(LPCTSTR lpFormat, ...) { va_list lpValues; va_start(lpValues, lpFormat); LPTSTR lpMessage; DWORD n = pFormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_STRING, lpFormat, 0, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &lpMessage, 0, &lpValues); va_end(lpValues); pWriteConsole(hConsole, lpMessage, n, &n, NULL); } VOID mainCRTStartup(VOID) { // this is just to avoid MSVCRT dependancies hKernel = GetModuleHandle(TEXT("kernel32.dll")); pGetStdHandle = GetProcAddress(hKernel, "GetStdHandle"); pFormatMessage = GetProcAddress(hKernel, "FormatMessageW"); pWriteConsole = GetProcAddress(hKernel, "WriteConsoleW"); pExitProcess = GetProcAddress(hKernel, "ExitProcess"); hConsole = pGetStdHandle(STD_OUTPUT_HANDLE); print(TEXT("hKernel = 0x%1!08x!%n" "hConsole = 0x%2!08x!%n" "pGetStdHandle = 0x%3!08x!%n" "pFormatMessage = 0x%4!08x!%n" "pWriteConsole = 0x%5!08x!%n" "pExitProcess = 0x%6!08x!%n" ), hKernel, hConsole, pGetStdHandle, pFormatMessage, pWriteConsole, pExitProcess); print(TEXT("Hello World !%n")); print(TEXT("Hallo World !%n")); print(TEXT("Hi World !%n")); pExitProcess(0); } Compiled with: gcc -g -O2 -march=i686 -Wall -Wextra -finput-charset=latin1 main.c -mconsole -nostdlib -lkernel32 -o tiny.exe Only GetModuleHandleW et GetProcAddress are imported (they are hex values in my original program, but this is more generalist for a testcase). At runtime, only the fisrt print() is displayed : hKernel = 0x7c800000 hConsole = 0x00000007 pGetStdHandle = 0x7c812ca9 pFormatMessage = 0x7c829047 pWriteConsole = 0x7c839882 pExitProcess = 0x7c81caa2 After what, the program crash : Program received signal SIGSEGV, Segmentation fault. 0x00000000 in ?? () With DrMinGW, I get : tiny.exe caused an Access Violation at location 00000000 Reading from location 00000000. Registers: eax=00000001 ebx=7ffde000 ecx=7c81cbcb edx=00350608 esi=00000000 edi=00000010 eip=00000000 esp=0022ff9c ebp=0022ff88 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 Call stack: AddrPC AddrReturn AddrFrame AddrStack Params 00000000 00403050 0022FF98 0022FF9C 7C800000 00000007 7C812CA9 7C829047 00000000 00403050 00000001 0022FF88 0022FF9C 7C829037 003D0000 00000000 00403050 00403050 tiny.exe:00403050 mainCRTStartup main.c:44 void mainCRTStartup() ... print(TEXT("Hallo World !%n")); print(TEXT("Hi World !%n")); > pExitProcess(0); } I tried to watch the pointers with GDB, but they have correct values even after the crash. Compiling with MSVC give the same results. Does anyone know what I am making wrong ? :-/ ______________________________________________________________________ You are receiving this email because you elected to monitor this forum. To stop monitoring this forum, login to SourceForge.net and visit: https://sourceforge.net/forum/unmonitor.php?forum_id=286641 |
