loadlibrary
loadlibrary copied to clipboard
taviso
Unable to load multiple dll images
Hi, I am trying to use loadlibrary to load a dll image which uses windows Component Object Model internally but some error happens. Seems like loadlibrary links multiple PE image incorrectly.
Since the function in my target PE image utilize COM, it is insufficient to load single PE image. Following is how I try to load both my target PE image and COM related symbols from ole32.dll.
int main() {
struct pe_image images[2] = {
{.entry = NULL, .name = "/path/to/my/taget.dll", },
{.entry = NULL, .name = "ole32.dll"}
};
for (int i = 0; i < 2; i++) {
pe_load_library(images[i].name, &images[i].image, &images[0].size);
}
link_pe_images(images, 2); // <- SegFault happens here.
}
I wonder if I link the images wrong. If so, how should I link multiple images?
I'm also trying to load multiple DLLs, and adapting code to setup struct to save info for dedicated DLL, instead of global varibles such as pe_exports and num_pe_exports.
At last, I'm trapped by a global struct pe_image image, required by Exception.c of x64 branch but not in x86.
@cube0x8 Could you please kindly clarify that why this struct is required in x64 implementation and how to fix this issue? And, if I have two dlls(target1.dll and target2.dll), is it possible to load these dlls in one process?
Thanks and looking forward your reply!
Hello @juju812 and @posutsai.
I've just noticed that this issue has never been addressed. Sorry for this.
-
I am reasonably sure that loadlibrary is not meant to allow the loading of multiple DLLs. Despite the
link_pe_imagesAPI was originally designed for this purpose (that's why it takes, as arguments, an array of images and the number of images to link), actually it's not providing this capability now. As @juju812 correctly stated, the exports of a library are stored in thepe_exportsglobal variable, which gets overwritten at each iteration if you're linking multiple libraries (see here). In the end you will get anum_pe_exportswhich will sum up all the exports in all the DLLs, but thepe_exportsvariable will be inconsistent. All of this will subsequently leads to the SIGSEGV @posutsai reported. -
In the x64 version of loadlibrary, the SEH support is completely changed from its original x86 version. I won't get too much in detail here, but long story short: there are functions in the
Exception.cfile of thepeloaderlibrary that will need the base address of the loaded library to work correctly, that's why I moved that struct as global in the x86_64 version.
I'm also trying to load multiple DLLs, and adapting code to setup struct to save info for dedicated DLL, instead of global varibles such as pe_exports and num_pe_exports.
I don't want to jump on conclusions for this, since I am not the owner of the project and this is not my call, but to be able to load and link multiple DLLs you will need to make radical changes to the framework, which I guess are out of the scope of the project itself, since loadlibrary provides a set of API to load a single self-contained DLL mostly for fuzzing purposes.
Hi, I commented out SEH functions in Exception.c and finally I can load two simple DLLs in one executable. Demo can be found here.
What I've done is just to introduce the pe_handle struct, save pe_exports of each DLL seperately, and adapt APIs affected.
I believe there's potential problems, for my demo is so simple that there's no dependency of any kernel32 API. @cube0x8 @taviso, could you please help to figure out if this approach is feasible and how much further work is needed?
Thanks and looking forward your reply!
Hi,
It sounds like a good approach to me.
I guess you will need to modify some of the peloader APIs, but that should be quite simple and straightforward.
For example, if you are using the x86_64 version, you will have to modify the exception handling routine to look for the RUNTIME_FUNCTION entries in each of the loaded DLLs. A quick solution that comes to my mind is to store the pe_handle structures in a global list and then call RtlPcToFileHeader on all of them.
