memory-module-loader

How can I GetProcAddress from a DLL that was exported without function names?

Open JerryLiew opened this issue 4 years ago • 7 comments

I have a DLL which was exported without function names. I can only call it by the ordinal value in C#. The function looks like this. So, how can I call it in Memory-module-loader? I've tried the following way to do that, but it got the wrong result. The result is always zero.

In addition, I have made the following changes. Thanks a lot.

JerryLiew avatar Jun 25 '21 09:06 JerryLiew

Hi @JerryLiew,

The existing code should work for imports via ordinal numbers. I have verified it just now. I am not familiar how to do it in C#, however.

In C, let's say for the DLL, in the module definition file (.def) we have a function with an ordinal value we set:

DoSomething2 @2

and the implementation of this DoSomething2 function is something like this:

INT DoSomething2()   // exported only as ordinal 2 via the .def line above
{
    return MessageBoxA(NULL, "Do Something 2!", "sample-dll", MB_OK | MB_ICONINFORMATION);
}

Now, we can perform this in the executable:

typedef INT(*DOSOMETHING2)();
// MAKEINTRESOURCE(2) packs the ordinal into the low word of the "name" pointer,
// which is how GetProcAddress (and the loader's _GetProcAddress) distinguishes an
// ordinal lookup from a name lookup.
DOSOMETHING2 DoSomething2 = (DOSOMETHING2)_GetProcAddress(pModule, MAKEINTRESOURCE(2));
if (NULL != DoSomething2)
{
    DoSomething2();
}
else
{
    le = gle();   // lookup failed: read the last-error code
}

farfella avatar Jun 27 '21 21:06 farfella

thanks a lot .i will try.

JerryLiew avatar Jul 05 '21 05:07 JerryLiew

I have tried that. I don't understand why this method returns NULL when NumberOfFunctions is 45 and NumberOfNames is 0. Does this mean that if all exported functions of a DLL have no name, NULL will always be returned? If you are interested, you can download the DLL file here: http://lzr7.tpddns.cn:8088/Download/hha.dll. Thanks a lot.

JerryLiew avatar Jul 05 '21 06:07 JerryLiew

Ahh, good catch. Yes, this case is specific to SCYTHE, where if NumberOfNames == 0 (i.e., the DLL does not have any names) it returns ERROR_PROC_NOT_FOUND. In this case you can comment out the first part of the if check. So, line 466 above should be this:

if (exports->NumberOfFunctions == 0)

farfella avatar Jul 05 '21 12:07 farfella
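To show why the NumberOfNames test is the wrong gate for an ordinal lookup, here is an added, stand-alone example (not code from the SCYTHE loader or from anyone in this thread) that resolves an export by ordinal directly over the PE export directory. It mirrors the IMAGE_EXPORT_DIRECTORY layout in its own struct so it builds without windows.h, assumes the original line-466 check had the shape `NumberOfNames == 0 || NumberOfFunctions == 0` (the thread only shows the fixed line), and builds a constructed 4 KiB image with an ordinal-only export table to run against.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Mirror of IMAGE_EXPORT_DIRECTORY (winnt.h field order) so this builds without windows.h. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name;
    uint32_t Base;               /* ordinal of AddressOfFunctions[0] */
    uint32_t NumberOfFunctions;  /* slots in AddressOfFunctions; a slot of 0 is unused */
    uint32_t NumberOfNames;      /* named exports only; 0 for an ordinal-only DLL */
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;

/* Assumed shape of the original line-466 check: it rejects every ordinal-only DLL. */
int export_check_original(const export_dir_t *e) { return e->NumberOfNames == 0 || e->NumberOfFunctions == 0; }
/* The fix from the thread: only an empty function table means there is nothing to resolve. */
int export_check_fixed(const export_dir_t *e) { return e->NumberOfFunctions == 0; }

/* Ordinal -> address over a mapped image of image_size bytes. NULL for an ordinal below Base,
   past the table, or in an unused slot; also refuses table/target RVAs outside the image. */
const uint8_t *resolve_by_ordinal(const uint8_t *image, size_t image_size,
                                  const export_dir_t *e, uint32_t ordinal)
{
    if (export_check_fixed(e) || ordinal < e->Base) return NULL;
    uint32_t idx = ordinal - e->Base;
    if (idx >= e->NumberOfFunctions) return NULL;
    if ((uint64_t)e->AddressOfFunctions + (uint64_t)e->NumberOfFunctions * 4 > image_size) return NULL;
    uint32_t rva;
    memcpy(&rva, image + e->AddressOfFunctions + (size_t)idx * 4, 4);  /* alignment-safe read */
    if (rva == 0 || rva >= image_size) return NULL;
    return image + rva;
}

/* Constructed fixture: 4 KiB "image" with a 3-slot ordinal-only export table (NumberOfNames == 0,
   Base == 1) and a hole at ordinal 2, mimicking the case from the thread. */
static _Alignas(8) uint8_t g_image[4096];
const export_dir_t *build_sample_image(void)
{
    export_dir_t e = {0};
    uint32_t funcs[3] = { 0x300, 0, 0x310 };          /* RVAs for ordinals 1, 2 (unused), 3 */
    e.Base = 1; e.NumberOfFunctions = 3; e.NumberOfNames = 0; e.AddressOfFunctions = 0x200;
    memset(g_image, 0, sizeof g_image);
    memcpy(g_image + 0x100, &e, sizeof e);
    memcpy(g_image + 0x200, funcs, sizeof funcs);
    g_image[0x300] = 0xC3; g_image[0x310] = 0xC3;    /* stand-in 'ret' bytes, never executed */
    return (const export_dir_t *)(g_image + 0x100);
}
```

With the original check the fixture fails before any lookup; with the fixed check ordinals 1 and 3 resolve, ordinal 2 (an unused slot) and anything outside 1..3 return NULL.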

Hi @JerryLiew. Were you able to get your code working making the update above?

farfella avatar Jul 14 '21 00:07 farfella

Hi @JerryLiew. Were you able to get your code working making the update above?

Thank you very much for your help. I did as you said. It can get the function pointer, but when I tried to execute the function, it couldn't work normally. I tried most of the 45 exported functions in the specified DLL; each either reported a memory error or returned an error result (0). However, my own DLL works normally. So I think that maybe that particular DLL has done something to make it impossible to load from memory (or there is some other reason).

JerryLiew avatar Jul 20 '21 09:07 JerryLiew

I'm preparing for the postgraduate examination recently, so I don't have time to study this problem in depth. After a period of time (about five months later), I will explore this problem in depth. At that time, if you are interested in this issue, I can help as much as possible. In addition, thank you very much for your work. Loading a DLL from memory is very useful and cool for me. It significantly improves the security of my program and makes it more difficult for others to reverse engineer.

JerryLiew avatar Jul 20 '21 09:07 JerryLiew