Shulou(Shulou.com)06/02 Report--

This article mainly explains "how to load DLL from memory in windows". The content in the article is simple and clear, easy to learn and understand. Please follow the editor's train of thought to study and learn "how to load DLL from memory in windows".

Windows executable file-PE format

First, let's look at the structure of pe.

DOS headerDOS stubPE headerSection headerSection 1Section 2.. .Section n

All the structures given below can be found in the header file winnt.h.

DOS header

DOS header is only used for backward compatibility. It comes before DOS stub.

The Microsoft defines the DOS header as follows:

Typedef struct _ IMAGE_DOS_HEADER {/ / DOS .EXE header WORD estrangmical; / / Magic number word estrangcblp; / / byte word estrangcblp on the last page of the file; / / page in the file WORD estrangcrlc; / / Relocations word efolcparhdrr; / / the size of the header in the paragraph e_maxalloc; / / the minimum additional paragraph words required / / the maximum number of additional segments required WORD eSyss; / / the initial (relative) SS value WORD eigenspp; / / the initial SP value WORD eSum; / / the checksum WORD eSum; / / the initial IP value WORD eSum; / / the initial (relative) CS value word estranglfarlc; / / the file address of the relocation table, WORD esigovno; / / the number of overwrites, WORD e_res [4]. / / reserved word WORD estrangoemid; / / OEM identifier (for e_oeminfo) WORD estrango eminence; / / OEM information Specific to the e_oemid word e_res2 [10]; / / the reserved word LONG estranglfanew; / / the file address of the new exe header} IMAGE_DOS_HEADER,* PIMAGE_DOS_HEADER;PE header

The PE header contains information about different parts of the executable file that are used to store code and data or to define imports from other libraries or exports provided by this library.

It is defined as follows:

Typedef struct _ IMAGE_NT_HEADERS {DWORD signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 optional title;} IMAGE_NT_HEADERS32,* PIMAGE_NT_HEADERS32

The format of the physical file described in the FileHeader, such as directory symbols and other information:

Typedef struct _ IMAGE_FILE_HEADER {WORD Machine; WORD NumberOfSections; DWORD TimeDateSt DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader; WORD Characteristics;} IMAGE_FILE_HEADER,* PIMAGE_FILE_HEADER

The format of the information logic library contained in the OptionalHeader, including the required operating system version, memory requirements and pointcuts:

Typedef struct _ IMAGE_OPTIONAL_HEADER {/ standard field. / / WORD Magic; BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; / other fields of NT. / / DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes IMAGE_DATA_DIRECTORY DataDirection [image _ NUMBEROF_DIRECTORY_ENTRIES];} IMAGE_OPTIONAL_HEADER32,* PIMAGE_OPTIONAL_HEADER32

The DataDirectory directory contains 16 (logical components of the IMAGE_NUMBEROF_DIRECTORY_ENTRIES definition library) entries:

Index description 0 Export function 1 Import function 2 Resource Resources 3 exception Information 4 Security Information 5 Base relocation Table 6 Debug Information 7 Architecture-specific data 8 Global pointers 9 Thread Local Storage configuration 11 bind Import 12 Import address Table 13 delay load Import 14COM Runtime descriptor

For importing DLL, we only need entries that describe the import and basic relocation table. In order to provide access to the export function, you need to export entries.

Section header

The segment header is stored after the OptionalHeader structure in the PE header. Microsoft provides macro image _ FIRST_SECTION to obtain the starting address based on the PE header.

In fact, the section header is a list of information for each section in the file:

Typedef struct _ IMAGE_SECTION_HEADER {BYTE name [image _ SIZEOF_SHORT_NAME]; union {DWORD PhysicalAddress; DWORD VirtualSize;} Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics;} IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER

A section can contain code, data, relocation information, resources, export or import definitions, etc.

Load library

To simulate the PE loader, we must first understand that it is necessary to load files into memory and prepare the structure to invoke them from other programs.

When issuing an API call to LoadLibrary, Windows basically performs the following tasks:

1. Open the given file and check the DOS and PE headers.

two。 Try to allocate a block of memory with PEHeader.OptionalHeader.SizeOfImage bytes at the location PEHeader.OptionalHeader.ImageBase.

3. Parse the section title and copy the section to its address. The destination address of each section relative to the base address of the allocated memory block is stored in the VirtualAddress attribute of the IMAGE_SECTION_HEADER structure.

4. If you allocate a different block of memory than ImageBase, you must adjust the various references in the code and / or data sections. This is called Base relocation.

5. The required library import must be resolved by loading the appropriate library.

6. Different parts of the storage area must be protected according to the characteristics of the parts. Some parts are marked as discarable, so they can be safely released at this time. These sections usually contain temporary data that is needed only during import, such as basic relocation information.

7. The library is now fully loaded. This must be notified by invoking the entry point with the flag DLL_PROCESS_ATTACH.

Each step is described in the following paragraphs.

Allocate memory

All memory required by the library must be reserved / allocated using VirtualAlloc because Windows provides the ability to protect these memory blocks. This is necessary to restrict access to memory, such as blocking write access to code or constant data.

The OptionalHeader structure defines the size of the memory blocks required by the library. If possible, you must keep it at the address specified by ImageBase:

Memory = VirtualAlloc ((LPVOID) (PEHeader- > OptionalHeader.ImageBase), PEHeader- > OptionalHeader.SizeOfImage, MEM_RESERVE, PAGE_READWRITE)

If the reserved memory is different from the address specified in ImageBase, you must perform the following basic relocation.

Copy sections

After the memory is reserved, the contents of the file can be copied to the system. The section header must be evaluated to determine the location in the file and the target area in memory.

Before you can copy data, you must commit the memory block:

Dest = VirtualAlloc (baseAddress + section- > VirtualAddress, section- > SizeOfRawData, MEM_COMMIT, PAGE_READWRITE); Base relocation

All memory addresses in the code / data section of the library are stored relative to the address defined by ImageBase in OptionalHeader. If the library cannot be imported to this memory address, the reference must be adjusted = > relocated. The file format helps to do this by storing information about all these references in the basic relocation table, which can be found in directory entry 5 of DataDirectory in OptionalHeader.

The table consists of a series of such structures

Typedef struct _ IMAGE_BASE_RELOCATION {DWORD VirtualAddress; DWORD SizeOfBlock;} IMAGE_BASE_RELOCATION

It contains (SizeOfBlock-IMAGE_SIZEOF_BASE_RELOCATION) / 2 entries, each with 16 bits. The higher 4 bits define the type of relocation, and the lower 12 bits define the offset relative to the VirtualAddress.

It seems that the only type used in DLL is

IMAGE_REL_BASED_ABSOLUTE

Used to fill.

IMAGE_REL_BASED_HIGHLOW

The increment between the ImageBase and the allocated memory block is added to the 32-bit found at the offset.

Resolve the import part

Directory entry 1 of DataDirectory in OptionalHeader specifies the list of libraries from which to import symbols. Each entry in this list is defined as follows:

Typedef struct _ IMAGE_IMPORT_DESCRIPTOR {union {DWORD Characteristics; / / 0 for terminating null import descriptor DWORD OriginalFirstThunk; / / RVA to original unbound IAT (PIMAGE_THUNK_DATA)}; DWORD TimeDateStamp / / 0 if not bound, / /-1 if bound And real date\ time stamp / / in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND) / / O.W. Date/time stamp of DLL bound to (Old BIND) DWORD ForwarderChain / /-1 if no forwarders DWORD Name; DWORD FirstThunk; / / RVA to IAT (if bound this IAT has actual addresses)} IMAGE_IMPORT_DESCRIPTOR

This entry describes the name that is offset to the library (for example, the null termination string KERNEL32.DLL). The reference list of the function names that the OriginalFirstThunk entry points to is imported from the external library. FirstThunk points to an address list that contains pointers to import symbols.

When we solve the import problem, we browse through two lists, import the function defined by the name into the first list, and store the pointer to the symbol in the second list:

NameRef = (DWORD *) (baseAddress + importDesc- > OriginalFirstThunk); symbolRef = (DWORD *) (baseAddress + importDesc- > FirstThunk); for (; * nameRef; nameRef++, symbolRef++) {PIMAGE_IMPORT_BY_NAME thunkData = (PIMAGE_IMPORT_BY_NAME) (codeBase + * nameRef); * symbolRef = (DWORD) GetProcAddress (handle, (LPCSTR) & thunkData- > Name); if (* funcRef = = 0) {handleImportError (); return;}} memory protection

Permission flags are specified in the characteristics entry for each section. These signs can be one or a combination of the following

IMAGE_SCN_MEM_EXECUTE

This section contains data that can be executed.

IMAGE_SCN_MEM_READ

This section contains readable data.

IMAGE_SCN_MEM_WRITE

This section contains writable data.

These flags must be mapped to protection flags

PAGE_NOACCESS

PAGE_WRITECOPY

PAGE_READONLY

PAGE_READWRITE

PAGE_EXECUTE

PAGE_EXECUTE_WRITECOPY

PAGE_EXECUTE_READ

PAGE_EXECUTE_READWRITE

Now, you can use the function VirtualProtect to restrict access to memory. Windows throws an exception if the program attempts to access it in an unauthorized manner.

In addition to some of the flags above, you can add the following:

IMAGE_SCN_MEM_DISCARDABLE

You can release the data in this section after import. Typically, this is specified for relocation data.

IMAGE_SCN_MEM_NOT_CACHED

Windows must not cache the data in this section. Add the bit flag PAGE_NOCACHE to the protection flag above.

Notify library

The last thing to do is to call the DLL entry point (defined by AddressOfEntryPoint) and therefore notify the library about the information attached to the process.

The function of the entry point is defined as

Typedef BOOL (WINAPI * DllEntryProc) (HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)

So the last code we need to execute is

DllEntryProc entry = (DllEntryProc) (baseAddress + PEHeader- > OptionalHeader.AddressOfEntryPoint); (* entry) ((HINSTANCE) baseAddress, DLL_PROCESS_ATTACH, 0)

After that, we can use the exported function as we would any ordinary library.

Export function

If you want to access the function exported by the library, you need to find the entry point of the symbol, that is, the name of the function to be called.

Directory entry 0 of DataDirectory in OptionalHeader contains information about the export function. It is defined as follows:

Typedef struct _ IMAGE_EXPORT_DIRECTORY {DWORD Characteristics; DWORD TimeDateSt WORD MajorVersion; WORD MinorVersion; DWORD Name; DWORD Base; DWORD NumberOfFunctions; DWORD NumberOfNames; DWORD AddressOfFunctions; / / RVA from base of image DWORD AddressOfNames; / / RVA from base of image DWORD AddressOfNameOrdinals; / / RVA from base of image} IMAGE_EXPORT_DIRECTORY, * PIMAGE_EXPORT_DIRECTORY

The first thing to do is to map the function name to the sequence number of the export symbol. Therefore, you only need to traverse the array defined by AddressOfNames and AddressOfNameOrdinals in parallel until you find the desired name.

You can now use ordinal numbers to read the address by evaluating the nth element of the AddressOfFunctions array.

Release

To release custom loaded libraries, perform the following steps

Invokes the entry point to inform the library about the separation:

DllEntryProc entry = (DllEntryProc) (baseAddress + PEHeader- > OptionalHeader.AddressOfEntryPoint); (* entry) ((HINSTANCE) baseAddress, DLL_PROCESS_ATTACH, 0)

A free external library for parsing imports.

Free the allocated memory.

Memory module

MemoryModule is a C library that can be used to load DLL from memory.

This interface is very similar to the standard method of loading libraries:

Typedef void * HMEMORYMODULE;HMEMORYMODULE MemoryLoadLibrary (const void *); FARPROC MemoryGetProcAddress (HMEMORYMODULE, const char *); void MemoryFreeLibrary (HMEMORYMODULE); Thank you for reading, these are the contents of "how to load DLL from memory in windows". After the study of this article, I believe you have a deeper understanding of how to load DLL from memory in windows. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.