Author Topic: Export name with 'disallowed' character  (Read 7945 times)

Vortex

  • Member
  • *****
  • Posts: 1996
Re: Export name with 'disallowed' character
« Reply #15 on: September 28, 2013, 04:46:15 AM »
Hi Gunther,

I agree with you. Unfortunately, the name decorations can be very complicated and sharing object modules between different linkers can be difficult because of this.

Gunther

  • Member
  • *****
  • Posts: 3585
  • Forgive your enemies, but never forget their names
Re: Export name with 'disallowed' character
« Reply #16 on: September 28, 2013, 07:42:50 AM »
Hi Erol,

I agree with you. Unfortunately, the name decorations can be very complicated and sharing object modules between different linkers can be difficult because of this.

That's the crucial point. Some schemes don't fit together.

Gunther
Get your facts first, and then you can distort them.

Vortex

  • Member
  • *****
  • Posts: 1996
Re: Export name with 'disallowed' character
« Reply #17 on: September 28, 2013, 06:11:18 PM »
An interesting article:

http://wyw.dcweb.cn/stdcall.htm

Gunther

  • Member
  • *****
  • Posts: 3585
  • Forgive your enemies, but never forget their names
Re: Export name with 'disallowed' character
« Reply #18 on: September 28, 2013, 08:18:24 PM »
Erol,

thank you for the information. It could be helpful in some cases.

Gunther
Get your facts first, and then you can distort them.

revolta

  • Regular Member
  • *
  • Posts: 6
Re: Export name with 'disallowed' character
« Reply #19 on: October 08, 2013, 08:28:30 PM »
Thanks to all. I decided to do some research about this issue. I found out that it is enough to rename the
exported function in the PE export section (in this case .rdata). It is needed to find the name
of the exported function in the export directory of the PE and put the "="
character at the end of the name string ("c3Vja2VkIG15IGNvY2s" -> "c3Vja2VkIG15IGNvY2s="). When this patch is done, the API GetProcAddress
finds the function as "c3Vja2VkIG15IGNvY2s=".

.def
Code:
LIBRARY Library
EXPORTS c3Vja2VkIG15IGNvY2s

.asm
Code:
.486p
.model flat, stdcall
option casemap:none


include    \masm32\include\windows.inc   ;must be included before the other .inc files
include    \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib


.const
NameOfLibrary db "Library.dll", 0


.code

dllentry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
mov eax,TRUE

;========================================PATCH========================================
.if reason == DLL_PROCESS_ATTACH ;patch only once: on every later call the same code would append another "="
pushad ;save registers onto stack

invoke GetModuleHandleA,offset NameOfLibrary ;get imagebase of Library.dll

movzx edx,word ptr ds:[eax+3ch] ;get offset of PE header (e_lfanew) to EDX
add edx,eax ;add offset of PE header with imagebase, get VA of PE header
mov edx,dword ptr ds:[edx+78h] ;get RVA of Export Table (Export Directory) from the data directory
add edx,eax ;add RVA of Export Table (Export Directory) with imagebase, get VA
mov edx,dword ptr ds:[edx+20h] ;get RVA of AddressOfNames
add edx,eax ;add RVA of AddressOfNames with imagebase, get VA
mov edx,dword ptr ds:[edx] ;get RVA of the name of the exported function (first entry of AddressOfNames)
add edx,eax ;add RVA of the name of the exported function with imagebase, get VA
mov edi,edx ;start address of exported function name put into EDI
xor ecx,ecx ;clear ECX - put into ECX the maximal counter (0ffffffffh)
dec ecx ;ECX = 0ffffffffh
xor eax,eax ;clear EAX - we have to have AL cleared, AL (00h) will be searched for
repne scasb ;find AL (00h) from the starting address of the exported function name - i.e. find the first zero byte at the end of the name - we can put the "=" character there
dec edi ;get back one byte, EDI now points at the terminating zero
;note: the byte after that zero must already be zero (section padding), otherwise the name runs on into the next string

push NULL ;room for the old protection value
invoke VirtualProtect,edi,1,PAGE_READWRITE,esp ;we have to change the access protection of the one byte we wanna patch (.rdata is read-only)
pop ecx

mov byte ptr ds:[edi],'=' ;put the "=" character there

popad ;restore the registers from the stack
.endif
;========================================PATCH========================================

ret
dllentry endp


;==============================CODE_OF_EXPORTED_FUNCTION==============================
c3Vja2VkIG15IGNvY2s proc


nop
ret


c3Vja2VkIG15IGNvY2s endp
;==============================CODE_OF_EXPORTED_FUNCTION==============================

End dllentry

dedndave

  • Member
  • *****
  • Posts: 8823
  • Still using Abacus 2.0
    • DednDave
Re: Export name with 'disallowed' character
« Reply #20 on: October 09, 2013, 04:36:34 AM »
you may be able to get the proc address using an ordinal, rather than a long string

Vortex

  • Member
  • *****
  • Posts: 1996
Re: Export name with 'disallowed' character
« Reply #21 on: October 09, 2013, 05:15:54 AM »
Hi revolta,

Nice solution, but if there is more than one modification, you must take into account the alphabetical order of the exported symbols.
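To make the two invariants the runtime patch relies on checkable, here is an added Python example (not code from the thread): it builds a constructed in-memory export directory with the same field offsets the MASM patch reads (+18h NumberOfNames, +20h AddressOfNames), replays the "overwrite the terminating zero with =" patch, and then checks whether the name table is still in byte order and whether any name contains characters an assembler would reject. The buffer models the DLL as mapped in memory, so RVA equals buffer offset; the names and their layout are test data, not a real DLL.

```python
import struct

# Offsets inside IMAGE_EXPORT_DIRECTORY, the same ones the MASM patch reads:
#   +0x18 NumberOfNames, +0x20 AddressOfNames (RVAs of the NUL-terminated names).
# The buffer models the DLL as mapped in memory, so RVA == buffer offset.
EXPORT_DIR_SIZE = 40
IDENT_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_@$?")


def build_export_image(names):
    """Construct a minimal in-memory export directory (constructed test data, not a real DLL)."""
    n = len(names)
    names_rva = EXPORT_DIR_SIZE            # name pointer table right after the directory
    ords_rva = names_rva + 4 * n           # ordinal table after it
    strings_rva = ords_rva + 2 * n         # name strings packed back to back, as a linker emits them
    strings, rvas = b"", []
    for name in names:
        rvas.append(strings_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    header = struct.pack("<10I", 0, 0, 0, 0, 1, n, n, 0, names_rva, ords_rva)
    tables = struct.pack("<%dI" % n, *rvas) + struct.pack("<%dH" % n, *range(n))
    return bytearray(header + tables + strings + b"\0" * 8)  # trailing section padding


def read_export_names(image, export_dir_rva=0):
    """Walk the export directory the way the patch does and return the name strings."""
    n, = struct.unpack_from("<I", image, export_dir_rva + 0x18)
    names_rva, = struct.unpack_from("<I", image, export_dir_rva + 0x20)
    names = []
    for i in range(n):
        rva, = struct.unpack_from("<I", image, names_rva + 4 * i)
        names.append(image[rva:image.index(b"\0", rva)].decode("latin-1"))
    return names


def patch_name_terminator(image, index, ch=b"=", export_dir_rva=0):
    """Replay the runtime patch: overwrite the NUL that ends export `index` with ch.
    Returns the name a lookup sees afterwards; if the byte after the old NUL is not
    zero, the name runs on into the following string."""
    names_rva, = struct.unpack_from("<I", image, export_dir_rva + 0x20)
    rva, = struct.unpack_from("<I", image, names_rva + 4 * index)
    image[image.index(b"\0", rva)] = ch[0]
    return read_export_names(image, export_dir_rva)[index]


def check_export_names(names):
    """Problems a by-name lookup (binary search over a sorted table) would hit."""
    problems = []
    for a, b in zip(names, names[1:]):          # table must be in strict byte order
        if a.encode("latin-1") >= b.encode("latin-1"):
            problems.append("not sorted: %r before %r" % (a, b))
    for name in names:
        bad = sorted(set(name) - IDENT_CHARS)   # characters an assembler would reject
        if bad:
            problems.append("non-identifier characters in %r: %s" % (name, "".join(bad)))
    return problems
```

With a single export followed by padding the patch yields "c3Vja2VkIG15IGNvY2s=", but with the names "abc" and "abc0" the same patch merges the first name into the second and also breaks the sort order, since "=" (3Dh) sorts after "0" (30h).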