Export name with 'disallowed' character

Started by revolta, September 09, 2013, 04:57:11 PM


Vortex

Hi Gunther,

I agree with you. Unfortunately, the name decorations can be very complicated and sharing object modules between different linkers can be difficult because of this.

Gunther

Hi Erol,

Quote from: Vortex on September 28, 2013, 04:46:15 AM
I agree with you. Unfortunately, the name decorations can be very complicated and sharing object modules between different linkers can be difficult because of this.

that's the crucial point. Some schemes don't fit together.

Gunther
You have to know the facts before you can distort them.

Vortex

An interesting article:

http://wyw.dcweb.cn/stdcall.htm

Gunther

Erol,

thank you for the information. It could be helpful in some cases.

Gunther
You have to know the facts before you can distort them.

revolta

Thanks to all. I decided to do some research on this issue. I found out that it is enough to rename the
exported function in the export section of the PE (in this case .rdata). You need to find the name
of the exported function in the export directory of the PE and put the "="
character at the end of the name string ("c3Vja2VkIG15IGNvY2s" -> "c3Vja2VkIG15IGNvY2s="). When this patch is done, the API GetProcAddress
finds the function as "c3Vja2VkIG15IGNvY2s=".

.def
LIBRARY Library
EXPORTS c3Vja2VkIG15IGNvY2s


.asm
.486p
.model flat, stdcall
option casemap:none


include    \masm32\include\windows.inc
include    \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib


.const
NameOfLibrary db "Library.dll", 0


.code

dllentry proc hInstance:HINSTANCE, reason:DWORD, reserved1:DWORD
mov eax,TRUE

;========================================PATCH========================================
;run the patch once, on process attach: DllMain is also called for thread attach/detach,
;and every extra pass would move the terminator one byte further along the table
.if reason == DLL_PROCESS_ATTACH
pushad                                           ;save registers onto the stack

invoke GetModuleHandleA,offset NameOfLibrary     ;image base of Library.dll (the same value as hInstance)

mov edx,dword ptr ds:[eax+3ch]                   ;e_lfanew is a DWORD: offset of the PE header
add edx,eax                                      ;image base + offset = VA of the PE header
mov edx,dword ptr ds:[edx+78h]                   ;RVA of the Export Table (Export Directory)
add edx,eax                                      ;VA of the Export Directory
mov edx,dword ptr ds:[edx+20h]                   ;RVA of AddressOfNames
add edx,eax                                      ;VA of AddressOfNames
mov edx,dword ptr ds:[edx]                       ;RVA of the first exported name
add edx,eax                                      ;VA of the exported function name
mov edi,edx                                      ;EDI = start address of the exported function name
or ecx,-1                                        ;ECX = maximal counter (0ffffffffh)
xor eax,eax                                      ;AL = 00h, the byte scasb searches for
repne scasb                                      ;scan to the zero byte that terminates the name
dec edi                                          ;back up one byte: EDI now points at that terminator
                                                 ;the byte after it must also be zero, otherwise the
                                                 ;new name runs into whatever follows it in the table

push NULL                                        ;slot that receives the old protection value
invoke VirtualProtect,edi,1,PAGE_READWRITE,esp   ;make the byte we want to patch writable
pop ecx                                          ;old protection, kept so it can be restored

mov byte ptr ds:[edi],'='                        ;overwrite the terminator with the "=" character

push ecx                                         ;slot for the (ignored) old value
invoke VirtualProtect,edi,1,ecx,esp              ;restore the original page protection
pop ecx

popad                                            ;restore the registers from the stack
.endif
;========================================PATCH========================================

ret
dllentry endp


;==============================CODE_OF_EXPORTED_FUNCTION==============================
c3Vja2VkIG15IGNvY2s proc


nop
ret


c3Vja2VkIG15IGNvY2s endp
;==============================CODE_OF_EXPORTED_FUNCTION==============================

End dllentry

dedndave

you may be able to get the proc address using an ordinal, rather than a long string

Vortex

Hi revolta,

Nice solution, but if there is more than one modification, you must take into account the alphabetical order of the exported symbols.
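To make the walk through the export directory concrete, here is an added Python example; it is not code from this thread or from the MASM32 package. It builds a constructed, flat PE32-like image in memory (RVAs equal buffer offsets, the buffer is zero-filled so the padding after the last name is NUL, and the names, offsets and 0x400 size are all made up), follows the same chain of offsets as the DLL patch above (3Ch, 78h, 20h), and then applies the "=" patch only when the byte after the terminator is also zero, which is exactly what breaks once there is more than one export packed in the name table. It also checks that the name table stays sorted, the ordering point Vortex raises.

```python
import struct

# Offsets used by the MASM patch in the thread (PE32 layout):
E_LFANEW = 0x3C          # DOS header: file offset of the "PE\0\0" signature
EXPORT_DIR_ENTRY = 0x78  # from the PE signature: data directory[0] = export table RVA
NUMBER_OF_NAMES = 0x18   # within IMAGE_EXPORT_DIRECTORY
ADDRESS_OF_NAMES = 0x20  # within IMAGE_EXPORT_DIRECTORY


def build_image(names, size=0x400):
    """Build a constructed, flat PE32-like image for demonstration only (not a real DLL).
    RVAs equal buffer offsets, so no section mapping is needed, and the buffer is
    zero-filled so the bytes after the last name string are NUL (like section padding)."""
    buf = bytearray(size)
    pe = 0x40
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW, pe)
    buf[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, no sections, optional header size 0xE0, DLL characteristics
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    struct.pack_into("<H", buf, pe + 24, 0x10B)  # PE32 magic
    export_dir = 0x200
    struct.pack_into("<II", buf, pe + EXPORT_DIR_ENTRY, export_dir, 40)
    names_rva = export_dir + 40
    struct.pack_into("<I", buf, export_dir + NUMBER_OF_NAMES, len(names))
    struct.pack_into("<I", buf, export_dir + ADDRESS_OF_NAMES, names_rva)
    # Name strings are packed back to back, each NUL-terminated, as a linker emits them
    str_rva = names_rva + 4 * len(names)
    for i, name in enumerate(names):
        struct.pack_into("<I", buf, names_rva + 4 * i, str_rva)
        data = name.encode("ascii")
        buf[str_rva:str_rva + len(data)] = data
        str_rva += len(data) + 1
    return buf


def name_rvas(buf):
    """Follow the same chain the MASM code follows: e_lfanew -> export directory ->
    AddressOfNames -> one RVA per exported name."""
    pe = struct.unpack_from("<I", buf, E_LFANEW)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    export_dir = struct.unpack_from("<I", buf, pe + EXPORT_DIR_ENTRY)[0]
    count = struct.unpack_from("<I", buf, export_dir + NUMBER_OF_NAMES)[0]
    names_rva = struct.unpack_from("<I", buf, export_dir + ADDRESS_OF_NAMES)[0]
    return [struct.unpack_from("<I", buf, names_rva + 4 * i)[0] for i in range(count)]


def export_names(buf):
    """Read each exported name up to its NUL terminator, as GetProcAddress would see it."""
    out = []
    for rva in name_rvas(buf):
        end = buf.index(b"\0", rva)  # the repne scasb in the thread stops here
        out.append(buf[rva:end].decode("ascii"))
    return out


def append_char(buf, index, ch=b"=", force=False):
    """Apply the thread's patch to export `index`: overwrite the NUL terminator with `ch`.
    Unless `force` is set, refuse (return False) when the byte after the terminator is
    not NUL, because the name would then run straight into the next string in the table."""
    rva = name_rvas(buf)[index]
    terminator = buf.index(b"\0", rva)
    if buf[terminator + 1] != 0 and not force:
        return False
    buf[terminator] = ch[0]
    return True


def names_sorted(names):
    """The loader binary-searches the name table with a byte-wise comparison, so the
    table must still be sorted after any renaming ('=' is 0x3D: below letters, above digits)."""
    raw = [n.encode("ascii") for n in names]
    return raw == sorted(raw)


if __name__ == "__main__":
    img = build_image(["c3Vja2VkIG15IGNvY2s"])
    print(export_names(img), append_char(img, 0), export_names(img))
    img2 = build_image(["Alpha", "Beta"])
    print(append_char(img2, 0), append_char(img2, 0, force=True), export_names(img2))
    print(names_sorted(["Hash=", "HashB"]), names_sorted(["Hash=", "Hash2"]))
```

With a single export the patch succeeds and the name becomes "c3Vja2VkIG15IGNvY2s=". With two packed names, forcing the same write turns "Alpha" into "Alpha=Beta", and an appended "=" can also break the sort order that the loader's lookup depends on ("Hash=" sorts after "Hash2" but before "HashB").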