How to made just a crash:invoke LoadLibrary,TEXT("bootvid.dll")

[TouEnMasm]

Hello,
I have made further test to outpass this problem.
LoadLibraryEx made the samething,except used like that:

invoke LoadLibraryEx,pchemin,NULL,LOAD_LIBRARY_AS_DATAFILE

I want just a list of is functions.Loaded like that,the normal PE way to find them is out:

   mov   edi,hModule
   add   edi,[edi].IMAGE_DOS_HEADER.e_lfanew
   mov   edi,[edi].IMAGE_NT_HEADERS32.OptionalHeader.DataDirectory.VirtualAddress
   add   edi,hModule
   mov   ebx,edi
   mov   eax,[edi].IMAGE_EXPORT_DIRECTORY.NumberOfNames
   mov   esi,[edi].IMAGE_EXPORT_DIRECTORY.AddressOfNames ;tableau d'adresses
   add   esi,hModule
   mov   counter,eax

Perhaps someone have experimented the same thing?.

[dedndave]

i just use the dependancy walker   :t
one of Vortex's utilities does it, also, i think

[Antariy]

Code: [Select]

invoke CreateFile,offset szExeName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
mov hFile,eax
invoke CreateFileMapping,eax,0,SEC_IMAGE or PAGE_READONLY,0,0,offset szMappingName
mov hMapping,eax
invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0

EAX - pointer to a properly mapped but not processed PE file.


[TouEnMasm]

Thanks for answers
It's ok now

[ragdog]

You can get the PeHeader with LoadLibraryEx
and parsing to the Import and export table ;)

Code: [Select]

; Load the requested library, without executing it.
invoke LoadLibraryEx,CTEXT ("xxx.dll"),NULL,DONT_RESOLVE_DLL_REFERENCES
Eax is now the pointer to the Pe-header

10000000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF           MZ.......ÿ

Now can you parsing to the import or export table 

Regards,

[TouEnMasm]

You can get the PeHeader with LoadLibraryEx
and parsing to the Import and export table

Helas!!!! This don't work,some dll crashes just in the loadlibrary.
The bootvid.dll is one of them ++ there is also the no read memory dll.
This proc made a test after loadlibrary don't failed.

;################################################################
Autorise PROC  pchain:DWORD
   Local mem_basic_inf:MEMORY_BASIC_INFORMATION
   Local  retour:DWORD   
      mov retour,0
   mov edx,pchain
      invoke VirtualQuery,pchain,addr mem_basic_inf,sizeof mem_basic_inf
      .if eax != 0
         mov eax,mem_basic_inf.AllocationProtect
         .if eax == 0
            jmp fin
         .endif
         and eax,PAGE_NOACCESS
         jnz fin
         mov eax,mem_basic_inf.AllocationProtect         
         and eax,PAGE_EXECUTE
         jnz fin
         mov eax,mem_basic_inf.AllocationProtect         
         and eax,PAGE_GUARD
         jnz fin                           
         mov retour,1
      .endif 
      fin:   
 FindeAutorise:
         mov eax,retour
         ret
Autorise endp

Think as me it was simple to made a list of functions of all the dll ?.
It isn't.
Try this one "nv4_disp.dll" with CreateFileMapping or other things.....

[dedndave]

i am curious...
what are you doing with bootvid.dll ?
are you trying to modify the splash screen (boot screen) ?

[TouEnMasm]

I am just trying to get a data base of all functions with there dll,library,include files ..and so on.
No more.

[dedndave]

i believe that file provides a basic video driver for use during boot - prior to loading of the real video driver
it allows the system to display the splash screen while the other drivers are being loaded

under XP, it is a 16-color 640x480 image - stretched out to 800x600, i think

it may also provide basic video capabilities during safe mode

[MichaelW]

I think the BOOTVID.DLL functions are likely to require, as a minium, a prior call to the InbvAcquireDisplayOwnership function in NTOSKERNEL.EXE. My attempt to call the VidInitialize function triggered an access violation in RtlAllocateHeap (running under Windows 2000).

The attachment contains what I have. I used BOOTVID.DLL version 5.1.2600.0 from my XP SP3 system.

[TouEnMasm]

I have made a search to find a prog making just a failed instead of a crash when loading the library.
It is this one.
http://msdn.microsoft.com/en-us/library/ms177531(v=vs.80).aspx
I have try to made it work without the crt,in masm,but failed.
An object file,written in masm,loading the library, is able to just failed when inserted in this prog.

[Tedd]

The easy way to get a list of exported functions from a dll..

link /dump /exports C:\WINDOWS\system32\bootvid.dll

You'll probably want to edit the output a little, but it's simple enough. Using "*.dll" will also work ;)


Assuming you just want the list. If you want to do it yourself there's a little more work, but it's just a case of parsing the PE structure, finding the exports table, and parsing it. You don't need to load the dll, and you shouldn't really (dllentry will be executed.)

[dedndave]

nice, Tedd   :t

here's what i get under XP MCE2005 SP3

Code: [Select]

Microsoft (R) COFF Binary File Dumper Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

Dump of file C:\WINDOWS\system32\bootvid.dll

File Type: DLL

  Section contains the following exports for BOOTVID.dll

           0 characteristics
    3B7D7304 time date stamp Fri Aug 17 12:39:48 2001
        0.00 version
           1 ordinal base
          11 number of functions
          11 number of names

    ordinal hint RVA      name

          1    0 000017D6 VidBitBlt
          2    1 000014CC VidBufferToScreenBlt
          3    2 0000166A VidCleanUp
          4    3 00001694 VidDisplayString
          5    4 000017B2 VidDisplayStringXY
          6    5 00000834 VidInitialize
          7    6 0000094E VidResetDisplay
          8    7 000013A0 VidScreenToBufferBlt
          9    8 00001634 VidSetScrollRegion
         10    9 00000C2E VidSetTextColor
         11    A 00000A7C VidSolidColorFill

  Summary

         E00 .data
         180 .edata
         180 .reloc
         400 .rsrc
        1600 .text
         200 INIT

[MichaelW]

I generate DEF files directly with pexports.exe from a MinGW installation. Although I don’t use it this way, it has the ability to parse header files to get the correct decoration for stdcall symbols. The file format is generally usable with the Microsoft tools, but sometimes it’s necessary to massage the export definitions to sort everything out.

[TouEnMasm]

Here is a test prog to get the exported functions of the system32 dll.
He use the CreateFileMapping fonction.
He show no trouble with the dll in win xp  (system32).
A messagebox (10s),prompt you when it is finish
He write dllsystem.txt in the current directory.