News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

How to made just a crash:invoke LoadLibrary,TEXT("bootvid.dll")

Started by TouEnMasm, August 18, 2012, 10:24:58 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

TouEnMasm

August 18, 2012, 10:24:58 PM
Hello,
I have made further test to outpass this problem.
LoadLibraryEx made the samething,except used like that:
Quote
invoke LoadLibraryEx,pchemin,NULL,LOAD_LIBRARY_AS_DATAFILE
I want just a list of is functions.Loaded like that,the normal PE way to find them is out:
Quote
   mov   edi,hModule
   add   edi,[edi].IMAGE_DOS_HEADER.e_lfanew
   mov   edi,[edi].IMAGE_NT_HEADERS32.OptionalHeader.DataDirectory.VirtualAddress
   add   edi,hModule
   mov   ebx,edi
   mov   eax,[edi].IMAGE_EXPORT_DIRECTORY.NumberOfNames
   mov   esi,[edi].IMAGE_EXPORT_DIRECTORY.AddressOfNames ;tableau d'adresses
   add   esi,hModule
   mov   counter,eax

Perhaps someone have experimented the same thing?.

Fa is a musical note to play with CL

dedndave

#1
August 19, 2012, 08:26:55 AM
i just use the dependancy walker   :t
one of Vortex's utilities does it, also, i think

Antariy

#2
August 19, 2012, 09:18:21 AM
Code Select

invoke CreateFile,offset szExeName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0
mov hFile,eax
invoke CreateFileMapping,eax,0,SEC_IMAGE or PAGE_READONLY,0,0,offset szMappingName
mov hMapping,eax
invoke MapViewOfFile,eax,FILE_MAP_READ,0,0,0

EAX - pointer to a properly mapped but not processed PE file.

TouEnMasm

#3
August 19, 2012, 05:44:36 PM

Thanks for answers
It's ok now

Fa is a musical note to play with CL

ragdog

#4
August 19, 2012, 06:44:07 PM
You can get the PeHeader with LoadLibraryEx
and parsing to the Import and export table ;)

Code Select
; Load the requested library, without executing it.
invoke LoadLibraryEx,CTEXT ("xxx.dll"),NULL,DONT_RESOLVE_DLL_REFERENCES

Eax is now the pointer to the Pe-header

10000000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF           MZ.......ÿ

Now can you parsing to the import or export table 

Regards,

TouEnMasm

#5
August 20, 2012, 03:15:39 AM
Quote
You can get the PeHeader with LoadLibraryEx
and parsing to the Import and export table
Helas!!!! This don't work,some dll crashes just in the loadlibrary.
The bootvid.dll is one of them ++ there is also the no read memory dll.
This proc made a test after loadlibrary don't failed.
Quote
;################################################################
Autorise PROC  pchain:DWORD
   Local mem_basic_inf:MEMORY_BASIC_INFORMATION
   Local  retour:DWORD   
      mov retour,0
   mov edx,pchain
      invoke VirtualQuery,pchain,addr mem_basic_inf,sizeof mem_basic_inf
      .if eax != 0
         mov eax,mem_basic_inf.AllocationProtect
         .if eax == 0
            jmp fin
         .endif
         and eax,PAGE_NOACCESS
         jnz fin
         mov eax,mem_basic_inf.AllocationProtect         
         and eax,PAGE_EXECUTE
         jnz fin
         mov eax,mem_basic_inf.AllocationProtect         
         and eax,PAGE_GUARD
         jnz fin                           
         mov retour,1
      .endif 
      fin:   
FindeAutorise:
         mov eax,retour
         ret
Autorise endp
Think as me it was simple to made a list of functions of all the dll ?.
It isn't.
Try this one "nv4_disp.dll" with CreateFileMapping or other things.....





Fa is a musical note to play with CL

dedndave

#6
August 20, 2012, 03:35:09 AM
i am curious...
what are you doing with bootvid.dll ?
are you trying to modify the splash screen (boot screen) ?

TouEnMasm

#7
August 20, 2012, 03:39:41 AM

I am just trying to get a data base of all functions with there dll,library,include files ..and so on.
No more.

Fa is a musical note to play with CL

dedndave

#8
August 20, 2012, 03:47:15 AM
i believe that file provides a basic video driver for use during boot - prior to loading of the real video driver
it allows the system to display the splash screen while the other drivers are being loaded

under XP, it is a 16-color 640x480 image - stretched out to 800x600, i think

it may also provide basic video capabilities during safe mode

MichaelW

#9
August 20, 2012, 05:11:18 AM
I think the BOOTVID.DLL functions are likely to require, as a minium, a prior call to the InbvAcquireDisplayOwnership function in NTOSKERNEL.EXE. My attempt to call the VidInitialize function triggered an access violation in RtlAllocateHeap (running under Windows 2000).

The attachment contains what I have. I used BOOTVID.DLL version 5.1.2600.0 from my XP SP3 system.
Well Microsoft, here's another nice mess you've gotten us into.

TouEnMasm

#10
August 20, 2012, 04:02:06 PM
I have made a search to find a prog making just a failed instead of a crash when loading the library.
It is this one.
http://msdn.microsoft.com/en-us/library/ms177531(v=vs.80).aspx
I have try to made it work without the crt,in masm,but failed.
An object file,written in masm,loading the library, is able to just failed when inserted in this prog.


Fa is a musical note to play with CL

Tedd

#11
August 20, 2012, 11:45:22 PM
The easy way to get a list of exported functions from a dll..

link /dump /exports C:\WINDOWS\system32\bootvid.dll

You'll probably want to edit the output a little, but it's simple enough. Using "*.dll" will also work ;)


Assuming you just want the list. If you want to do it yourself there's a little more work, but it's just a case of parsing the PE structure, finding the exports table, and parsing it. You don't need to load the dll, and you shouldn't really (dllentry will be executed.)
Potato2

dedndave

#12
August 21, 2012, 01:22:14 AM
nice, Tedd   :t

here's what i get under XP MCE2005 SP3
Code Select
Microsoft (R) COFF Binary File Dumper Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

Dump of file C:\WINDOWS\system32\bootvid.dll

File Type: DLL

  Section contains the following exports for BOOTVID.dll

           0 characteristics
    3B7D7304 time date stamp Fri Aug 17 12:39:48 2001
        0.00 version
           1 ordinal base
          11 number of functions
          11 number of names

    ordinal hint RVA      name

          1    0 000017D6 VidBitBlt
          2    1 000014CC VidBufferToScreenBlt
          3    2 0000166A VidCleanUp
          4    3 00001694 VidDisplayString
          5    4 000017B2 VidDisplayStringXY
          6    5 00000834 VidInitialize
          7    6 0000094E VidResetDisplay
          8    7 000013A0 VidScreenToBufferBlt
          9    8 00001634 VidSetScrollRegion
         10    9 00000C2E VidSetTextColor
         11    A 00000A7C VidSolidColorFill

  Summary

         E00 .data
         180 .edata
         180 .reloc
         400 .rsrc
        1600 .text
         200 INIT

MichaelW

#13
August 21, 2012, 03:56:59 AM
I generate DEF files directly with pexports.exe from a MinGW installation. Although I don't use it this way, it has the ability to parse header files to get the correct decoration for stdcall symbols. The file format is generally usable with the Microsoft tools, but sometimes it's necessary to massage the export definitions to sort everything out.
Well Microsoft, here's another nice mess you've gotten us into.

TouEnMasm

#14
August 21, 2012, 05:11:25 AM
Here is a test prog to get the exported functions of the system32 dll.
He use the CreateFileMapping fonction.
He show no trouble with the dll in win xp  (system32).
A messagebox (10s),prompt you when it is finish
He write dllsystem.txt in the current directory.


Fa is a musical note to play with CL
Print
Go Up Pages1
User actions