Author Topic: Lib- and Inc-files selfhandmake  (Read 127 times)

Mikl__

Lib- and Inc-files selfhandmake
« on: August 19, 2022, 11:31:11 AM »
lib- and inc-files are not difficult to create yourself from the contents of system dll's
Purpose of inc and lib files
inc-files are text files containing descriptions of Windows data structures and constants, as well as macro definitions.
inc files are formed by the programmer as the operating system tools he uses expand. Similar to the h/hpp header files used in C/C++ programming, it is sometimes possible to generate inc files from h files using the h2inc.exe utility (found in older MASM packages).
The purpose of lib files is to provide the link.exe program with information about external references to WinAPI functions inside system dll files. A lib file is an archive that stores a set of "external symbol" mappings - a link to an object (COFF or PE) file. This "symbol" at the linking stage is either added to the executable image (in the case of COFF, from the precompiled object file) or written in the import table (in the case of PE). That is, some amount of external links is translated into your exe or dll.
link.exe handles the standard COFF libraries and the COFF import libraries that have a .lib extension. Standard libraries contain objects and are created using the lib.exe utility. Import libraries contain information about exports to other programs and are created either by the link.exe compiler when building the program containing the export, or by the lib.exe utility.
To get the contents of the system dll file, I use the following bat-file:
Code:
@echo off
cls
set masm64_path=\masm64\
set FileName=user32
if exist %FileName%.inc del %FileName%.inc
if exist %FileName%.def del %FileName%.def
%masm64_path%bin\dumpbin.exe /EXPORTS %windir%\System32\%FileName%.dll /OUT:%FileName%.txt
@echo EXPORTS >> %FileName%.def
for /f "skip=16 tokens=1-4" %%a in (%FileName%.txt) do ( if "%%a"=="Summary" goto :exit
if "%%d"=="" ( @echo extern __imp_%FileName%_ordinal%%a:qword >> %FileName%.inc
@echo %FileName%_ordinal%%a TEXTEQU ^<__imp_%FileName%_ordinal%%a^> >> %FileName%.inc
@echo %FileName%_ordinal%%a=ordinal%%a @%%a NONAME >> %FileName%.def
) else ( if not "%%d"=="(forwarded" ( @echo extern __imp_%%d:qword >> %FileName%.inc
@echo %%d TEXTEQU ^<__imp_%%d^> >> %FileName%.inc
@echo %%d=__imp_%%d >> %FileName%.def )))
:exit
%masm64_path%bin\link -lib /DEF:%FileName%.def /OUT:%FileName%.lib /MACHINE:X64
Parsing a bat file
preconfiguring a bat file
Code:
::erasing from the screen
cls
::set path to masm64 directory
set masm64_path=\masm64\
::name of the "dissected dll", start with user32
set FileName=user32
:: process user32.dll and get user32.txt file
%masm64_path%bin\dumpbin.exe /EXPORTS %windir%\System32\%FileName%.dll /OUT:%FileName%.txt
contents of user32.txt
Code:
Dump of file C:\Windows\System32\user32.dll
File Type: DLL
  Section contains the following exports for USER32.dll
    00000000 characteristics
    4CE799CD time date stamp Sat Nov 20 17:50:05 2010
        0.00 version
        1500 ordinal base
        1003 number of functions
         830 number of names
    ordinal hint RVA name
       1502 0 000083C0 ActivateKeyboardLayout
       1503 1 0002AD40 AddClipboardFormatListener
       1504 2 000235B8 AdjustWindowRect
       1505 3 00017CE4 AdjustWindowRectEx
 ....
       2341 33C 0007B430 wvsprintfA
       2342 33D 00020BFC wvsprintfW
       1500 0002B260 [NONE]
       1501 0002AE80 [NONE]
....
  Summary
        2000.data
        A000.pdata
       10000.rdata
        1000 .reloc
       5B000.rsrc
       81000.text
after reviewing user32.txt, it can be seen that 846 functions are imported from user32.dll, of which 826 functions are imported by name, 16 by ordinals, and the functions DefDlgProcA, DefDlgProcW, DefWindowProcA, DefWindowProcW are ported to user32.dll from the system library NTDLL.dll
Code:
Dump of file C:\Windows\System32\user32.dll
File Type: DLL
  Section contains the following exports for USER32.dll
    00000000 characteristics
    4CE799CD time date stamp Sat Nov 20 17:50:05 2010
        0.00 version
        1500 ordinal base
        1003 number of functions
         830 number of names
    ordinal hint RVA name
       1502 0 000083C0 ActivateKeyboardLayout <-- useful info starts here
if before the start of processing the directory already contains user32.inc, user32.def, user32.lib files remaining from the previous processing of dll files, delete them.
Code:
if exist %FileName%.inc del %FileName%.inc
if exist %FileName%.def del %FileName%.def
create a user32.def file, which should start with the line "EXPORTS"
Code:
@echo EXPORTS >> %FileName%.def
Useful information begins in user32.txt from line 16, so skip=16 means that we skip the first 16 lines in user32.txt. When parsing the user32.txt file line by line, we use the first four words in the line, to which we assign the names %%a, %%b, %%c, %%d
Code:
for /f "skip=16 tokens=1-4" %%a in (%FileName%.txt) do
if the first parameter is equal to "Summary", then all the functions included in the dll have been processed, we stop processing, exit the user32.txt file and go to the :exit label
Code:
if "%%a"=="Summary" goto :exit
if the fourth parameter in the user32.txt file is empty, we have an import by ordinals
|%%a|%%b|%%c|%%d
|1500|0002B260|[NONAME]|
save the first word (the ordinal of the WinAPI function) in the user32.txt line in the %%a variable, frame it and place it on two new lines in the user32.inc file
Code:
extern __imp_user32_ordinal1500:qword
user32_ordinal1500 TEXTEQU <__imp_user32_ordinal1500>
and user32.def
Code:
user32_ordinal1500=ordinal1500 @1500 NONAME
if the fourth parameter is non-empty, we have an import by function names in the next line of the user32.txt file
|%%a|%%b|%%c|%%d
|1502|0|000083C0|ActivateKeyboardLayout
the fourth word in the line (the name of the WinAPI function), save it in the variable %%d, create two new lines in the user32.inc file, preface the line with %%d "extern __imp_" end the line with ":qword", add "TEXTEQU", "__imp_ ", we escape the control characters "<" and ">" (^<__imp_%%d^>) so that the bat-file perceives them as ordinary characters.
Code:
extern __imp_ActivateKeyboardLayout:qword
ActivateKeyboardLayout TEXTEQU <__imp_ActivateKeyboardLayout>
and user32.def
Code:
ActivateKeyboardLayout=__imp_ActivateKeyboardLayout
if the fourth parameter is equal to "(forwarded", then the WinAPI function is taken from another dll and we skip such a line.
|%%a|%%b|%%c|%%d
|1657|94|DefDlgProcA|(forwarded to NTDLL.NtdllDialogWndProc_A)
from the contents of the user32.def file we create the file with name user32.lib
Code:
:exit
%masm64_path%bin\link -lib /DEF:%FileName%.def /OUT:%FileName%.lib /MACHINE:X64
the same result can be achieved with the line
Code:
%masm64_path%bin\lib /DEF:%FileName%.def /OUT:%FileName%.lib /MACHINE:X64
move the user32.inc file to the masm64\include directory, and move the user32.lib file to the masm64\lib directory and remove the software garbage
Code:
if exist %FileName%.def del %FileName%.def
if exist %FileName%.exp del %FileName%.exp
if exist %FileName%.txt del %FileName%.txt
I was surprised to find that there is no ExitProcess in kernel32.dll, and no DefWindowProcA in user32.dll; both functions are ported from ntdll.dll (RtlExitUserProcess and NtdllDefWindowProc_A, respectively). Similarly, we dissect user32.dll, kernel32.dll, ntdll.dll, gdi32.dll, comctrl32.dll onwards as needed.
« Last Edit: August 24, 2022, 10:43:51 AM by Mikl__ »
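
The dumpbin-to-.inc/.def procedure from the post above, as an added example that is not part of the original post: it is written in Python rather than batch and finds the export table by its "ordinal hint RVA name" header instead of a fixed skip=16, then classifies rows by the same fourth-word test (empty, a name, or "(forwarded"). The SAMPLE listing is constructed, and parse_exports and render are names chosen here.

```python
# Constructed sample in the shape of the dumpbin /EXPORTS listing quoted in the post.
SAMPLE = """\
Dump of file C:\\Windows\\System32\\user32.dll
  Section contains the following exports for USER32.dll
        1500 ordinal base
    ordinal hint RVA      name
       1502    0 000083C0 ActivateKeyboardLayout
       1657   94          DefDlgProcA (forwarded to NTDLL.NtdllDialogWndProc_A)
       1500      0002B260 [NONAME]
  Summary
        2000 .data
"""

def parse_exports(text):
    """Classify each export row as named, ordinal-only or forwarded."""
    rows, in_table = [], False
    for line in text.splitlines():
        w = line.split()
        if w == ["ordinal", "hint", "RVA", "name"]:
            in_table = True              # find the table by its header, not by line count
        elif in_table and w and w[0] == "Summary":
            break                        # section summary follows the last export
        elif in_table and w and w[0].isdigit():
            if len(w) >= 4 and w[3] == "(forwarded":
                rows.append(("forwarded", int(w[0]), w[2], w[-1].rstrip(")")))
            elif len(w) >= 4:
                rows.append(("named", int(w[0]), w[3], None))
            else:                        # ordinal, RVA, [NONAME]: no fourth word
                rows.append(("ordinal", int(w[0]), None, None))
    return rows

def render(dll, rows):
    """Build the .inc and .def text using the same line shapes as the bat-file."""
    inc, deff = [], ["EXPORTS"]
    for kind, ordinal, name, _target in rows:
        if kind == "forwarded":
            continue                     # the bat-file skips forwarded exports too
        if kind == "ordinal":
            name = f"{dll}_ordinal{ordinal}"
            deff.append(f"{name}=ordinal{ordinal} @{ordinal} NONAME")
        else:
            deff.append(f"{name}=__imp_{name}")
        inc += [f"extern __imp_{name}:qword", f"{name} TEXTEQU <__imp_{name}>"]
    return "\n".join(inc), "\n".join(deff)

if __name__ == "__main__":
    inc_text, def_text = render("user32", parse_exports(SAMPLE))
    print(inc_text, def_text, sep="\n\n")
```

The forwarded rows stay in the parsed list with their target, so they can be listed separately even though they are left out of the generated files.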

learn64bit

Re: Lib- and Inc-files selfhandmake
« Reply #1 on: August 19, 2022, 03:55:58 PM »
I think ".inc" is ok, but ".lib" is an annoying thing, it should not exist, haha!

We can handwrite ".inc", but not ".lib"; below is another way to deal with the ".lib" thing.

makeit.cmd

@echo off
rem \masm64\bin64\polib.exe /LIST user32.lib >a.txt
rem sha1sum:e89fe104a3672f5bd1f47176fdca6f0301416243
rem Edit a.txt to user32.def
\masm64\bin64\polib.exe /machine:x64 /def:kernel32.def /out:kernel32.lib
rem \masm64\bin64\polib.exe /machine:x64 /def:user32.def /out:user32.lib
pause