1

I created an windows x86 .exe file that I reverse engineer. Imagine I only have the .exe file and I reverse engineered some functions.

The goal is to create a dll that links with this .exe so the dll can call functions of the .exe, let's say the function defined at address 0x401000, let's call it foo. The dll is in the same process memory as the .exe of course (dll hijacking strategy).

Is it possible to code using c or c++ such that the assembly of the dll will call foo using call 0x401000? But then of course relocated such that the relative call is correct.

What I have tried so far is defining const function pointers in C, but that always seems to lead to assembly that does two steps, e.g. call dword ptr [pointer variable] or mov ecx, 0x401000; call ecx. What I would like to see is that machine code instruction 0xE8 is used.

See this example:

// For the result, see https://godbolt.org/z/T6aabn6Wd
void (* const foo)(int b, int c) = (void (* const)(int b, int c)) 0x401000;

#pragma optimize("",off)
int bar(int a, int b) {
    return a * b;
}
#pragma optimize("",on)

int main(int argc, char**argv) {
    int ba = bar(100, 200);
    foo(100, ba);
    return 0;
}

I also tried doing it using inline assembly in a __asm {call foo } block, but that leads to FF 15 00 00 00 00 and not to E8 00 00 00 00.

If I understand the PE file format correctly then a relocation table should make it possible to use E8 since the address location of the .exe is known (assuming image base address 0x400000), but the dll location in virtual memory is unknown at compile time.

Should I generate a custom .obj or .lib based on the .exe? As far as I know a .lib can only be used if the binary actually exports the function, which an .exe file doesn't.

Improve this question
2
  • 2
    You cannot do that. You are asking about cross-module relocation. You basically want to fix up some offset based on the base address of the another module (the executable). The PE way of doing this is an import table, but you can only import from a module with a well-defined name (see this). Nothing, at the PE level, prevents an exe from exporting functions and being loaded like a DLL. If you really need to avoid and indirect call, you must fix up the calls yourself.
    – Margaret Bloom
    Commented Jul 8 at 9:41
  • 1
    I don't think this can be done (for COFF files). What you need here is to get it to do target - $ relocation, i.e. substract dll offset. I think all of the relocation modes only do addition and never substraction. You can forego relocations and make non-relocatable dll pinned somewhere in the address space (hopefully at a free space). Then you should be able to do it, defining function as extern in C file, and then somehow letting linker know this symbol is at absolute location (maybe masm/nasm can embed it in an obj file?).
    – Andrey Turkin
    Commented Jul 8 at 9:46
Related questions
110
Could not load file or assembly 'System.ValueTuple'
111
How does the Import Library work? Details?
4
Given return address, how to get the address of the function?
Load 5 more related questions Show fewer related questions

0

Reset to default

Browse other questions tagged or ask your own question.