
How to use UIF.dll?


LCF-AT


Hello,

So I have a small question again and need some help with how to use the UIF.dll directly with pushed parameters. I have read the help file but I don't see a way to use and execute it with some code.

How to use UIF.dll?

int UIF ( LPDWORD ProcID,      // in     : Process ID
          LPDWORD CodeStart,   // in/out : if 0 automode else enter manually
          LPDWORD CodeEnd,     // in/out : if 0 automode else enter manually
          LPDWORD NewIAT,      // in/out : if 0 automode else enter manually
          LPDWORD IATRVA,      // out    : after UIF progress read this (use for Imprec etc)
          LPDWORD IATSize,     // out    : after UIF progress read this (use for Imprec etc)
          LPDWORD NormImports, // out    : after UIF progress read this, Normal Imports Count
          LPDWORD DirImports,  // out    : after UIF progress read this, Direct Imports Count
          bool FixDir          // in     : if True Directly Imports process else just normal imports
        );

Samples coded by: Magic_h2001

VC:

====================================================================================================

#include <stdio.h>
#include <windows.h>
#pragma comment(linker,"/SUBSYSTEM:CONSOLE")

// UIF is a stdcall export: eight DWORD pointers followed by a bool passed by value
typedef int (__stdcall *_UIF)(LPDWORD,LPDWORD,LPDWORD,LPDWORD,LPDWORD,LPDWORD,LPDWORD,LPDWORD,bool);

int main()
{
    _UIF UIF;
    HINSTANCE hInst;
    DWORD ProcID, CodeStart, CodeEnd, NewIAT, IATRVA, IATSize,
          NormImports, DirImports;
    int Result;

    // Load the DLL and resolve the export; stop if either step fails
    hInst = LoadLibraryA("UIF.dll");
    if (hInst == NULL) return 1;
    UIF = (_UIF)GetProcAddress(hInst,"UIF");
    if (UIF == NULL) { FreeLibrary(hInst); return 1; }

    printf("UIF started...\n");
    ProcID=0x1E80;   // process ID of the target
    CodeStart=0;     // 0 = automode
    CodeEnd=0;       // 0 = automode
    NewIAT=0;        // 0 = automode
    IATRVA=0;        // outputs, filled in by UIF
    IATSize=0;
    NormImports=0;
    DirImports=0;
    Result=UIF(&ProcID, &CodeStart, &CodeEnd, &NewIAT, &IATRVA, &IATSize, &NormImports, &DirImports, FALSE);
    switch (Result)
    {
    case 0:printf("Fixing Success...\n"); break;
    case 1:printf("Error! Process ID is invalid or Process is Protected\n"); break;
    case 2:printf("Process Modules Access Error! maybe Process is Protected\n"); break;
    case 3:printf("Error! Virtual Memory is Low or Invalid 'Code Start','Code End'\n"); break;
    case 4:printf("Memory Access Error! 'Code Start' or 'Code End' is Invalid or Process is Protected\n"); break;
    case 5:printf("Memory Access Error! 'New IAT VA' is Invalid or Process is Protected\n"); break;
    case 6:printf("Error: WinNt not Present\n"); break;
    case 7:printf("Info: UIF is in Progress\n"); break;
    case 8:printf("Error in Memory Allocation. Enter 'New IAT VA' Manually\n"); break;
    }
    // DWORD is an unsigned long, hence %lX
    if (Result==0) printf("IATRVA: %lX , IATSize: %lX \n",IATRVA,IATSize);
    FreeLibrary(hInst);
    return Result;
}

Delphi:

====================================================================================================

function UIF( var ProcID, CodeStart, CodeEnd,
                  NewIAT, IATRVA, IATSize,
                  NormImports, DirImports: DWORD;
              FixDir:Bool ): Integer; stdcall; external 'UIF.dll' name 'UIF';

procedure Fixing;
var ProcID, CodeStart, CodeEnd,
    NewIAT, IATRVA, IATSize,
    NormImports, DirImports: DWORD;
    Result1: Integer;
begin
  ProcID:=$1DAC;
  CodeStart:=0;
  CodeEnd:=0;
  NewIAT:=0;
  IATRVA:=0;
  IATSize:=0;
  NormImports:=0;
  DirImports:=0;
  Result1:= UIF(ProcID, CodeStart, CodeEnd, NewIAT, IATRVA, IATSize, NormImports, DirImports, False);
  case Result1 of
    0: ShowMessage('Fixing Success...');
    1: ShowMessage('Error! Process ID is invalid or Process is Protected');
    2: ShowMessage('Process Modules Access Error! maybe Process is Protected');
    3: ShowMessage('Error! Virtual Memory is Low or Invalid ''Code Start'',''Code End''');
    4: ShowMessage('Memory Access Error! ''Code Start'' or ''Code End'' is Invalid or Process is Protected');
    5: ShowMessage('Memory Access Error! ''New IAT VA'' is Invalid or Process is Protected');
    6: ShowMessage('Error: WinNt not Present');
    7: ShowMessage('Info: UIF is in Progress');
    8: ShowMessage('Error in Memory Allocation. Enter ''New IAT VA'' Manually');
  end;
  if Result1 = 0 then ShowMessage(IntToHex(IATRVA,8)+' '+IntToHex(IATSize,8));
end;

VB:

====================================================================================================

' The eight DWORD parameters are passed ByRef (the VB default), which matches LPDWORD.
' FixDir is a by-value bool in the DLL, so it needs ByVal; the C int result is a 32-bit Long.
Private Declare Function UIF Lib "UIF.dll" (ProcID As Long, _
                                            CodeStart As Long, _
                                            CodeEnd As Long, _
                                            NewIAT As Long, _
                                            IATRVA As Long, _
                                            IATSize As Long, _
                                            NormImports As Long, _
                                            DirImports As Long, _
                                            ByVal FixDir As Boolean) As Long

Private Sub Command1_Click()
    ' Each variable needs its own "As Long"; in a shared Dim only the last name gets the type
    Dim ProcID As Long, CodeStart As Long, CodeEnd As Long, NewIAT As Long
    Dim IATRVA As Long, IATSize As Long, NormImports As Long, DirImports As Long
    Dim Result As Long
    ProcID = &H1CC0
    CodeStart = 0
    CodeEnd = 0
    NewIAT = 0
    IATRVA = 0
    IATSize = 0
    NormImports = 0
    DirImports = 0
    Result = UIF(ProcID, CodeStart, CodeEnd, NewIAT, IATRVA, IATSize, NormImports, DirImports, False)
    Select Case Result
        Case 0: MsgBox "Fixing Success..."
        Case 1: MsgBox "Error! Process ID is invalid or Process is Protected"
        Case 2: MsgBox "Process Modules Access Error! maybe Process is Protected"
        Case 3: MsgBox "Error! Virtual Memory is Low or Invalid 'Code Start','Code End'"
        Case 4: MsgBox "Memory Access Error! 'Code Start' or 'Code End' is Invalid or Process is Protected"
        Case 5: MsgBox "Memory Access Error! 'New IAT VA' is Invalid or Process is Protected"
        Case 6: MsgBox "Error: WinNt not Present"
        Case 7: MsgBox "Info: UIF is in Progress"
        Case 8: MsgBox "Error in Memory Allocation. Enter 'New IAT VA' Manually"
    End Select
    If Result = 0 Then MsgBox IATRVA & " " & IATSize
End Sub

So how must the patch look now? You know, something like this I mean...


push PID
push CodeStart
push CodeEnd
push NewIAT
....
push dllname // UIF.dll
call LoadLibraryA

So I wanna use the UIF.dll with Olly script, and I read the PID etc. with the script, so I have the parameters, and now I wanna let it fix | move | etc. | the IAT of my target. So I see no custom API in the UIF.dll where I can push the params + call a custom API which will execute my params. So you know what I mean, right? So I am not a coder person.

So do you know how I can do this now? Or can you read the help file and tell me what and where to push etc.? If you know, then an example would be fine for me. :)

Thank you

Link to comment
Share on other sites

First of all, you should be familiar with x86 calling conventions.

UIF uses stdcall, so you have to call it accordingly.

All parameters are pointers to DWORD (LPDWORD), meaning you push the address of a DWORD that contains/receives a value.

The first three are optional, you can push 0 OR an address of a dword, if you push an address, it must contain code start/end or the new IAT.

Otherwise it tries to find the values automatically (and may fail).

The other params must be addresses; after UIF returns, the dwords contain the needed values.

The last parameter is bool, so either push 1 or 0 depending on whether you want to fix direct imports.

Link to comment
Share on other sites
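
The stdcall rules from the answer above, as an added C model that is not part of the original posts: pointer parameters get the address of a DWORD slot, `FixDir` is pushed as a value, arguments go on the stack right to left, and the callee removes them. `mock_uif`, the slot layout and the output values are constructed stand-ins, not UIF's real behaviour.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model, not the real UIF: a DWORD scratch area in the target,
   a downward-growing stack, and a stand-in callee that reads its arguments
   the way a stdcall function with the UIF prototype would. */
#define MEM_BASE 0x403000u        /* scratch address borrowed from the thread */
static uint32_t mem[16];          /* DWORD slots at MEM_BASE, MEM_BASE+4, ... */
static uint32_t stack[32];
static int sp = 32;               /* index of the stack top */
static uint32_t seen_pid, seen_fixdir;

static uint32_t *slot(uint32_t va) { return &mem[(va - MEM_BASE) / 4]; }
static void push(uint32_t v)       { stack[--sp] = v; }
/* Callee view: [esp] = return address, [esp+4*n] = n-th declared parameter. */
static uint32_t arg(int n)         { return stack[sp + n]; }

static int mock_uif(void) {
    seen_pid    = *slot(arg(1));  /* LPDWORD ProcID: dereferenced */
    seen_fixdir = arg(9) != 0;    /* bool FixDir: the pushed value itself */
    *slot(arg(5)) = 0x2000;       /* IATRVA out (constructed value) */
    *slot(arg(6)) = 0x2BC;        /* IATSize out (constructed value) */
    sp += 1 + 9;                  /* ret 0x24: callee drops ret addr + 9 args */
    return 0;
}

/* Caller side: fill the slots, then push right to left. CodeStart, CodeEnd
   and NewIAT slots hold 0 (automode), as in the help-file samples. */
int call_uif(uint32_t pid, uint32_t fixdir, uint32_t *iat_rva, uint32_t *iat_size) {
    memset(mem, 0, sizeof mem);
    sp = 32;
    *slot(MEM_BASE) = pid;                  /* slot 0 = ProcID */
    push(fixdir);                           /* 9th parameter, by value */
    for (int i = 7; i >= 0; i--)            /* 8th..1st: slot addresses */
        push(MEM_BASE + 4u * (uint32_t)i);
    push(0xDEADBEEFu);                      /* what `call` would push */
    int rc = mock_uif();
    *iat_rva  = *slot(MEM_BASE + 16);       /* slot of the 5th parameter */
    *iat_size = *slot(MEM_BASE + 20);       /* slot of the 6th parameter */
    return rc;
}

int stack_balanced(void)         { return sp == 32; }
uint32_t callee_saw_pid(void)    { return seen_pid; }
uint32_t callee_saw_fixdir(void) { return seen_fixdir; }
```

Passing a slot address in the `FixDir` position, for example `call_uif(0x1E80, MEM_BASE + 32, ...)`, is seen by the callee as true, because that argument is read by value.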

Hi Killboy,

ok, but can you post a quick example from the start, first push xxx till the end? You know, Olly ASM style. So can I push the locations by myself, or do I have to use xy store locations from the dll? Just need one example, you know [MultiASM maybe]. :)

Thanks

Link to comment
Share on other sites

Seriously, it's not that hard. Read up on stdcall, and it should be clear.

This should get you started:

<403000>
@FixDir:
; here should be a dword with value 1 or 0, depending on if you want to fix direct imports
<403004>
@DirImports:
; after UIF returns here will be the number of fixed direct imports
<403008>
; etc. etc. for all params
<403012> ; i just made up the address, you have to calculate it properly
@ProcID:
; etc. etc; fill params
mov [@ProcID], PID
mov [@CodeStart], MyCodeStart
; ...
; and now (go from right to left)
push [@FixDir] ; FixDir is a bool passed by value, so push the dword's contents, not its address
push @DirImports
; .... all other params
call [@UIF]
Link to comment
Share on other sites

Hi Killboy,

ah so. :)

So now I see that there is indeed a custom API in this dll which I need to call.

call @UIF <--- :)

So I did not see or find such an API before. Ok ok, so now I have tested it and it works very well. :) Great.

Thank you so far Killboy

Link to comment
Share on other sites

  • 2 weeks later...

Hi Killboy,

short question again. So I have made some tests with the dll + executed patch and I see some problems. In some cases the DLL + patch works 1A without any problems, and sometimes nothing happens = no IAT fixing redirection to the new location. So all is working if the IAT is small, like 400 bytes, but with an IAT of more than some thousand bytes + many API commands, there it makes trouble. Also in some cases it just fixed a part and the rest is still unfixed. So no problem if I use the UIF.exe tool, but only with the DLL I get this trouble. Hmmm, so do you have any idea where the problem can be? So is the exe tool working in another way than the DLL?

Ok, what I want to do. So first I have the IAT, which is unsorted at the OEP and also to be found in the memory. Now I wanna sort the IAT. I alloc some new space and let the IAT be fixed with UIF.dll, also into a new memsection. After this the IAT is fixed and also sorted and much smaller than before. So now I know the new IAT size, which is now for example 700 bytes, and now I want to move the IAT into the codesection where I have found some free bytes of 700+. Ok, all is working very well with UIF.exe, no problems, and I can redirect the IAT many times from A to B to C and to A again. But the dll makes trouble this way.

Maybe you have an idea where the problem can be + a fix solution for something. So I also see no bad return parameters. Only eax 7 = UIF in progress, if I have read the readme right. So does it mean I still have to wait or something? But the patch is already executed.....?!? Hmmm. Ok, the exe tool needs more time to fix than the dll patch execution. Strange. Maybe you know what the problem can be and you can give me some hint for better using & working with the dll.

Thank you

Link to comment
Share on other sites
