Tuts 4 You

Scylla as DLL/EXE Version


Aguila


Posted (edited)

I found a solution to create a single binary that works as a DLL and an EXE. I don't know if there are any side effects.

Does somebody have a better solution?

This is the entry point function:

#include <windows.h>
#include <tchar.h>

// CRT initialisation routine of the static CRT (see VC\crt\src\crtdll.c).
extern "C" BOOL WINAPI _CRT_INIT(HINSTANCE HinstDLL, DWORD FdwReason, LPVOID LpReserved);

// One entry point for both cases: acts as DllMain when the image is loaded as a
// DLL and as the process entry point when the image is started as an EXE.
BOOL WINAPI DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    if ((fdwReason == DLL_PROCESS_ATTACH && lpReserved == NULL) || fdwReason == DLL_THREAD_ATTACH)
    {
        // DLL loaded dynamically (LoadLibrary) or a new thread started: initialise the CRT
        if (!_CRT_INIT(hinstDLL, fdwReason, lpReserved))
        {
            return FALSE;
        }
    }
    else if ((fdwReason == DLL_PROCESS_DETACH && lpReserved == NULL) || fdwReason == DLL_THREAD_DETACH)
    {
        // DLL unloaded with FreeLibrary or a thread exited: let the CRT clean up
        if (!_CRT_INIT(hinstDLL, fdwReason, lpReserved))
        {
            return FALSE;
        }
    }
    else
    {
        // EXE file: the process entry point is not called with DllMain arguments,
        // so fdwReason matches none of the reason codes above. Initialise the CRT
        // and hand over to WinMain the way the startup code in crtexe.c does.
        if (!_CRT_INIT(hinstDLL, DLL_PROCESS_ATTACH, 0))
        {
            return FALSE;
        }
        STARTUPINFOW StartupInfo;
        GetStartupInfoW(&StartupInfo);
        return _tWinMain(hinstDLL, 0, 0, StartupInfo.dwFlags & STARTF_USESHOWWINDOW ? StartupInfo.wShowWindow : SW_SHOWDEFAULT);
    }
    return TRUE;
}

Linker option: /ENTRY:"DllEntryPoint"

It is difficult to enable CRT support. Luckily the source code of the normal CRT init methods is available: VC\crt\src\crtexe.c and VC\crt\src\crtdll.c. I hope my workaround works.

You need to change a flag in the PE header to use it as a DLL: File Header -> Characteristics must be 2102 ("File is executable", "File is a dll").

Please test it.

Edited by Aguila
  • Like 2
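An added example (not code from the original post or from Scylla) of the Characteristics change described above: it parses the DOS header and the COFF file header of a PE image, sets IMAGE_FILE_DLL (0x2000) and leaves everything else untouched. The value 2102 in the post is hexadecimal: IMAGE_FILE_DLL (0x2000) | IMAGE_FILE_32BIT_MACHINE (0x0100) | IMAGE_FILE_EXECUTABLE_IMAGE (0x0002). The input used here is a constructed minimal header, not a real Scylla binary; for a real file, read its bytes, call set_dll_flag, and write the result to a new file.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000

# IMAGE_DOS_HEADER.e_lfanew lives at 0x3C. At e_lfanew the 4-byte "PE\0\0"
# signature is followed by the 20-byte IMAGE_FILE_HEADER, whose last field
# (offset 18) is Characteristics.
E_LFANEW_OFFSET = 0x3C
FILE_HEADER_SIZE = 20
CHARACTERISTICS_IN_FILE_HEADER = 18


def _characteristics_offset(image: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.Characteristics after validating both headers."""
    if len(image) < E_LFANEW_OFFSET + 4 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(image):
        raise ValueError("e_lfanew points past the end of the image")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    return e_lfanew + 4 + CHARACTERISTICS_IN_FILE_HEADER


def characteristics(image: bytes) -> int:
    """Read IMAGE_FILE_HEADER.Characteristics (the value a PE editor shows as e.g. 0102 or 2102)."""
    (value,) = struct.unpack_from("<H", image, _characteristics_offset(image))
    return value


def set_dll_flag(image: bytes) -> bytes:
    """Return a copy of the image with IMAGE_FILE_DLL set; the remaining bits are kept."""
    offset = _characteristics_offset(image)
    patched = bytearray(image)
    struct.pack_into("<H", patched, offset, characteristics(image) | IMAGE_FILE_DLL)
    return bytes(patched)


def build_sample_image(chars: int) -> bytes:
    """Constructed minimal header (DOS header + PE signature + file header); not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)  # PE header directly after the DOS header
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, no timestamp, no symbols,
    # no optional header, Characteristics=chars
    file_header = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    exe = build_sample_image(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    print(f"before: {characteristics(exe):04X}  after: {characteristics(set_dll_flag(exe)):04X}")
```

Only the single bit is touched, so the patch is idempotent and the rest of the file header (machine, section count, optional header size) is preserved; a file without an MZ/PE signature is rejected instead of being written blindly.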
Posted

Hi,

Hmmmm, and how do I use the fix functions? I just see 2 dump exports. Also, can you explain the API parameters next time in a normal way [for me], not in programmer style:

push xy

push xy

etc

call xy

So I mean, just add a simple text example. :) Does this exe file Scylla_x86.exe then also work with Win7 as a DLL?

greetz

Posted

Same thing as with any Windows API.

BOOL WINAPI ScyllaDumpCurrentProcessW(const WCHAR * FileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult);

push fileResult

push entrypoint

push imagebase

push FileToDump

call ScyllaDumpCurrentProcessW

cmp eax, 1

JNE ERROR

....

All 32-bit values. FileToDump/fileResult must point to a Unicode string (each char has 2 bytes).

  • 2 weeks later...
Posted (edited)

This was a bad idea. DLL/EXE in one file doesn't work smoothly.

So here you have a separate dll file.


EXPORTS
ScyllaDumpCurrentProcessW @1
ScyllaDumpCurrentProcessA @2
ScyllaDumpProcessW @3
ScyllaDumpProcessA @4
RebuildFileW @5
RebuildFileA @6

W = unicode

A = ANSI

like any windows api.

Edited by Aguila
Posted

Hi Aguila

This is a nice idea ;-)

Can you upload the lib for this dll?

Greets,

Posted (edited)

OK, here you go. I added dynamic libs.


ScyllaDumpCurrentProcessW @1
ScyllaDumpCurrentProcessA @2
ScyllaDumpProcessW @3
ScyllaDumpProcessA @4
ScyllaRebuildFileW @5
ScyllaRebuildFileA @6
ScyllaVersionInformationW @7
ScyllaVersionInformationA @8
ScyllaVersionInformationDword @9

I added 3 new functions for version checking. ScyllaRebuildFile has a new parameter.

Edited by Aguila
Posted

@ Aguila

Can you post some understandable examples? I have tested this...


008E0000 PUSH 0 ; string pointer, this can be 0
008E0002 PUSH 1000000 ; ImageBase
008E0007 PUSH 1000000 ; EP
008E000C PUSH 901FAC ; ASCII "C:\123_dump.exe" ; New file to create or?
008E0011 PUSH 74C ; PID
008E0016 CALL 10003BE0 ; Scylla_x.ScyllaDumpCurrentProcessA
008E001B NOP

So this code crashes, so I am doing something wrong again; that's because you don't post what I need. :)

1. string pointer, this can be 0 = path of the file which is loaded in Olly?

2. imagebase, base of target = the used IB or the PE IB? :)

3. entrypoint = with or without ImageBase? :)

4. string pointer, resulting file = path with new filename?

5. target process PID = dec or hex?

6. What if I want to dump a dll which is loaded with loaddll? Do I then use the same PID as loaddll? In which order do I have to use the APIs?

PS: Or maybe you can create a small exe file which dumps & fixes itself as a new file using your dll file & APIs, so then I can see how to use the APIs correctly. Thanks.

greetz

Posted (edited)

It is very simple logic...


function(a, b, c); /* function call */
-> push the arguments onto the stack in reverse order
push c
push b
push a
call function ; call the function

Actually I don't understand why you don't understand this.

BOOL __stdcall ScyllaDumpCurrentProcessA(const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult);

->

push fileResult

push entrypoint

push imagebase

push fileToDump

call ScyllaDumpCurrentProcessA

->


PUSH 901FAC ; ASCII "C:\123_dump.exe" ; New file to create
PUSH 1000000 ; EP
PUSH 1000000 ; ImageBase
PUSH 0 ; string pointer, this can be 0
CALL 10003BE0 ; Scylla_x.ScyllaDumpCurrentProcessA
NOP

ScyllaDumpCurrentProcess doesn't need a PID; you dump the process in which the Scylla DLL was loaded.

1. always the full path of the file

2. imagebase of the target to dump

3. entrypoint with imagebase

4. full path with new file name for the dump

5. it's always hex in Olly

6. you don't need a PID if you load the Scylla DLL with LoadLibrary/GetProcAddress in the loaddll address space

Edited by Aguila
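An added example (not code from the original posts or from Scylla) of calling the exports from a script instead of hand-written push/call sequences, covering both the prototype given earlier in the thread and the parameter rules in the post above: the entry point is passed as a VA (imagebase + RVA), fileToDump may be NULL, fileResult is a full path, and no PID is needed for the current process. Because the exports are WINAPI (__stdcall), a 32-bit caller must use ctypes.WinDLL, not CDLL; a cdecl call to a stdcall export unbalances the stack and crashes. The DLL file name "Scylla_x86.dll", the RebuildFile parameter list and the RecordingLib stand-in (which lets the wrappers run without the DLL present) are assumptions made for this example.

```python
import ctypes
from ctypes import c_char_p, c_int, c_size_t, c_wchar_p
from typing import Optional

BOOL = c_int          # Win32 BOOL: the exports return 1 on success, 0 on failure
DWORD_PTR = c_size_t  # pointer-sized: 32 bits in Scylla_x86.dll, 64 bits in the x64 build


def load_scylla(path: str):
    """Load the Scylla DLL with the WINAPI (__stdcall) calling convention.

    ctypes.WinDLL exists only on Windows. On 32-bit it tells ctypes that the
    callee cleans the stack, which is what the 'push ..., call' sequences in
    the thread assume; CDLL would treat the exports as cdecl instead. The
    interpreter's bitness must match the DLL (32-bit Python for Scylla_x86.dll).
    """
    loader = getattr(ctypes, "WinDLL", ctypes.CDLL)
    return loader(path)


def bind_exports(lib):
    """Attach the prototypes from the thread to the loaded library object."""
    # BOOL WINAPI ScyllaDumpCurrentProcessW(const WCHAR *fileToDump, DWORD_PTR imagebase,
    #                                        DWORD_PTR entrypoint, const WCHAR *fileResult);
    lib.ScyllaDumpCurrentProcessW.argtypes = [c_wchar_p, DWORD_PTR, DWORD_PTR, c_wchar_p]
    lib.ScyllaDumpCurrentProcessW.restype = BOOL
    # ANSI variant: same layout with const char * strings.
    lib.ScyllaDumpCurrentProcessA.argtypes = [c_char_p, DWORD_PTR, DWORD_PTR, c_char_p]
    lib.ScyllaDumpCurrentProcessA.restype = BOOL
    # Assumption (the thread only shows a four-argument call): the rebuild export is
    # (fileToRebuild, removeDosStub, updatePeHeaderChecksum, createBackup).
    lib.ScyllaRebuildFileW.argtypes = [c_wchar_p, BOOL, BOOL, BOOL]
    lib.ScyllaRebuildFileW.restype = BOOL
    return lib


def dump_current_process(lib, image_base: int, entry_point_rva: int, file_result: str,
                         file_to_dump: Optional[str] = None) -> bool:
    """Dump the module at image_base out of the process that loaded the Scylla DLL.

    No PID is needed; the entry point is passed as a VA (imagebase + RVA),
    fileToDump may be NULL and fileResult is the full path of the file to create.
    """
    entry_point_va = image_base + entry_point_rva
    return lib.ScyllaDumpCurrentProcessW(file_to_dump, image_base, entry_point_va, file_result) != 0


def rebuild_file(lib, path: str, remove_dos_stub: bool = False,
                 update_checksum: bool = False, create_backup: bool = False) -> bool:
    """Run the (assumed) rebuild export on a dumped file and report success."""
    return lib.ScyllaRebuildFileW(path, int(remove_dos_stub), int(update_checksum),
                                  int(create_backup)) != 0


class RecordingLib:
    """Stand-in for a loaded DLL so the wrappers can run offline: records each call, returns TRUE."""

    def __init__(self):
        self.calls = []
        for name in ("ScyllaDumpCurrentProcessW", "ScyllaDumpCurrentProcessA", "ScyllaRebuildFileW"):
            setattr(self, name, self._export(name))

    def _export(self, name):
        def export(*args):
            self.calls.append((name,) + args)
            return 1
        return export  # a plain function, so argtypes/restype can be set on it like on a ctypes export


def example_calls():
    """Replay the notepad dump from the thread (imagebase 0x01000000, EP 0x0100739D) against RecordingLib."""
    lib = bind_exports(RecordingLib())
    dumped = dump_current_process(lib, 0x01000000, 0x739D, r"c:\testdump.exe")
    rebuilt = rebuild_file(lib, r"c:\testdump.exe")
    return dumped, rebuilt, lib.calls


if __name__ == "__main__":
    # Real use on Windows (assumed DLL name): lib = bind_exports(load_scylla("Scylla_x86.dll"))
    print(example_calls())
```

With argtypes declared, ctypes converts the Python str to a wide-character pointer and the integers to pointer-sized values, which is the same stack layout the Olly listing in the thread shows (NULL, imagebase, entry point VA, result path). Check the BOOL result of every call rather than assuming success, as the thread's own zero return from the rebuild export shows.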
Posted

Hi,

OK, I have tested for a while now and I get the dump process working so far.

If you post it in Olly style then don't post it wrong like here!

push fileResult 
push entrypoint
push imagebase
push fileToDump
call ScyllaDumpCurrentProcessA

So this is how it works now:


push fileToDump
push entrypoint
push imagebase
push fileResult / 00
call ScyllaDumpCurrentProcessA

$ ==> > 010073A4 RETURN to notepad.010073A4
$+4 > 00000000
$+8 > 01000000 notepad.01000000
$+C > 0100739D ASCII "QSVj"
$+10 > 00D20000 ASCII "c:\testdump.exe"

OK, so far I can dump the file now. Now I also tried to use the ScyllaRebuildFileA API, but again I don't get it working....


push NewDumpedFileString ; "c:\testdump.exe"
push 0
push 0
push 0
call ScyllaRebuildFileA

...the return result is 00 in eax, so what is wrong here again? Oh, and how can I fix the newly dumped file with the new IAT start & size etc.? There are still open questions for me and it would be nice if you could also create some simple descriptions about all exports etc. [use export xy if you want to do this etc.] and not only post this coder info [why simple if it can be so complicated, right?]. :) Sorry about it, but I am not a coder person. Thanks again so far, of course.

PS: Don't tell me it's not possible to fix the dumped exe/dll files with your dll?

greetz

  • 1 year later...
  • 4 weeks later...
Posted

Hi Aguila,

could you add DLL exports for IAT fixing?

I tried using ImpRec_DLL along with TitanEngine in one of my unpackers, however it doesn't work too well (and the IAT fixing in TE::Importer is broken :/ )

Would be awesome! Thx for the great work so far!
