Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: DLL proxy
PostPosted: 12 Oct 2008 22:34 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have just released a project which had been in a "work in progress" stage for I don't remember how long (tons of months), and I have finally decided to fix the latest bugs and release it:

http://aluigi.org/mytoolz.htm#dllproxyskel

In short it's a small tool for generating the C source code for a DLL proxy which works with any DLL: it just gets all the exported functions and does all the needed "base" stuff (the "skeleton" I refer to in the title of the tool).

DLL proxifying is a typical way to hook system functions without hooking them at runtime, and it is a technique which has many advantages, so having a tool which does all the initial "dirty" work could be useful (at least for me IF I need it one day).

This is the first version and I have written it with compatibility in mind, so no particular compiling options or similar are needed (even -fomit-frame-pointer is supported, through the disabling of the POP EBP work-around).
For the moment only gcc is supported, but if the tool turns out to be "interesting" enough it's a joke to modify its code to add support for other compilers, because the only problem is the assembly instructions which do POP EBP and JMP _original_function, and unfortunately the syntax of inline assembly changes between the various compilers (arghhh).

Feedback, suggestions and criticism are welcome as usual.
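Enumerating a DLL's exports is the first step a skeleton generator like the one above has to perform, and it is also how a defender checks whether a DLL found next to an executable mirrors the export list of the real one it shadows. The following is an added example, not code from the post or from dllproxyskel: it parses the PE export directory with the Python standard library only, and the names pe_exports and build_fixture_pe, as well as the constructed minimal PE image used as input, are assumptions made here.

```python
import struct

def pe_exports(data):
    """Return the names in the export directory of a PE32/PE32+ image given as bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                       # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)                          # data directories: PE32 vs PE32+
    exp_rva = struct.unpack_from("<I", data, dd)[0]                     # directory 0 = exports
    if not exp_rva:
        return []                                                       # image exports nothing at all
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def rva2off(rva):  # map an RVA to a file offset through the section table
        for vsize, va, rsize, rptr in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError("RVA 0x%x outside all sections" % rva)

    ed = struct.unpack_from("<IIHHIIIIIII", data, rva2off(exp_rva))    # IMAGE_EXPORT_DIRECTORY
    nnames, names_rva = ed[7], ed[9]                                    # NumberOfNames, AddressOfNames
    out = []
    for i in range(nnames):
        s = rva2off(struct.unpack_from("<I", data, rva2off(names_rva) + 4 * i)[0])
        out.append(data[s:data.index(b"\0", s)].decode("ascii", "replace"))
    return out

def build_fixture_pe(names, dll_name=b"cgame_mp_x86.dll"):
    """Constructed minimal PE32 fixture (not a real DLL): one section holding an export directory."""
    sec_va, sec_off, n = 0x1000, 0x200, len(names)
    funcs, name_tab = sec_va + 40, sec_va + 40 + 4 * n
    ord_tab, str_rva = name_tab + 4 * n, name_tab + 6 * n
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva + len(strings), 1, n, n, funcs, name_tab, ord_tab)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))   # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + strings + dll_name + b"\0"
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)          # COFF header: 1 section, DLL
    hdr += struct.pack("<H", 0x10B) + b"\0" * 94                               # PE32 magic, rest zeroed
    hdr += struct.pack("<II", sec_va, len(body)) + b"\0" * 120                 # data dir 0 = exports
    hdr += b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_va, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(sec_off, b"\0") + body
```

Running pe_exports over a real file (open(path, "rb").read()) lists its export names the same way; comparing the list of a suspicious copy against the original's is the defender's check.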

 Post subject: Re: DLL proxy
PostPosted: 30 May 2009 12:15 

Joined: 03 May 2009 04:22
Posts: 33
Can you please give a simple example and the source of a proxy DLL?

 Post subject: Re: DLL proxy
PostPosted: 30 May 2009 14:15 

Joined: 03 May 2009 04:22
Posts: 33
I tested your tool but I'm getting many errors.


Code:
test.cpp(56) : error C2010: '.' : inattendu dans la liste de paramètres formels d'une macro
test.cpp(62) : error C2059: erreur de syntaxe : 'type'
test.cpp(62) : error C2059: erreur de syntaxe : 'type'
test.cpp(62) : error C2143: erreur de syntaxe : absence de ';' avant '{'
test.cpp(62) : error C2447: '{' : en-tête de fonction manquant (liste formelle à l'ancien format ?)
test.cpp(63) : error C2059: erreur de syntaxe : 'type'
test.cpp(63) : error C2059: erreur de syntaxe : 'type'
test.cpp(63) : error C2143: erreur de syntaxe : absence de ';' avant '{'
test.cpp(63) : error C2447: '{' : en-tête de fonction manquant (liste formelle à l'ancien format ?)
test.cpp(72) : error C2664: 'GetSystemDirectoryW' : impossible de convertir le paramètre 1 de 'char [260]' en 'LPWSTR'
        Les types pointés n'ont aucun rapport entre eux ; conversion nécessitant reinterpret_cast, cast de style C ou cast de style fonction
test.cpp(76) : error C2664: 'LoadLibraryW' : impossible de convertir le paramètre 1 de 'char [260]' en 'LPCWSTR'
        Les types pointés n'ont aucun rapport entre eux ; conversion nécessitant reinterpret_cast, cast de style C ou cast de style fonction
test.cpp(79) : error C2065: '_dllEntry' : identificateur non déclaré
test.cpp(80) : error C2065: '_vmMain' : identificateur non déclaré

 Post subject: Re: DLL proxy
PostPosted: 30 May 2009 19:17 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
A simple example can be the DLL proxifying of ws2_32.dll (like done by proxocket, which has been created with dllproxyskel):

Code:
dllproxyskel c:\windows\system32\ws2_32.dll
notepad ws2_32.c
uncomment  //   #define _WINSOCK_H
gcc -shared -Wl,--enable-stdcall-fixup -o ws2_32.dll ws2_32.c ws2_32.def

Then, the tool has been written to create source code compatible with gcc/mingw, so it has not been tested with other compilers like VC (the obtained source code must be edited for sure, moreover because the assembly instruction used for POP_EBP is probably not compatible).

 Post subject: Re: DLL proxy
PostPosted: 31 May 2009 08:35 

Joined: 03 May 2009 04:22
Posts: 33
I gave up Visual Studio.
I downloaded MinGW, installed it, and I gave up after I had some troubles with it and after I learnt that the Dev-C++ compiler is based on gcc/mingw (it still gets errors).


I don't think proxifying ws2_32.dll like proxocket does is a short and simple example. Many files, and quite a lot of code (but it works great!).

Since the only game I play is ET and since this board deals with security in online games, I tested your tool on cgame_mp_x86.dll: it found only two exported functions.
But if only two functions are exported, then how does ET.exe find all the other function offsets in cgame_mp_x86.dll??

To make a proxy DLL we need to intercept calls from ET.exe and respond with the function address of the real DLL(?).

So I would like to understand how we intercept these calls in our proxy DLL and how we are supposed to respond (with the function addresses of the real DLL?).

 Post subject: Re: DLL proxy
PostPosted: 31 May 2009 13:56 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ET's cgame_x86.dll indeed exports only 2 functions: dllEntry and vmMain,
because only these 2 functions are used by the Quake 3 engine, since all the various syscalls are obtained from dllEntry.
Anyway, if you need more info it is better if you put "quake dllEntry vmMain" on Google (or look at the source code of the engine or the SDK), because my knowledge about this specific field ends here.

 Post subject: Re: DLL proxy
PostPosted: 01 Jun 2009 18:30 

Joined: 03 May 2009 04:22
Posts: 33
Here are the errors I get with Dev-C++, which uses the MinGW compiler.

Code:
main.cpp In function `BOOL InitInstance()':
71 main.cpp void value not ignored as it ought to be
72: main.cpp void value not ignored as it ought to be
Makefile.win [Build Error]  [main.o] Error 1


Here is the code:

Code:
// code generated by "DLL proxy skeleton generator 0.1.1b", Luigi Auriemma http://aluigi.org
#include <cstdlib>
#include <iostream>

#define DLL_NAME    "cgame_mp_x86.dll"     // the name of the original DLL

// if DLL_PATH is not defined the proxy DLL will automatically retrieve the Windows system32
// folder of the system and will load the DLL in that location
//#define DLL_PATH    "."    // if uncommented will be loaded the DLL in this current location
//#define DLL_PATH    "c:\\windows\\system32"

// if you want to proxify a system DLL remember to disable the header file which already exports those functions
// for example, if you want to proxify wsock32.dll or ws2_32.dll you must uncomment the following lines:
//   #define _WINSOCK_H
//   #define _WINSOCK2_H
// you can find the needed "#define"s in the include header files shown by your compiler when it reports the
// "redeclaration" or "previous declaration" errors (example: winsock.h and winsock2.h)
// if you need one or more specific functions declared in those include files you must redeclare them here

// all the original functions have an additional underscore before their name so, for example,
// the original recv function is _recv and the original one of __myfunc is ___myfunc

// example of a simple recv() hooking using two different types of declarations of the function
// available in this code so you can choose the most comfortable (the resulting code IS the same):
//   #define recv_(X) int (X)(int s, char *buf, int len, int flags)
//   CALL_FUNCTION(recv) {
//       len = _recv(s, buf, len, flags);
//       return(len);
//   }
// or:
//   CALL_FUNCTION2(int, recv, int s, char *buf, int len, int flags) {
//       len = _recv(s, buf, len, flags);
//       return(len);
//   }

// example of compiling: gcc -o ws2_32.dll ws2_32.c -shared ws2_32.def
//#define POP_EBP                               // uncomment if you use -fomit-frame-pointer
#define POP_EBP     __asm__("pop %ebp");     // comment if you use -fomit-frame-pointer



#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define CALLING_CONVENTION WINAPI       // default for Windows DLLs, this IS important
#define PROXY_PROTOTYPE(FUNCTION_NAME) void (FUNCTION_NAME)(void)
#define PROXY_FUNCTION(FUNCTION_NAME) static CALLING_CONVENTION PROXY_PROTOTYPE(*_##FUNCTION_NAME) = NULL;CALLING_CONVENTION PROXY_PROTOTYPE(FUNCTION_NAME) { POP_EBP __asm__("jmp *__"#FUNCTION_NAME);}
#define CALL_FUNCTION(FUNCTION_NAME) static CALLING_CONVENTION FUNCTION_NAME##_(*_##FUNCTION_NAME) = NULL; CALLING_CONVENTION FUNCTION_NAME##_(FUNCTION_NAME)
#define CALL_FUNCTION2(FUNCTION_RET, FUNCTION_NAME, FUNCTION_ARGS ...) static CALLING_CONVENTION FUNCTION_RET (*_##FUNCTION_NAME)(FUNCTION_ARGS) = NULL; CALLING_CONVENTION FUNCTION_RET FUNCTION_NAME(FUNCTION_ARGS)


HMODULE hm = NULL;
PROXY_FUNCTION(dllEntry)
PROXY_FUNCTION(vmMain)

BOOL InitInstance(void) {
    char    winpath[MAX_PATH];

    if(hm) return(TRUE);
#ifdef DLL_PATH
    strcpy(winpath, DLL_PATH);
#else
    GetSystemDirectory(winpath, sizeof(winpath));
#endif
    strcat(winpath, "\\" DLL_NAME);

    hm = LoadLibrary(winpath);
    if(!hm) return(FALSE);

    _dllEntry = (void )GetProcAddress(hm, "dllEntry");
    _vmMain = (void )GetProcAddress(hm, "vmMain");
    return(TRUE);
}

void ExitInstance(void) {
    if(hm) {
        FreeLibrary(hm);
        hm = NULL;
    }
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    switch(fdwReason) {
        case DLL_PROCESS_ATTACH: {
            DisableThreadLibraryCalls(hinstDLL);
            InitInstance();
            break;
        }
        case DLL_PROCESS_DETACH: {
            ExitInstance();
            break;
        }
        default: break;
    }
    return(TRUE);
}

 Post subject: Re: DLL proxy
PostPosted: 02 Jun 2009 11:13 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The error you get is caused by the removal of the '*' char from lines 71 and 72 (void *).

Then, vmMain and dllEntry are not WINAPI/stdcall functions but __cdecl, so you must adjust the CALLING_CONVENTION.

And then, by default the C skeleton built by dllproxyskel says that the original DLL must be loaded from c:\windows\system32, which obviously is not your case, so you must modify DLL_NAME (call it "cgame_mp_x86.dll.original") and uncomment the first DLL_PATH, the one with the dot.
