How to run a PE image without linking to kernel32.dll and ntdll.dll

I tried to write a PE loader. I first load the executable image and all its dependent DLLs (including kernel32.dll and ntdll.dll) into memory, process the entire import address table, and rewrite all the data that needs relocating.

Then I call each image's EntryPoint in order. I get return code 0 from the ntdll.dll EntryPoint, but kernel32.dll returns 0xC0000000. When I tried to invoke the executable image's EntryPoint, the program crashed.

I know that the Windows system already loads ntdll.dll and kernel32.dll into the process memory when creating the process. My question is how to load another copy of ntdll.dll and kernel32.dll into memory and bind my module to those copies.

I am doing an experiment:

  1. copy ntdll.dll → a.dll
  2. copy kernel32.dll → b.dll
  3. modify the b.dll PE image so that it does not depend on ntdll.dll, but on a.dll
  4. write a simple program a.exe and change the a.exe PE image so that it does not depend on kernel32.dll, but on b.dll
  5. run a.exe; the program crashed

Is it possible to execute a.exe correctly?

This is my first Stack Overflow question, sorry for my poor English. Thanks.

+6
3 answers

I do not think you can do this. AFAIK, the kernel32.dll and ntdll.dll files are not relocatable. That is, MS stripped the relocation information from them, because since they are already loaded into every process, their assigned addresses are always available by design.

So, if you try to load them at another address, well, they will break. You could theoretically try to reconstruct the relocation information for them... but I would not bet on it.

My question in turn is: why can't you use the preloaded kernel32 / ntdll? Why do you feel you need private copies? As I see it, you should treat them as the system API and leave them alone.

+3

In Visual Studio, in the project properties set Linker -> Input -> Ignore All Default Libraries to Yes. Then set C/C++ -> Code Generation -> Basic Runtime Checks to Default (to avoid linking in __RTC_*). Then in Linker -> Advanced -> Entry Point, specify the function in your project that you want called when the program starts.

Build everything, and you should have a program that is not linked against any library, including the C runtime.

0

If you want to use your own version of ntdll.dll (a.dll) in your code, you can read the DLL with ReadFile() and parse the PE structures that will be used in your code. For example: you can parse the export name table, the export ordinal table and the export address table to find pointers to the exported functions and use them in your executable.

0
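The export-table walk this answer describes, as an added example that is not from the original thread: it assumes the image is already mapped so that RVAs equal buffer offsets (as the asker's loader would have after copying sections), and it uses a constructed stand-in for b.dll rather than a real DLL.

```python
import struct

# Walk the export directory of a PE image already laid out the way a loader
# maps it (section RVAs equal buffer offsets). Returns export name -> RVA,
# or -> "Dll.Func" string when the export is forwarded to another DLL.
def parse_exports(image: bytes) -> dict:
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", image, opt)[0]
    dir_off = {0x10B: 96, 0x20B: 112}[magic]  # DataDirectory offset, PE32 / PE32+
    exp_rva, exp_size = struct.unpack_from("<II", image, opt + dir_off)  # entry 0 = exports
    if exp_rva == 0:
        return {}
    *_, n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from(
        "<IIHHIIIIIII", image, exp_rva)  # IMAGE_EXPORT_DIRECTORY, 40 bytes

    def cstr(rva: int) -> str:
        return image[rva:image.index(b"\0", rva)].decode("ascii")

    exports = {}
    for i in range(n_names):
        name = cstr(struct.unpack_from("<I", image, names_rva + 4 * i)[0])
        idx = struct.unpack_from("<H", image, ords_rva + 2 * i)[0]
        if idx >= n_funcs:
            raise ValueError(f"ordinal index {idx} out of range for {name}")
        func_rva = struct.unpack_from("<I", image, funcs_rva + 4 * idx)[0]
        # An RVA inside the export directory is not code: it is a forwarder
        # string such as "NTDLL.Func", to be resolved in the named DLL instead.
        exports[name] = cstr(func_rva) if exp_rva <= func_rva < exp_rva + exp_size else func_rva
    return exports

# Constructed sample: a minimal PE32+ "b.dll" in mapped layout, not a real file.
# It exports Hello (code at RVA 0x1000) and Forwarded (forwarded to a.Forwarded).
def build_sample_image() -> bytes:
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 0, 0, 0, 0, 240, 0x2022)  # file header
    struct.pack_into("<H", img, 0x58, 0x20B)                     # PE32+ magic
    struct.pack_into("<II", img, 0x58 + 112, 0x200, 0x100)       # export dir RVA / size
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0x290, 1, 2, 2, 0x230, 0x240, 0x250)
    struct.pack_into("<II", img, 0x230, 0x1000, 0x260)  # AddressOfFunctions
    struct.pack_into("<II", img, 0x240, 0x270, 0x280)   # AddressOfNames
    struct.pack_into("<HH", img, 0x250, 0, 1)           # AddressOfNameOrdinals
    for rva, s in ((0x260, b"a.Forwarded"), (0x270, b"Hello"), (0x280, b"Forwarded"), (0x290, b"b.dll")):
        img[rva:rva + len(s) + 1] = s + b"\0"
    return bytes(img)
```

Forwarded exports matter for the step of rewriting b.dll to depend on a.dll: kernel32.dll forwards some of its exports to ntdll.dll through a name string in its export directory, not through the import table, so a loader that only patches imports still resolves those entries against the system ntdll.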

Source: https://habr.com/ru/post/897661/
