views: 152

answers: 1

Hi to all. In a Portable Executable we can change the imported DLL name by editing the PE file. Here I had changed one imported DLL name of an application exe, and at that time it changed normally, e.g. advapi32.dll to ^dvapi32.dll. So system32 or any other PATH location doesn't have ^dvapi32.dll; this time I simply renamed the real advapi32.dll to ^dvapi32.dll and put it in the application directory, and this time it works fine. But when I am trying with ntdll & gdi32.dll, it isn't supported; I can't resolve the problem. Please help me with the problem. Thanks.

+1  A: 

System DLLs like GDI32.DLL are loaded into memory when Windows starts, as they provide essential Windows OS functions (in this case, graphical functions). Some DLLs are built with a fixed ImageBase (I suspect this applies to the most essential system DLLs, e.g. KERNEL32.DLL, GDI32.DLL, USER32.DLL), and copying and renaming this type of DLL and referencing the copy will not work, not without modifying its ImageBase in the PE header.

This occurs because they will attempt to load themselves into the memory specified by ImageBase and fail, since that particular memory location is already occupied by the original DLL that is already in memory, and their fixed ImageBase prevents them from loading at alternative memory locations. DLLs without a fixed ImageBase will be relocated by Windows to another memory location and run without problems.

If the ImageBase of the DLL copy is changed to a different value, DLLs with a fixed ImageBase will work properly, provided that the memory location pointed to by ImageBase is unoccupied.

While I have tested this approach successfully on a copy of Notepad on Windows XP, changing the imported DLL names and the ImageBases of the DLL copies, I STRONGLY DISCOURAGE fiddling with imports and tampering with Windows system DLLs in this manner.

Mr Roys
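The mechanism the answer describes can be read straight out of the PE headers. The script below is an added example, not code from the original post or from any PE editor it mentions: it constructs two minimal PE32 DLL images in memory (constructed test data, not real Windows files), reads ImageBase, decides whether the loader has relocation data to move the image (the "fixed ImageBase" case is the RELOCS_STRIPPED flag plus an empty base-relocation directory), lists the imported DLL names, and rewrites ImageBase the way a hex editor would. The offsets are the documented PE32 layout; the sample base address is the GDI32 value quoted in this thread.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit: relocation info removed
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in (Vista and later; absent on XP)
DIR_IMPORT, DIR_BASERELOC = 1, 5                # DataDirectory indices


def build_sample_dll(image_base, relocs_stripped):
    """Constructed minimal PE32 DLL (test data, not a real Windows file): one .rdata
    section with an import table naming ADVAPI32.dll and GDI32.dll, nothing executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> "PE\0\0"
    chars = 0x2102                                               # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    if relocs_stripped:
        chars |= IMAGE_FILE_RELOCS_STRIPPED
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)  # i386, 1 section, PE32 opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)                  # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IMPORT, 0x1000, 60)
    if not relocs_stripped:                                      # placeholder base-relocation directory
        struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, 0x1100, 8)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x40000040)                   # INITIALIZED_DATA | MEM_READ
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    rdata = bytearray(0x200)                                     # RVA 0x1000.., file offset 0x200..
    for i, name_rva in enumerate((0x1040, 0x1050)):             # two IMAGE_IMPORT_DESCRIPTORs + zero terminator
        struct.pack_into("<IIIII", rdata, 20 * i, 0x1080, 0, 0, name_rva, 0x1080)
    rdata[0x40:0x4D] = b"ADVAPI32.dll\0"
    rdata[0x50:0x5A] = b"GDI32.dll\0"
    return bytes(headers + rdata)


def parse_pe(data):
    """Header facts the answer reasons about, plus the imported DLL names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]

    def rva_to_offset(rva):          # map a virtual address to its file offset via the section table
        for _name, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%X is not backed by any section" % rva)

    imports = []
    if len(dirs) > DIR_IMPORT and dirs[DIR_IMPORT][0]:
        off = rva_to_offset(dirs[DIR_IMPORT][0])
        while off + 20 <= len(data):
            name_rva = struct.unpack_from("<I", data, off + 12)[0]   # IMAGE_IMPORT_DESCRIPTOR.Name
            if name_rva == 0:                                         # all-zero descriptor ends the list
                break
            noff = rva_to_offset(name_rva)
            imports.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
            off += 20
    return {
        "image_base": image_base,
        "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "reloc_dir_size": dirs[DIR_BASERELOC][1] if len(dirs) > DIR_BASERELOC else 0,
        "imports": imports,
    }


def can_relocate(info):
    """False means a fixed ImageBase in the answer's sense: with no relocation data the
    loader can only map the image at ImageBase and fails if that range is already taken."""
    return not info["relocs_stripped"] and info["reloc_dir_size"] > 0


def patch_image_base(data, new_base):
    """Copy of the image with ImageBase rewritten (the StudPE / hex-editor edit from the
    answer). The optional-header CheckSum is left stale; Windows validates it only for
    drivers and DLLs loaded at boot or into critical system processes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    out = bytearray(data)
    struct.pack_into("<I", out, pe + 24 + 28, new_base)
    return bytes(out)


if __name__ == "__main__":
    fixed = build_sample_dll(0x77F10000, relocs_stripped=True)   # GDI32 base quoted in the thread
    info = parse_pe(fixed)
    print("ImageBase 0x%08X relocatable=%s imports=%s" % (info["image_base"], can_relocate(info), info["imports"]))
    print("after patch: ImageBase 0x%08X" % parse_pe(patch_image_base(fixed, 0x74F10000))["image_base"])
```

Run over a real application's import table, the same `parse_pe` output also makes a renamed import obvious at triage time: an imported name that matches no DLL on the system path is exactly the indicator an analyst looks for when checking whether an executable has been redirected to a DLL planted in its own directory.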
You are correct. Basically it's not a good thing; anyhow I want to know for some research about PE. Thanks a lot for your valuable information. If I change the ImageBase of the renamed DLLs, the application will work fine, isn't it?
Rajakumar
Yes. It's much easier to use a PE editor like StudPE @ http://www.cgsoftlabs.ro/studpe.html to edit the ImageBase of the DLLs, but it can be done with a hex editor.
Mr Roys
OK, another doubt for me: how can I predict which location is unoccupied by system DLLs?
Rajakumar
I randomly changed GDI32's from 77F10000 to something like 74F10000. You'll have to read up on the internals of the particular OS you're working on, as the default ImageBases of Windows DLLs do change across OS versions.
Mr Roys
While changing the imported DLL name only, the Bound Import descriptor needs to be zero. Here, if I change the ImageBase on Win Server 2008, LoadLibrary returns a zero handle. Anyhow we have to know which location is unoccupied by system DLLs. Can you test one condition for me: in any exe where gdi32.dll is present, just change the first letter of the imported DLL (gdi32.dll), make it available in your application dir, and simply run the exe. What will the result be? No need to change the ImageBase.
Rajakumar
You'll get an access violation - 0xC000005. My OS is Win XP.
Mr Roys
Rajakumar
Unless the memory region for certain DLLs is protected ... that's OS internals - not something I know that well, can't help there :(
Mr Roys
OK ... no problem Mr Roys ... thanks for your help regarding this ...
Rajakumar
Hey Rajakumar, I read that some DLLs are built with a fixed ImageBase, meaning that if the location is occupied, it will not load itself into memory at all.
Mr Roys
Yes, you're correct. I also checked it out, and I also found the error value from GetLastError; it also tells about invalid access to memory location when we change the imported DLL name ....
Rajakumar