views: 796 | answers: 2

I have a native C DLL that exports one function besides DllEntryPoint, FuncX. I'm trying to find out how FuncX communicates with its caller, because it has a void return type and no parameters. When I call it from a C# harness, I get an AccessViolationException - Attempted to read or write protected memory.

I have a hunch that its client application may allocate a buffer for sending or receiving values from the DLL. Is this a valid hunch?

I can't debug the client application because for some reason it doesn't run, so I can't start it and attach to the process. I can, however, disassemble it in IDA Pro, but don't know how to, if I can, try and debug it in there.

+1  A: 

If the DLL in question has any static or global symbols, it's possible that all communication is done via those symbols. Do you have any API code that looks like it might be doing this?

It is unlikely that the DLL is using a client supplied buffer, as both client and server would need to know the base address of that buffer, and you can't ask calloc or malloc for a "preferred" address at call time.

You might also try running link /dump /symbols and point it at your DLL. That will show you the list of exported symbols in your DLL. Good luck!

Mike
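The "communication through global symbols" contract this answer describes, as an added example (not code from the question, the answers, or the DLL in question): a void, parameterless FuncX that reads its input and writes its output through globals the client is expected to set up first. The names g_buffer, g_buflen, g_last_err and the harness functions are hypothetical, and the "DLL" and "client" live in one file so the example runs on any platform; on Windows the shared variables would be marked __declspec(dllexport) and would appear alongside FuncX in `dumpbin /exports`.

```c
/* Added example (not from the question or answers): models a DLL whose only
 * exported function is void FuncX(void) and which talks to its caller through
 * global symbols. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* "Exported" state shared by DLL and client. A real DLL would export these
 * with __declspec(dllexport); a client would import them or fetch their
 * addresses with GetProcAddress. */
char  *g_buffer   = NULL;   /* client-supplied output buffer */
size_t g_buflen   = 0;      /* its size in bytes */
int    g_last_err = 0;      /* 0 = ok, 1 = buffer not set, 2 = buffer too small */

void FuncX(void)
{
    const char payload[] = "hello from FuncX";

    /* A DLL that skipped this check would dereference NULL here: that is
     * the kind of fault a harness sees as AccessViolationException when it
     * calls FuncX without first setting up the shared state. */
    if (g_buffer == NULL) { g_last_err = 1; return; }
    if (g_buflen < sizeof payload) { g_last_err = 2; return; }

    memcpy(g_buffer, payload, sizeof payload);
    g_last_err = 0;
}

/* Harness that calls FuncX with no shared state prepared. Returns g_last_err. */
int harness_uninitialised(void)
{
    g_buffer = NULL;
    g_buflen = 0;
    FuncX();
    return g_last_err;
}

/* Harness that honours the global contract first, then calls FuncX and
 * copies the result into out. Returns g_last_err. */
int harness_initialised(char *out, size_t outlen)
{
    static char shared[64];
    g_buffer = shared;
    g_buflen = sizeof shared;
    FuncX();
    if (g_last_err == 0 && out != NULL)
        snprintf(out, outlen, "%s", shared);
    return g_last_err;
}

int main(void)
{
    char result[64] = "";
    printf("no setup:   err=%d\n", harness_uninitialised());
    printf("with setup: err=%d, buffer=\"%s\"\n",
           harness_initialised(result, sizeof result), result);
    return 0;
}
```

The point for the C# harness is that a void/no-argument export is not necessarily self-contained: if the DLL exports data symbols as well as FuncX, the harness has to locate and populate them (for example via GetProcAddress on the data symbol) before the call, or the first dereference inside FuncX faults.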
A: 

I would try loading the DLL itself into IDA Pro. Hopefully C# preserves the native call stack, and you can look at the code around where the DLL crashes.

Side note: the Decompiler plugin is pretty awesome.

zildjohn01
I'm only on page 20 or so of a 300 page tutorial on IDA Pro, and have ordered a 600 page book, but for now, how would I load the DLL in IDA Pro and still call it from C#? I'm checking out the Decompiler plug-in, thanks.
ProfK
Ouch, my eyes have seen the price of the decompiler. At current exchange rates that's three times my house payment! Probably a worthy investment if I get more reverse engineering work.
ProfK
Don't know, I've never IDA'd much myself. Only seen it used at my old job. But when you get the crash, take a look in the AccessViolationException and see if you can find a memory address. I do know you can jump straight to a memory address and see what's there. Maybe that will get you started.
zildjohn01