views:

73

answers:

4

Hi, my exe depends on ntdll, user32 and kernel32. I save these DLLs as local copies and change the first letter to "V". I then edit the exe's import DLL name from kernel32 to Vernel32.dll. The application works fine, loading vernel32.dll from local space. Next I edit the exe's import DLL spec from ntdll to vtdll; the process loads vtdll from local space, runs its code and throws a _stackhash exception on vtdll instructions.

I need this for developing my application to bundle all Windows dependencies. Does anybody have any idea why ntdll can't be run from local space?

+2  A: 

I don't find the idea of "bundling" system DLLs a good one.

First of all, it is illegal to redistribute these DLLs together with your application. Second, you should understand that a DLL can create some global objects, and the usage of two copies of the same DLL (vtdll.dll and ntdll.dll) cannot work. You didn't write how you modified the imports of the DLLs. If you do it on disk it is illegal, and moreover it breaks the signature of the files (open the file properties of any of the DLLs and look at the "Digital Signatures" tab).

If you do want to experiment with different copies of system DLLs, you can better use DLL redirection (see http://msdn.microsoft.com/en-us/library/ms682600.aspx) by creating a file with the name myapp.exe.local, where myapp.exe is the name of your application. It can be necessary to delete some entries from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs to do this. You should understand that your computer will run more slowly after this, and I recommend making such experiments inside a virtual machine which you can easily restore if it no longer boots.

Oleg
Hi Oleg, many thanks for your help. I could not type all the details in the comment window, hence I posted them in the answers window. Could you kindly have a look at the page for me?
Rajakumar
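The three checks Oleg's answer relies on (what is in KnownDLLs, whether a local DLL copy still carries an intact Microsoft signature, and opting the exe into .local redirection) can be scripted. The following is an added example and not code from the thread; the application directory C:\Apps\MyApp and the executable name myapp.exe are assumptions, change them to your own.

```powershell
# Added example (not from the original thread). Lists the KnownDLLs the session
# manager pre-maps into every process, checks whether any DLL copy placed beside
# the application collides with one of them and whether its Authenticode
# signature survived, then drops the myapp.exe.local file that enables DLL redirection.
$AppDir = 'C:\Apps\MyApp'    # assumption: directory holding myapp.exe and the local DLL copies
$ExeName = 'myapp.exe'       # assumption: the redirected application

# 1. KnownDLLs: base names the loader resolves from \KnownDlls instead of the .local dir.
#    The key also holds DllDirectory/DllDirectory32 and PowerShell's own PS* properties; skip those.
$knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$knownNames = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
    Where-Object { $_.Name -notmatch '^(PS|DllDirectory)' } |
    Select-Object -ExpandProperty Value
"KnownDLLs ($($knownNames.Count)):"
$knownNames | Sort-Object | ForEach-Object { "  $_" }

# 2. Local DLL copies: does the name collide with a KnownDLL, and is the file still signed?
#    An untouched Microsoft binary reports 'Valid'; a copy whose bytes were patched on disk
#    (e.g. an edited import name) reports 'HashMismatch'.
Get-ChildItem -Path $AppDir -Filter *.dll | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Dll       = $_.Name
        KnownDll  = [bool]($knownNames -contains $_.Name)   # .local redirection is ignored for these
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Format-Table -AutoSize

# 3. Enable redirection for the application: an empty <exe>.local next to the exe.
$local = Join-Path $AppDir "$ExeName.local"
New-Item -Path $local -ItemType File -Force | Out-Null
"Created $local"
```

Two caveats when reading the output: the registry key is only the seed list, and the \KnownDlls object directory that the loader actually consults also contains the dependencies of those entries (WinObj shows the real list); and on Windows XP SP2 and later the loader ignores .local files entirely when the executable carries an application manifest, so a manifested exe will keep loading from System32 no matter what the script creates.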
A: 

Hi Oleg,

Thanks for the information. It helped me do some research on it.

I am not bundling the DLLs for my own application. I am doing it for existing applications, to provide a Windows cross-platform independence solution.

I tried the DLL redirection technique which you posted, with all applications. It works well with all DLLs except ntdll and user32.dll.

User32.dll: It loads user32.dll from local space only and not from kernel space. I confirmed it. But on executing its instructions, it results in a null address access exception (c0000005) with fault module name StackHash_5964.

ntdll: On booting, the application loads ntdll from system32 and again loads ntdll from local space, which may cause the error as you said (global object sharing violation). This happens only for ntdll and not for user32.dll.

Is there any way we can make it load ntdll once (only from local space) and avoid the errors caused by user32.dll in local space?

Rajakumar
Look at http://www.packetstormsecurity.org/papers/win/intercept_apis_dll_redirection.pdf, which describes how to implement redirection of user32.dll.
Oleg
Did you remove all DLLs (because every DLL has NTDLL.DLL as an indirect dependency) from the KnownDLLs registry key and reboot the computer? Loading a DLL at startup shows that this DLL is mapped into the address space of all applications, and that it is from KnownDLLs or one of its dependencies. You can use WinObj.exe (see http://technet.microsoft.com/en-us/sysinternals/bb896657.aspx) and look at the KnownDLLs folder to see which DLLs are actually KnownDLLs.
Oleg
A: 

I tried the references you sent, and here are the results.

User32.dll

I could not build user32.dll having these functions below: IsThreadDesktopComposited = user33.IsThreadDesktopComposited, User32InitializeImmEntry = user33.User32InitializeImmEntry. It produces a linker error (unresolved external symbol "IsThreadDesktopComposited").

Hence I left out 100 such functions out of the 800 functions in user32.dll. The DLL was finally built. I then placed the DLL in local space along with user33.dll. On running the application, it says the procedure entry points of the 100 missing functions are not found.

Ntdll.dll

I tried removing known DLLs. But the key is inaccessible for modify or delete operations; I can only read it. I am the admin and ran regedit as administrator.

Is it possible to do such implementations for ntdll or user32.dll? I guess I am coming back repeatedly. Thanks for all your help. But if you have any other ways or suggestions, I would be grateful.

Rajakumar
If you are an administrator, you can change the owner of the KnownDLLs key from TrustedInstaller to Administrators and then give Administrators or some other account more permissions on the key. But I recommend doing such experiments on a virtual computer or on a test computer where you can easily restore the original state from an image. Another option: you can modify the KnownDLLs key inside a small Windows Installer setup.
Oleg
Here is one more example of redirection of system DLLs: http://www.ethicalhacker.net/content/view/207/24/
Oleg
Creating empty files like user32.dll.local etc. together with myapp.exe.local can also be helpful.
Oleg
I tried everything, then I realised with the answer below from wj32: all the steps we are performing are to load ntdll and user32.dll. They are already loaded with the .local redirection technique itself. The loaded code, on running, produces the exception; the reason is stated by wj32. I started this to provide downward compatibility (running a Vista app on XP) in Windows. However, that is not possible, because the dependency list is almost the size of the OS; it even requires the session image. Anyhow, nice discussion time, thanks a lot mate.
Rajakumar
A: 

No! You cannot try to replace ntdll. It is mapped by the kernel into every single process, probably before any of your code is even loaded. It has an intricate connection with the kernel. It knows all the correct system call numbers. Try using ntdll from NT 5.1 and it will crash on NT 6.1. ntdll hosts the system call entry and exit code. The kernel-user callback dispatcher code. The thread start function which the kernel knows the address of. The user exception dispatcher. The user APC handler. I could go on, but I won't.

I don't see why you're trying to "bundle" these DLLs with your program. There is no way a Windows install won't have these DLLs. And there's ZERO chance for ntdll.dll, since I don't see how, without the session manager and CSR, you are going to run your program in the first place.

wj32
I could understand your point. Thanks, wj32.
Rajakumar
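What wj32 describes (ntdll mapped by the kernel before any code in the exe runs) and what Rajakumar observed (the system ntdll plus a renamed local copy both present in the process) can be seen directly from the module list of the running process. The following is an added example, not code from the thread; the process name myapp is an assumption, change it to the redirected application.

```powershell
# Added example (not from the original thread). Reports, for a running process:
#   - where ntdll.dll was mapped from (always %SystemRoot%\System32, whatever the import table says),
#   - every module that was loaded from outside System32 (the .local redirected copies),
#   - files that are byte-identical to another loaded module, i.e. the same DLL mapped twice
#     under two names, which is what a renamed local copy such as vtdll.dll next to ntdll.dll looks like.
function Get-RedirectedModuleReport {
    param([Parameter(Mandatory)][string]$ProcessName)   # assumption: 'myapp' below

    $sys32 = Join-Path $env:SystemRoot 'System32'
    $proc  = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1

    # Hash every mapped file so renamed copies of one DLL can be matched by content, not by name.
    $rows = foreach ($m in $proc.Modules) {
        $hash = try { (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash } catch { 'n/a' }
        [pscustomobject]@{
            Module    = $m.ModuleName
            Path      = $m.FileName
            Base      = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
            FromSys32 = $m.FileName.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase)
            Sha256    = $hash
        }
    }

    $ntdll = $rows | Where-Object { $_.Module -ieq 'ntdll.dll' }
    Write-Host "ntdll.dll mapped from: $($ntdll.Path) at $($ntdll.Base)"

    Write-Host "`nModules loaded from outside System32:"
    $rows | Where-Object { -not $_.FromSys32 } | Format-Table Module, Path, Base -AutoSize | Out-String | Write-Host

    Write-Host "Files byte-identical to another loaded module (same DLL mapped twice):"
    $rows | Group-Object Sha256 |
        Where-Object { $_.Count -gt 1 -and $_.Name -ne 'n/a' } |
        ForEach-Object { $_.Group | Format-Table Module, Path, Base -AutoSize | Out-String | Write-Host }

    return $rows
}

$report = Get-RedirectedModuleReport -ProcessName 'myapp'
```

Run it from a PowerShell of the same bitness as the target process (a 64-bit shell cannot enumerate the modules of a 32-bit process reliably), and read the first line before anything else: if ntdll.dll is reported from System32 while a byte-identical vtdll.dll shows up in the duplicate group, the process is carrying two copies of ntdll, and the second one is the copy whose instructions fault.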