views:

87

answers:

1

Hey guys, I am trying to figure out how I can call a function without it being exported.

Okay, so I have an exe file with "add" defined in it. This exe is a win32 console application and loads a DLL. The DLL also aims to use the add function from the exe file (without exports).

Here is my main win32 console application file:

```c
#include <windows.h>
#include <stdio.h>

#pragma auto_inline ( off )   /* keep add() a real, callable function instead of inlining it */

int add ( int a, int b )
{
    printf( "Adding some ints\n" );
    return a + b;
}

int main ( )
{
    HMODULE module = NULL;

    /* LoadLibraryW explicitly: the name is a wide-string literal */
    if ( (module = LoadLibraryW( L"hook.dll" )) == NULL )
    {
        printf( "Could not load library: %lu\n", GetLastError() );   /* DWORD is unsigned */
        return 0;
    }

    add( 3, 5 );   /* result unused; the listing below shows the compiler folded it to mov eax, 8 */

    FreeLibrary( module );

    return 0;
}
```

Here is code for hook.dll:

```c
#include <windows.h>
#include <stdio.h>
#include <detours.h>

/* Address of add() copied from the IDA listing. add() is not exported, so there is
   no symbol to resolve; this value is only valid if the exe is loaded at the
   preferred image base the disassembler assumed. */
static int (*add) ( int a, int b ) = ( int (*)( int a, int b ) ) 0x401000;

/* Replacement: after DetourAttach, 'add' points at a trampoline to the original code */
int Detoured_add ( int a, int b )
{
    return add( a, b );
}

BOOL WINAPI DllMain ( HINSTANCE hDll, DWORD reason, LPVOID reserved )
{
    if ( reason == DLL_PROCESS_ATTACH )
    {
        DetourTransactionBegin();
        DetourAttach( (PVOID*) &add, Detoured_add );
        DetourTransactionCommit();
    }
    else if ( reason == DLL_PROCESS_DETACH )
    {
        DetourTransactionBegin();
        DetourDetach( (PVOID*) &add, Detoured_add );
        DetourTransactionCommit();
    }

    return TRUE;
}
```

I disassembled my win32 console application to find the address of the add function:

```
.text:00401000 ; =============== S U B R O U T I N E =======================================
.text:00401000
.text:00401000
.text:00401000 sub_401000      proc near               ; CODE XREF: sub_401020:loc_40104Bp
.text:00401000                 push    offset aAddingSomeInts ; "Adding some ints\n"
.text:00401005                 call    ds:printf
.text:0040100B                 add     esp, 4
.text:0040100E                 mov     eax, 8
.text:00401013                 retn
.text:00401013 sub_401000      endp
```

The problem is that when I call LoadLibrary, it returns 998, which I believe is the error code for an access violation. I guess this makes sense, though, as that memory area is probably protected.

Any tips?

(Also, the disassembler I used is IDA Pro free version, and the Detours library is provided by Microsoft.)

+1  A: 

Modules are relocated as they are loaded. You should find the base address of the loaded module and relocate the address yourself. Also, you could use the DebugHelp library to retrieve the function address by symbolic name instead of hard-coding it.

zvrba
+1 I suppose DebugHelp can be used. You have to compile the module with debug information though.
Alexandre Jasmin
I found out that putting in the raw hex value from disassembling it as a function pointer can work, but not with win32 console applications. Windows DEP blocks it. So:

```c
int (*add)( int a, int b ) = ( int (*)(int,int) ) 0x2329381; // some value
```

This seems to work fine if it's just from the main executable; however, if it's from an external module that the main executable uses, I think this will work:

```c
HMODULE handle = GetModuleHandleA("another.dll");
int (*add)( int a, int b ) = ( int (*)(int,int) )( (DWORD)handle + (DWORD)0x2329381 );
```
Tr41n
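An added example, not code from the question or from zvrba's answer, showing the arithmetic the answer describes. IDA printed 0x401000 assuming the image's preferred ImageBase from the PE optional header; the quantity that survives relocation is the RVA (VA minus ImageBase), which is added to the base the loader actually chose, not the absolute VA. The same header walk also reads the DllCharacteristics DYNAMIC_BASE flag, which tells you whether the image has opted into ASLR relocation at all. The PE image is constructed in memory (headers only, offsets from the PE/COFF spec) so the code compiles and runs off Windows; on Windows the actual base would come from GetModuleHandle(NULL). All function and type names are mine.

```c
/* Added example: recover ImageBase from PE headers, convert a listing VA to an RVA,
 * and rebase it onto the address the loader used. Sample image is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

typedef struct {
    uint64_t image_base;   /* preferred load address from the optional header */
    int      is_pe32plus;  /* 1 for a 64-bit (PE32+) image */
    int      dynamic_base; /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040): ASLR may move it */
} pe_info;

/* Little-endian readers: never cast the buffer to a struct (alignment, padding). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* DOS header -> "PE\0\0" -> COFF header -> optional header, every read bounds-checked.
 * Returns 0 on success, -1 if the headers are malformed or truncated. */
int pe_parse_headers(const uint8_t *img, size_t len, pe_info *out)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt_off = rd32(img + 0x3C);                    /* e_lfanew */
    if (nt_off > len || len - nt_off < 24 + 72) return -1;  /* sig(4)+COFF(20)+fields we read(72) */
    const uint8_t *nt = img + nt_off;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    if (rd16(nt + 20) < 72) return -1;                     /* SizeOfOptionalHeader too small */
    const uint8_t *opt = nt + 24;
    uint16_t magic = rd16(opt);
    if (magic == 0x10B) {                                  /* PE32: ImageBase is a DWORD at +28 */
        out->is_pe32plus = 0;
        out->image_base = rd32(opt + 28);
    } else if (magic == 0x20B) {                           /* PE32+: ImageBase is a QWORD at +24 */
        out->is_pe32plus = 1;
        out->image_base = rd64(opt + 24);
    } else {
        return -1;
    }
    out->dynamic_base = (rd16(opt + 70) & 0x0040) != 0;    /* DllCharacteristics sits at +70 in both */
    return 0;
}

/* A listing VA assumes the preferred ImageBase; the module-relative RVA is what survives
 * relocation. Fails if va lies below the image base or does not fit in 32 bits. */
int pe_va_to_rva(uint64_t image_base, uint64_t va, uint32_t *rva)
{
    if (va < image_base || va - image_base > 0xFFFFFFFFu) return -1;
    *rva = (uint32_t)(va - image_base);
    return 0;
}

/* Rebase onto the address the loader chose (GetModuleHandle(NULL) on Windows). */
uint64_t pe_rebase(uint64_t actual_base, uint32_t rva) { return actual_base + rva; }

/* Whole pipeline. Returns 0 when the headers are malformed or va is out of range. */
uint64_t pe_rebase_va(const uint8_t *img, size_t len, uint64_t va, uint64_t actual_base)
{
    pe_info info; uint32_t rva;
    if (pe_parse_headers(img, len, &info) != 0) return 0;
    if (pe_va_to_rva(info.image_base, va, &rva) != 0) return 0;
    return pe_rebase(actual_base, rva);
}

/* ---- constructed sample: just enough PE32 header for the fields read above ---- */
#define SAMPLE_PE_LEN 160
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v & 0xFFFF)); put16(p + 2, (uint16_t)(v >> 16)); }

void build_sample_pe32(uint8_t buf[SAMPLE_PE_LEN], uint32_t image_base, int aslr_capable)
{
    memset(buf, 0, SAMPLE_PE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    put32(buf + 0x3C, 0x40);               /* e_lfanew: NT headers at offset 64 */
    uint8_t *nt = buf + 0x40;
    memcpy(nt, "PE\0\0", 4);
    put16(nt + 4, 0x014C);                 /* Machine: IMAGE_FILE_MACHINE_I386 */
    put16(nt + 20, 224);                   /* SizeOfOptionalHeader for PE32 */
    uint8_t *opt = nt + 24;
    put16(opt, 0x10B);                     /* Magic: PE32 */
    put32(opt + 28, image_base);
    put16(opt + 70, aslr_capable ? 0x0040 : 0);
}

/* The question's VA 0x401000 against a sample image whose ImageBase is 0x400000. */
uint64_t sample_rebase(uint64_t actual_base)
{
    uint8_t img[SAMPLE_PE_LEN];
    build_sample_pe32(img, 0x400000, 1);
    return pe_rebase_va(img, sizeof img, 0x401000, actual_base);
}
int sample_dynamic_base(int aslr_capable)
{
    uint8_t img[SAMPLE_PE_LEN]; pe_info info;
    build_sample_pe32(img, 0x400000, aslr_capable);
    return pe_parse_headers(img, sizeof img, &info) == 0 ? info.dynamic_base : -1;
}

int main(void)
{
    printf("loaded at 0x400000  -> add at 0x%" PRIx64 "\n", sample_rebase(0x400000));
    printf("loaded at 0x10a0000 -> add at 0x%" PRIx64 "\n", sample_rebase(0x10a0000));
    printf("image opts into ASLR: %d\n", sample_dynamic_base(1));
    return 0;
}
```

With the image at its preferred base the result is the familiar 0x401000; at any other base only the RVA 0x1000 is stable. Rebasing is the whole difference: if the pointer handed to DetourAttach does not point at the function, Detours patches whatever bytes happen to be there, and an access violation raised inside DllMain surfaces from LoadLibrary as error 998, ERROR_NOACCESS (the Win32 mapping of STATUS_ACCESS_VIOLATION), which is consistent with the symptom in the question.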