How to call an exported function?
MasterSoft24 opened this issue · 7 comments
Hi! How could I call an exported function from the program that injects the DLL?
Map the DLL with its headers, parse the export directory to get the address of said function, then execute it using some shellcode in the context of the process.
Whilst the library has the functionality to do this internally (and does do this during the mapping process,) I didn't make it public to avoid bloating the public interface.
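The steps in the answer above (look the export up by name in the mapped image's export directory, add the module base, hand that address to the execution step), as an added example in Python that is not code from the original thread or from the mapping library being discussed. The PE32+ image it parses is constructed inline so the script runs offline: the DLL name, export names, RVAs and module base in it are made up, while the header and IMAGE_EXPORT_DIRECTORY layout follow the documented PE format. It also covers a caveat the thread does not mention: a forwarded export resolves to a "DLL.Function" string inside the export directory rather than to code, and running a thread at that address is one way to crash the target.

```python
"""Resolve an exported function's RVA from a manually mapped PE image.

Added example, not the mapping library's own code. Because the image is
mapped with its headers (as the answer recommends), RVAs are used directly
as offsets into the image buffer. The sample image is constructed data.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_EXPORT = 0


class ExportError(Exception):
    pass


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def read_cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def export_directory(image):
    """Return (rva, size) of the export data directory of a mapped image."""
    if u16(image, 0) != IMAGE_DOS_SIGNATURE:
        raise ExportError("not a PE image (no MZ header)")
    e_lfanew = u32(image, 0x3C)
    if u32(image, e_lfanew) != IMAGE_NT_SIGNATURE:
        raise ExportError("bad NT signature")
    opt = e_lfanew + 4 + 20                    # IMAGE_FILE_HEADER is 20 bytes
    magic = u16(image, opt)
    # DataDirectory starts at offset 96 (PE32) or 112 (PE32+) of the optional header
    dir_base = opt + (112 if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC else 96)
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT
    rva, size = u32(image, entry), u32(image, entry + 4)
    if rva == 0 or size == 0:
        raise ExportError("image has no export directory")
    return rva, size


def resolve_export(image, name):
    """Return the RVA of the export called `name`, refusing forwarders."""
    dir_rva, dir_size = export_directory(image)
    n_names = u32(image, dir_rva + 24)        # NumberOfNames
    funcs = u32(image, dir_rva + 28)          # AddressOfFunctions
    names = u32(image, dir_rva + 32)          # AddressOfNames
    ordinals = u32(image, dir_rva + 36)       # AddressOfNameOrdinals
    for i in range(n_names):
        if read_cstr(image, u32(image, names + 4 * i)) != name:
            continue
        # name-table index -> unbiased ordinal -> function-table index
        ordinal = u16(image, ordinals + 2 * i)
        rva = u32(image, funcs + 4 * ordinal)
        if dir_rva <= rva < dir_rva + dir_size:
            # A forwarder "address" points at a "DLL.Function" string, not code.
            raise ExportError(f"{name} is forwarded to {read_cstr(image, rva)}")
        return rva
    raise ExportError(f"no export named {name}")


def export_address(image, base_address, name):
    """Absolute address to hand to the shellcode / remote-thread step."""
    return base_address + resolve_export(image, name)


def build_sample_image():
    """Construct a minimal PE32+ image with three exports (made-up data)."""
    img = bytearray(0x3000)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    struct.pack_into("<I", img, 0x80, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HH", img, 0x84, 0x8664, 1)           # Machine, NumberOfSections
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    exp = 0x1000                                            # export directory RVA
    funcs, names, ords = exp + 40, exp + 52, exp + 64       # tables after the 40-byte header
    cursor = ords + 6                                       # strings follow the tables

    def put(s):
        nonlocal cursor
        off = cursor
        img[off:off + len(s) + 1] = s.encode() + b"\0"
        cursor += len(s) + 1
        return off

    dll_name = put("sample.dll")
    fwd = put("NTDLL.RtlGetVersion")                        # forwarder target string
    exports = [("Forwarded", fwd), ("Helper", 0x2040), ("MyFunction", 0x2000)]
    for i, (n, rva) in enumerate(exports):                  # names kept sorted, as the spec requires
        struct.pack_into("<I", img, funcs + 4 * i, rva)
        struct.pack_into("<I", img, names + 4 * i, put(n))
        struct.pack_into("<H", img, ords + 2 * i, i)
    # Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames
    struct.pack_into("<IIIIII", img, exp + 12, dll_name, 1, 3, 3, funcs, names)
    struct.pack_into("<I", img, exp + 36, ords)             # AddressOfNameOrdinals
    struct.pack_into("<II", img, opt + 112, exp, cursor - exp)  # export data directory
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print(hex(export_address(image, 0x7FF600000000, "MyFunction")))
    try:
        resolve_export(image, "Forwarded")
    except ExportError as err:
        print(err)
```

The RVA-equals-offset shortcut only holds because the whole image, headers included, is mapped the way the answer describes; on a file read from disk the export tables have to be translated through the section headers first. The forwarder check matters for the crash symptom in this thread: an export that forwards to another DLL has no code of its own to run, so the address must be resolved in the target module instead.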
I do:
```csharp
mapper.MapLibrary();
var baseAddr = mapper.DllBaseAddress;
// Look the export up by name in the mapped image's export directory
ExportedFunction ef = mapper.GetPEImage().ExportDirectory.GetExportedFunction("MyFunction");
// Absolute address = module base + export RVA
mapper._processContext.CallRoutine(baseAddr + ef.RelativeAddress);
```
but it seems that the function does not work and the target process crashes. Maybe I missed something?
Thanks for bringing this to my attention - I was actually just trying to figure out the same thing, as I'm going to push through an update for static TLS data in the next few days and was having issues with shellcode execution.
Basically, it seems I introduced a bug in a commit somewhere down the line that makes the shellcode execution method I'm using unreliable (however, for some odd reason, it still works fine in some cases.)
I will try and get a patch for this out before I do the release (once I figure out what the issue actually is.)
I think I found the issue. You can try the following in your version for the time being.
Change the following:
```csharp
var status = Ntdll.NtCreateThreadEx(out var threadHandle, AccessMask.SpecificRightsAll | AccessMask.StandardRightsAll, IntPtr.Zero, process.SafeHandle, address, IntPtr.Zero, ThreadCreationFlags.HideFromDebugger | ThreadCreationFlags.SkipThreadAttach, 0, 0, 0, IntPtr.Zero);
```
To:
```csharp
var status = Ntdll.NtCreateThreadEx(out var threadHandle, AccessMask.SpecificRightsAll | AccessMask.StandardRightsAll, IntPtr.Zero, process.SafeHandle, address, IntPtr.Zero, 0, 0, 0, 0, IntPtr.Zero);
```
I'm hoping to swap the execution method to something else soon, but that should work on your copy for the time being
You are right. This change has fixed the bug with the target process crash. But my function is still not working. During library mapping I caught an exception in the LoadDependencies procedure. I avoided it with:
```csharp
System.Xml.Linq.XDocument manifest = null; // _peImage.ResourceDirectory.GetManifest();
try
{
    manifest = _peImage.ResourceDirectory.GetManifest();
}
catch { }
var activationContext = new ActivationContext(manifest, _processContext.Process);
```
But I don't know how correct it is.
Can you send me the DLL so I can check that out and do a fix? Discord is Quin#4576
Thank you again. Your fixes for #22 (comment) were really helpful. Problem solved.