fancycode / MemoryModule

Library to load a DLL from memory.
http://www.joachim-bauch.de/tutorials/loading-a-dll-from-memory/
Mozilla Public License 2.0

Trying any Function from ntdll.dll crashes without error message. #85

Open Hansbald opened 6 years ago

Hansbald commented 6 years ago

No matter what function I tried it always crashes without any error message. It says the DLL got loaded fine, and the function loaded fine too, but when executed it just crashes.

My code for reading DLL into memory:

```cpp
// Backslashes must be escaped in a C string literal ("\ntdll" would otherwise contain a newline).
HANDLE hFile = CreateFileA("C:\\Windows\\SysWOW64\\ntdll.dll", GENERIC_READ, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if (hFile == INVALID_HANDLE_VALUE) { // CreateFile signals failure with INVALID_HANDLE_VALUE, not NULL
    printf("Error opening file: %lu", GetLastError());
    return 0;
}
DWORD dwSize = GetFileSize(hFile, 0);
printf("Size: %lu : %lu\n", dwSize, GetLastError());

BYTE* buff = new BYTE[dwSize];
DWORD dwRead = 0; // lpNumberOfBytesRead may only be NULL for overlapped I/O
if (ReadFile(hFile, buff, dwSize, &dwRead, 0) == FALSE) {
    printf("Error reading file: %lu", GetLastError());
    return 0;
}
CloseHandle(hFile);
```

Typedef for the function: `typedef NTSTATUS(__stdcall* tdNtTerminateProcess)(HANDLE ProcessHandle, NTSTATUS ExitStatus);`

Thanks for the help :)

Elmue commented 4 years ago

It does not make any sense to load ntdll.dll into a running process. Windows automatically loads ntdll.dll into EVERY process as the very first DLL when the process is started. So if you need any function from ntdll.dll, use `GetModuleHandle("ntdll.dll")` and then `GetProcAddress()`.

By the way: why do you specify "SysWOW64" in your path? This is surely wrong. If you run this in a 32-bit process it is not needed. If you run this in a 64-bit process you load the wrong DLL into your process.
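The approach Elmue describes, as an added example that is not part of the thread or of the MemoryModule project: resolve exports from the ntdll.dll the loader has already mapped instead of reading the file from disk, and check the process/OS bitness that decides whether a hand-written SysWOW64 path is even the right image. The helper names (`ntdll_dir_for`, `ntdll_path_is_wrong`, `resolve_ntdll_export`) are mine; `RtlGetVersion` is a real ntdll export used here only as a harmless function to call. The Windows-specific part is compiled under `_WIN32`, the path logic is plain C.

```c
/* Added example, not code from the MemoryModule project or the thread's authors. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>   /* NTSTATUS */
#endif

/* Which ntdll.dll on disk is the one already mapped into a process?
 *  - 64-bit process on 64-bit Windows: System32\ntdll.dll (64-bit image)
 *  - 32-bit process on 64-bit Windows: SysWOW64\ntdll.dll (32-bit image);
 *    opening System32\ntdll.dll from such a process is redirected there anyway
 *  - 32-bit process on 32-bit Windows: System32\ntdll.dll (no SysWOW64 exists) */
const char *ntdll_dir_for(int process_is_64bit, int os_is_64bit)
{
    if (os_is_64bit && !process_is_64bit)
        return "SysWOW64";
    return "System32";
}

/* 1 if a hand-written path names an ntdll image this process cannot use:
 * a 64-bit process pointed at the 32-bit SysWOW64 copy, or a 32-bit OS
 * (which has no SysWOW64 directory at all). */
int ntdll_path_is_wrong(const char *path, int process_is_64bit, int os_is_64bit)
{
    int names_wow64 = strstr(path, "SysWOW64") != NULL;
    return names_wow64 && (process_is_64bit || !os_is_64bit);
}

#ifdef _WIN32
/* Resolve an export from the ntdll.dll already mapped by the loader.
 * No LoadLibrary, no file read: the module handle is simply looked up. */
FARPROC resolve_ntdll_export(const char *name)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL)
        return NULL;
    return GetProcAddress(ntdll, name);
}

int main(void)
{
    BOOL wow64 = FALSE;
    IsWow64Process(GetCurrentProcess(), &wow64);
    int process_is_64bit = sizeof(void *) == 8;
    int os_is_64bit = process_is_64bit || wow64;

    /* Show where the already-mapped ntdll actually came from on disk. */
    char mapped[MAX_PATH] = "";
    GetModuleFileNameA(GetModuleHandleA("ntdll.dll"), mapped, sizeof mapped);
    printf("ntdll.dll already mapped from: %s\n", mapped);
    printf("expected directory for this process: %s\n",
           ntdll_dir_for(process_is_64bit, os_is_64bit));

    /* The typedef from the question, resolved against the loaded image.
     * Only the address is printed; calling it would end this process. */
    typedef NTSTATUS(NTAPI *tdNtTerminateProcess)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
    tdNtTerminateProcess pNtTerminateProcess =
        (tdNtTerminateProcess)resolve_ntdll_export("NtTerminateProcess");
    printf("NtTerminateProcess resolved at %p\n", (void *)pNtTerminateProcess);

    /* A harmless export to demonstrate that resolved functions are callable. */
    typedef NTSTATUS(NTAPI *tdRtlGetVersion)(PRTL_OSVERSIONINFOW);
    tdRtlGetVersion pRtlGetVersion = (tdRtlGetVersion)resolve_ntdll_export("RtlGetVersion");
    if (pRtlGetVersion != NULL) {
        RTL_OSVERSIONINFOW ver = {0};
        ver.dwOSVersionInfoSize = sizeof ver;
        if (pRtlGetVersion(&ver) == 0)
            printf("RtlGetVersion: %lu.%lu build %lu\n",
                   ver.dwMajorVersion, ver.dwMinorVersion, ver.dwBuildNumber);
    }
    return 0;
}
#endif
```

Build as a 64-bit and as a 32-bit binary and compare the printed module path: the 32-bit build on 64-bit Windows reports SysWOW64, the 64-bit build reports System32, which is exactly why a fixed SysWOW64 path is only ever correct for the former.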