rainkin1993 opened this issue 6 years ago (status: Open)
Have you ever loaded a system DLL (user32.dll, ntdll.dll) successfully?
I have played with this as well, but had similar results.
I can try to find some time to take a look. I agree with your sentiment that some part of the loading process is obviously being missed.
You could try loading with the MemoryModule project and see if you have better luck. Their code does a much better job of handling edge cases in the unpacking process. Off the top of my head, delayed imports and TLS callbacks are still missing from sRDI.
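The delayed-import and TLS-callback gaps mentioned in the comment above are the first things an analyst would want to check before guessing why a module misbehaves when it is mapped outside the normal loader path. The Python below is an added example, not code from this thread or from the sRDI or MemoryModule projects: using only the standard library, it parses a PE's data directories and reports whether the image carries base relocations, which TLS callbacks it registers (code that runs before DllMain) and which DLLs it delay-loads. It handles both PE32 and PE32+ and the legacy delay descriptors that store VAs instead of RVAs. `build_sample_pe()` is a constructed minimal PE32 image that exists only so the example runs offline; `loader_features()` takes the raw bytes of any real DLL.

```python
import struct


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (headers are not covered)."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} falls outside every section")


def loader_features(data):
    """Report the loader features a PE file depends on: TLS callbacks (run before
    DllMain), delay-load descriptors (resolved lazily on first call) and whether a
    base-relocation directory exists for loading away from ImageBase."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dd_off, ptr = opt + 96, "<I"
    elif magic == 0x20B:                     # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dd_off, ptr = opt + 112, "<Q"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    psize = struct.calcsize(ptr)
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(16)]
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw, rawsize))

    # Directory 9: IMAGE_TLS_DIRECTORY. AddressOfCallBacks (4th field) holds a VA,
    # so it must be rebased with ImageBase; the callback array is NULL-terminated.
    tls_callbacks = []
    if dirs[9][1]:
        off = _rva_to_offset(sections, dirs[9][0])
        cb_va = struct.unpack_from(ptr, data, off + 3 * psize)[0]
        off = _rva_to_offset(sections, cb_va - image_base) if cb_va else None
        while off is not None and (cb := struct.unpack_from(ptr, data, off)[0]):
            tls_callbacks.append(cb - image_base)
            off += psize

    # Directory 13: array of 32-byte IMAGE_DELAYLOAD_DESCRIPTORs ending in an all-zero
    # entry. Bit 0 of Attributes means the fields are RVAs; legacy descriptors store VAs.
    delay_dlls = []
    if dirs[13][1]:
        off = _rva_to_offset(sections, dirs[13][0])
        while any(desc := struct.unpack_from("<8I", data, off)):
            name_rva = desc[1] if desc[0] & 1 else desc[1] - image_base
            name_off = _rva_to_offset(sections, name_rva)
            delay_dlls.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
            off += 32

    return {
        "is_dll": bool(chars & 0x2000),
        "has_relocations": dirs[5][1] > 0,
        "tls_callbacks": tls_callbacks,
        "delay_loaded_dlls": delay_dlls,
    }


def build_sample_pe():
    """Constructed input for this example: a minimal PE32 DLL with one section
    holding a TLS directory (two callbacks) and one delay-load descriptor."""
    image_base, sec_va, sec_raw, sec_size = 0x10000000, 0x1000, 0x200, 0x200
    tls_rva, cb_rva, delay_rva, name_rva = 0x1000, 0x1020, 0x1040, 0x1080
    section = bytearray(sec_size)
    struct.pack_into("<6I", section, tls_rva - sec_va, 0, 0, 0, image_base + cb_rva, 0, 0)
    struct.pack_into("<3I", section, cb_rva - sec_va, image_base + 0x1100, image_base + 0x1200, 0)
    struct.pack_into("<8I", section, delay_rva - sec_va, 1, name_rva, 0, 0, 0, 0, 0, 0)
    section[name_rva - sec_va:name_rva - sec_va + 13] = b"ADVAPI32.dll\0"
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 96 + 8 * 9, tls_rva, 24)               # TLS directory
    struct.pack_into("<II", opt, 96 + 8 * 13, delay_rva, 64)            # delay-import directory
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", sec_size, sec_va, sec_size, sec_raw,
                          0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec_hdr).ljust(sec_raw, b"\0")
    return bytes(headers + section)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in loader_features(data).items():
        print(f"{key}: {value}")
```

Run it with a DLL path as the only argument (for instance the SysWOW64 user32.dll from this issue) to see what the constructed sample cannot show; with no argument it inspects the built-in sample. A non-empty `tls_callbacks` list or `delay_loaded_dlls` list means the module expects the loader to do work that a minimal mapper never performs, which is a plausible reason for the crashes discussed here.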
Ah, I first tried MemoryModule, but it also failed, with different error messages.
It seems that totally simulating the process of loading system DLLs is very difficult.
Interesting results. I might assume there is a class of core system DLLs (kernel32, user32, ntdll, etc.) which have special handling to deny loading multiple instances in one process.
Other Microsoft DLLs like urlmon, gdi, etc. might not have this special handling and therefore might give better results. Going to do some digging to try and find out more.
The PE load process is well documented, but I can't shake the feeling that Microsoft has some special handling that doesn't conform to well-known standards.
Adding an interesting note here, kernel32.dll appears to load and run fine for those wondering.
I can validate the failure of user32 and the crash from urlmon. Looking through ReactOS and online material, my guess for the user32 failure is the relation to GDI. Potentially something about GDI heaps being allocated and mapped in the PEB.
Environment: Win10 1709
DLL: C:\Windows\SysWOW64\user32.dll
python Python\ConvertToShellcode.py user32.dll
to convert user32.dll to user32.bin. Then I changed the code in Native\Loader.cpp to call the API MessageBoxA after loading user32.dll, and compiled the Native project with Visual Studio 2015 (Debug, x86).
```cpp
#include <windows.h>
// Function-pointer type for MessageBoxA, resolved from the reflectively loaded user32.dll
typedef int (WINAPI *MyMessageBoxA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
```