jumper (Author), Posted April 6, 2012

> Sorry to still be confused, I thought "small" DLL's patched by 'fwd' did work?...
> BTW, the checksum error in "Dependency Walker" did not occur when I used 'IPStub.dll' as the base DLL, with forwarding to 'netapi32.dll'.

Well, they should. But so far there have been no reports of success. IPstub.dll did not have the checksum set, so modding the file goes undetected.

fwd.03 is now posted--it updates the Link Checksum after all forwarders are added. It will also correct the Link Checksum for any PE file! See post #1 for details.

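
The three checksum states that come up in the post above (never set, corrected, and stale after a modification), as an added example that is not part of the thread and is not fwd's code. It assumes the standard PE CheckSum (16-bit word sum with carry folding, plus file length); the function names and the 512-byte sample buffer are constructed for illustration.

```python
import struct

def checksum_offset(data: bytes) -> int:
    """File offset of the optional header's CheckSum field (same in PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64  # signature + COFF header + offset in optional header

def compute_checksum(data: bytes) -> int:
    """Fold-with-carry sum of 16-bit words (CheckSum field read as 0) plus file length."""
    off = checksum_offset(data)
    buf = data[:off] + b"\0\0\0\0" + data[off + 4:]
    if len(buf) % 2:
        buf += b"\0"  # pad an odd-length file to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def checksum_status(data: bytes) -> str:
    """'unset' (field is 0), 'valid', or 'stale' (file changed after the field was written)."""
    (stored,) = struct.unpack_from("<I", data, checksum_offset(data))
    if stored == 0:
        return "unset"
    return "valid" if stored == compute_checksum(data) else "stale"

def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the CheckSum field rewritten to the computed value."""
    off = checksum_offset(data)
    return data[:off] + struct.pack("<I", compute_checksum(data)) + data[off + 4:]

def sample_image() -> bytes:
    """Constructed buffer holding only the fields this example reads; not a loadable DLL."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    img[0x100:0x110] = b"NETAPI32.Netbios"  # stands in for a forwarder string
    return bytes(img)
```

A file reporting `unset` can be edited without any checksum mismatch appearing, which matches the IPstub.dll observation; a file reporting `stale` was edited after its checksum was written.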
jds, Posted April 17, 2012

> > Sorry to still be confused, I thought "small" DLL's patched by 'fwd' did work?...
> > BTW, the checksum error in "Dependency Walker" did not occur when I used 'IPStub.dll' as the base DLL, with forwarding to 'netapi32.dll'.
>
> Well, they should. But so far there have been no reports of success. IPstub.dll did not have the checksum set, so modding the file goes undetected.
>
> fwd.03 is now posted--it updates the Link Checksum after all forwarders are added. It will also correct the Link Checksum for any PE file! See post #1 for details.

Yeah, something must be wrong. I finally managed to get SAP GUI for Java to work by stubbing both 'netapi32.dll' functions, instead of using 'fwd' :

Joe.

jumper (Author), Posted April 18, 2012

> Yeah, something must be wrong. I finally managed to get SAP GUI for Java to work by stubbing both 'netapi32.dll' functions, instead of using 'fwd' :

fwd doesn't yet support the renaming of external functions. Adding the functions in ipstub to netapi32 won't work because the new functions will not have the names we need.

Using a Win2k netapi32 as the primary and a renamed Win9x netapi32 as the secondary should yield a usable netapi32 with both the original Netbios function along with all the NT functions.

The next beta of fwd will include support for using a .def file as the secondary. That will allow for such renaming as:

NetUserEnum=IPstub.o8

jds, Posted April 19, 2012

> > Yeah, something must be wrong. I finally managed to get SAP GUI for Java to work by stubbing both 'netapi32.dll' functions, instead of using 'fwd' :
>
> fwd doesn't yet support the renaming of external functions. Adding the functions in ipstub to netapi32 won't work because the new functions will not have the names we need.

No, that's not the problem. I took care of the renaming issue by also patching the 'JPlatin.dll' file with Import Patcher. Dependency Walker was satisfied with the end result, but it didn't work.

Joe.

jumper (Author), Posted April 19, 2012

> No, that's not the problem. I took care of the renaming issue by also patching the 'JPlatin.dll' file with Import Patcher. Dependency Walker was satisfied with the end result, but it didn't work.

Understood. We have a fundamental problem with export forwarders not working, plus a function renaming issue.

Using a .def file to tell fwd how to name/rename the new export will prevent the need to use ImportPatcher on every app that links to those new functions.

Export forwarding seems to be the issue of the day:

- vilyathegreat and schwups are having success printing with ComDlgEx (but can they "Open File" or "Save As" using export-forwarded functions?)
- loblo is having trouble with the export-forwarded Netbios function in NetApiEx that is linked the same way as ComDlgEx
- fwd.03 produces DLLs that still don't seem to work as expected.

Looks like I'll have to review and restudy the whole concept of export forwarding and write some very targeted test apps and test cases to determine things like whether KernelEx processing affects link search paths, etc.

Any programmers with experience that might be relevant are encouraged to chime in here.

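
How a PE export table distinguishes a forwarder from ordinary code, as an added example that is not from the thread and is not fwd's code: an export address that falls inside the export directory's own range is read as a `DLL.Name` string rather than as a code address. The export directory below, the `IPSTUB.o8` target, the code address and the function names are constructed, and file offset is assumed equal to RVA.

```python
import struct

EXPORT_DIR = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes

def cstr(image: bytes, rva: int) -> str:
    """Read the NUL-terminated ASCII string that starts at rva."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")

def classify_exports(image: bytes, dir_rva: int, dir_size: int) -> dict:
    """Map each named export to ('forward', 'DLL.Name') or ('code', rva)."""
    fields = struct.unpack_from(EXPORT_DIR, image, dir_rva)
    n_names, funcs, names, ords = fields[7:]
    result = {}
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", image, names + 4 * i)
        (index,) = struct.unpack_from("<H", image, ords + 2 * i)
        (target,) = struct.unpack_from("<I", image, funcs + 4 * index)
        # An address inside [dir_rva, dir_rva + dir_size) points at a
        # forwarder string, not at code.
        if dir_rva <= target < dir_rva + dir_size:
            result[cstr(image, name_rva)] = ("forward", cstr(image, target))
        else:
            result[cstr(image, name_rva)] = ("code", target)
    return result

def build_sample():
    """Constructed export directory with one forwarder and one normal export."""
    d, at, blob = 0x1000, {}, b""
    for s in (b"netapi32.dll", b"NetUserEnum", b"Netbios", b"IPSTUB.o8"):
        at[s] = d + 60 + len(blob)  # strings follow the three tables
        blob += s + b"\0"
    header = struct.pack(EXPORT_DIR, 0, 0, 0, 0, at[b"netapi32.dll"],
                         1, 2, 2, d + 40, d + 48, d + 56)
    funcs = struct.pack("<II", at[b"IPSTUB.o8"], 0x2000)  # forwarder, code
    names = struct.pack("<II", at[b"NetUserEnum"], at[b"Netbios"])
    ords = struct.pack("<HH", 0, 1)
    table = header + funcs + names + ords + blob
    return bytes(d) + table + bytes(0x100), d, len(table)
```

If the directory size recorded in the header does not cover a forwarder string that was appended later, the same entry is classified as code, so the size field has to grow with the table.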
rloew, Posted April 19, 2012

> > No, that's not the problem. I took care of the renaming issue by also patching the 'JPlatin.dll' file with Import Patcher. Dependency Walker was satisfied with the end result, but it didn't work.
>
> Understood. We have a fundamental problem with export forwarders not working, plus a function renaming issue.
>
> Using a .def file to tell fwd how to name/rename the new export will prevent the need to use ImportPatcher on every app that links to those new functions.
>
> Export forwarding seems to be the issue of the day:
>
> - vilyathegreat and schwups are having success printing with ComDlgEx (but can they "Open File" or "Save As" using export-forwarded functions?)
> - loblo is having trouble with the export-forwarded Netbios function in NetApiEx that is linked the same way as ComDlgEx
> - fwd.03 produces DLLs that still don't seem to work as expected.
>
> Looks like I'll have to review and restudy the whole concept of export forwarding and write some very targeted test apps and test cases to determine things like whether KernelEx processing affects link search paths, etc.
>
> Any programmers with experience that might be relevant are encouraged to chime in here.

DLLHOOK already can forward as well as rename exports. It also works globally so only one .INI is needed for everybody.

Unlike the Demo, the current Version is compatible with Kernelex 4.5.2. It is now listed on my Website as a separate product.

Dibya, Posted June 13, 2016 (edited)

It is truly awesome. Previously I was using flexhex, pemaker by BlackWingCat, IDA Pro and a debugger. Then I tried this one: https://dl.packetstormsecurity.net/papers/win/intercept_apis_dll_redirection.pdf

It is truly awesome.

EDIT: I am trying with XP kernel32.dll (renamed to primary.dll) and Server 2008 R1 SP2 Kernel32.dll (renamed to Secondary.dll), then dragged both over fwd, but no export was added. Am I doing anything wrong?

fwd.log

Edited June 13, 2016 by Dibya

Dibya, Posted June 13, 2016

Can anyone explain to me how I can add all APIs of the psapi.dll of XP to the one present in 98? I am selecting both and dragging and dropping, but the following error is happening:

Debug : Export table not at end of section

Same when trying with d3d9.dll, but fwd is crashing.

Dibya, Posted June 15, 2016

Hello! Anyone here! I am facing the following ERROR?

dencorso, Posted June 15, 2016

@Dibya: Stop being bothersome, already! You resurrected a thread nobody has posted to since 2012 and you want an instant reply? You know fully well jumper is around, so he'll answer you if and when he can. Cool down and wait, will you?

Dibya, Posted June 16, 2016

okay

jumper (Author), Posted June 23, 2016

Thank you for the error report. Fwd currently only works in very simple cases. One requirement is that the export table to be expanded must be at the end of a section.

Now that I have more experience with the PE file format, I do have plans, but no time table, for rewriting this tool from scratch.

Dibya, Posted August 26, 2016

@jumper Yesterday, I was playing with the kernel32.dll of XP, Server 2008 R1 SP2 and 98 SE (included in USP 3).

Can you write a tool which can find out which codes are for which function? If you have time.

Is it all right to expand a section, adding an entry point with some extra code of that function?

The WSAPoll function is causing some problem in ws2_32.dll of XP, I do not know how to fix it. One of my games needs it.

Is there a detailed guide regarding adding exports?

I found an awesome tool somewhere for testing exports and adding entry points, please see here: http://www.woodmann.com/forum/showthread.php?15720-Export-Table-Tester

jumper (Author), Posted August 29, 2016 (edited)

> Can you write a tool which can find out which codes are for which function ?

Use a disassembler like Procwin and/or DumpPe.

> is it all right to expand section , adding entrypoint with some extra code of that function ?

Sure.

> Wsapoll function causing some problem in ws2_32.dll of xp , i donot know how to fix it. One of my game need it.

Try this Kexstubs definition:

```
[Ws2_32.dll]
WSAPoll=z3
```

In assembly:

```
33 c0       xor eax, eax
c2 0c 00    ret 12
```

ref: https://msdn.microsoft.com/en-us/library/windows/desktop/ms741669(v=vs.85).aspx

> is there in detailed guide regarding adding export ?

Not that I remember. Search for "code cave" and use that information with ETT below.

> I found a awesome tool some where for testing export and adding entry point please see here http://www.woodmann.com/forum/showthread.php?15720-Export-Table-Tester

Good find. :) Works with Kex in win2k mode. Main window is unremarkable except for "Edit Exports" button. Clicking (after loading target dll) opens dialog that makes it easy to add export forwards to functions residing in another dll.

The process is manual and the checksum is not corrected, but it currently works better than fwd!

Edited August 29, 2016 by jumper

Dibya, Posted September 1, 2016 (edited)

Jumper, you are doing a nice job. Can you suggest a good code cave tutorial, if there is any you like?

Thanks for WSAPoll, it worked flawlessly.

Edited September 1, 2016 by Dibya