
fwd: DLL Forwarder and Checksum Corrector


jumper


Sorry to still be confused, I thought "small" DLLs patched by 'fwd' did work?

...

BTW, the checksum error in "Dependency Walker" did not occur when I used 'IPStub.dll' as the base DLL, with forwarding to 'netapi32.dll'.

Well, they should. But so far there have been no reports of success. :(

IPstub.dll did not have the checksum set, so modding the file goes undetected. :sneaky:

fwd.03 is now posted--it updates the Link Checksum after all forwarders are added. It will also correct the Link Checksum for any PE file! :w00t:

See post #1 for details.

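The Link Checksum behaviour described in the post above (an unset checksum hides edits, a set one exposes them until it is recomputed), as an added example that is not part of the thread and is not fwd's code. It assumes the commonly documented PE checksum algorithm: a 16-bit sum with end-around carry over the whole file, the CheckSum field counted as zero, plus the file length. The sample image is constructed.

```python
import struct

def checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64  # signature + COFF header + 64 into optional header

def pe_checksum(data: bytes) -> int:
    """Fold 16-bit words with end-around carry, CheckSum field as zero, add file length."""
    off = checksum_offset(data)
    buf = data[:off] + b"\0\0\0\0" + data[off + 4:]
    if len(buf) % 2:
        buf += b"\0"  # pad odd-sized files to a whole word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF

def checksum_status(data: bytes) -> str:
    """'unset' (field is 0, edits leave no trace), 'ok', or 'mismatch' (changed after linking)."""
    stored, = struct.unpack_from("<I", data, checksum_offset(data))
    if stored == 0:
        return "unset"
    return "ok" if stored == pe_checksum(data) else "mismatch"

def with_fixed_checksum(data: bytes) -> bytes:
    """Return a copy of the image with the CheckSum field recomputed."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_offset(data), pe_checksum(data))
    return bytes(out)

def make_sample_pe() -> bytes:
    """Constructed 512-byte image: just enough header for the checksum code."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    img[0x100:0x110] = b"constructed data"
    return bytes(img)

if __name__ == "__main__":
    pe = make_sample_pe()
    print(checksum_status(pe), checksum_status(with_fixed_checksum(pe)))
```

A "mismatch" result is what a checksum-aware viewer reports for a DLL that was edited without the field being updated; "unset" gives no signal either way.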

  • 2 weeks later...

Sorry to still be confused, I thought "small" DLLs patched by 'fwd' did work?

...

BTW, the checksum error in "Dependency Walker" did not occur when I used 'IPStub.dll' as the base DLL, with forwarding to 'netapi32.dll'.

Well, they should. But so far there have been no reports of success. :(

IPstub.dll did not have the checksum set, so modding the file goes undetected. :sneaky:

fwd.03 is now posted--it updates the Link Checksum after all forwarders are added. It will also correct the Link Checksum for any PE file! :w00t:

See post #1 for details.

Yeah, something must be wrong. I finally managed to get SAP GUI for Java to work by stubbing both 'netapi32.dll' functions, instead of using 'fwd' :

Joe.


Yeah, something must be wrong. I finally managed to get SAP GUI for Java to work by stubbing both 'netapi32.dll' functions, instead of using 'fwd' :

fwd doesn't yet support the renaming of external functions. Adding the functions in ipstub to netapi32 won't work because the new functions will not have the names we need.

Using a Win2k netapi32 as the primary and a renamed Win9x netapi32 as the secondary should yield a usable netapi32 with both the original Netbios function along with all the NT functions.

The next beta of fwd will include support for using a .def file as the secondary. That will allow for such renaming as:


  • NetUserEnum=IPstub.o8


Yeah, something must be wrong. I finally managed to get SAP GUI for Java to work by stubbing both 'netapi32.dll' functions, instead of using 'fwd' :

fwd doesn't yet support the renaming of external functions. Adding the functions in ipstub to netapi32 won't work because the new functions will not have the names we need.

No, that's not the problem. I took care of the renaming issue by also patching the 'JPlatin.dll' file with Import Patcher. Dependency Walker was satisfied with the end result, but it didn't work.

Joe.


No, that's not the problem. I took care of the renaming issue by also patching the 'JPlatin.dll' file with Import Patcher. Dependency Walker was satisfied with the end result, but it didn't work.

Understood. We have a fundamental problem with export forwarders not working, plus a function renaming issue.

Using a .def file to tell fwd how to name/rename the new export will prevent the need to use ImportPatcher on every app that links to those new functions.

Export forwarding seems to be the issue of the day:

  • vilyathegreat and schwups are having success printing with ComDlgEx (but can they "Open File" or "Save As" using export-forwarded functions?)
  • loblo is having trouble with the export-forwarded Netbios function in NetApiEx that is linked the same way as ComDlgEx
  • fwd.03 produces DLLs that still don't seem to work as expected.

Looks like I'll have to review and restudy the whole concept of export forwarding and write some very targeted test apps and test cases to determine things like whether KernelEx processing affects link search paths, etc. Any programmers with experience that might be relevant are encouraged to chime in here. :hello:


No, that's not the problem. I took care of the renaming issue by also patching the 'JPlatin.dll' file with Import Patcher. Dependency Walker was satisfied with the end result, but it didn't work.

Understood. We have a fundamental problem with export forwarders not working, plus a function renaming issue.

Using a .def file to tell fwd how to name/rename the new export will prevent the need to use ImportPatcher on every app that links to those new functions.

Export forwarding seems to be the issue of the day:

  • vilyathegreat and schwups are having success printing with ComDlgEx (but can they "Open File" or "Save As" using export-forwarded functions?)
  • loblo is having trouble with the export-forwarded Netbios function in NetApiEx that is linked the same way as ComDlgEx
  • fwd.03 produces DLLs that still don't seem to work as expected.

Looks like I'll have to review and restudy the whole concept of export forwarding and write some very targeted test apps and test cases to determine things like whether KernelEx processing affects link search paths, etc. Any programmers with experience that might be relevant are encouraged to chime in here. :hello:

DLLHOOK already can forward as well as rename exports. It also works globally so only one .INI is needed for everybody.

Unlike the Demo, the current Version is compatible with Kernelex 4.5.2. It is now listed on my Website as a separate product.


  • 4 years later...

It is truly awesome.

Previously I was using FlexHEX, pemaker by BlackWingCat, IDA Pro and a debugger.

Then I tried this one: https://dl.packetstormsecurity.net/papers/win/intercept_apis_dll_redirection.pdf

It is truly awesome.

EDIT: I am trying with XP kernel32.dll (Renamed to primary.dll) and Server 2008 R1 SP2 Kernel32.dll (Renamed to Secondary.dll), then dragged both over fwd, but no export was added. Am I doing anything wrong?

fwd.log

Edited by Dibya

Can anyone explain to me how I can add all the APIs of XP's psapi.dll to the one present in 98?

I am selecting both and dragging and dropping, but the following error happens: Debug : Export table not at end of section

I tried the same with d3d9.dll, but fwd is crashing.


@Dibya: Stop being bothersome, already!

You resurrected a thread nobody has posted to since 2012 and you want an instant reply?

You know fully well jumper is around, so he'll answer you if and when he can.

Cool down and wait, will you?


Thank you for the error report.

Fwd currently only works in very simple cases. One requirement is that the export table to be expanded must be at the end of a section.

Now that I have more experience with the PE file format, I do have plans, but no time table, for rewriting this tool from scratch.

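The requirement stated in the post above can be checked before a DLL is modified. This is an added example, not part of the thread and not fwd's code. It assumes "at the end of a section" means the export data directory ends exactly where the containing section's VirtualSize ends; the header-only sample image is constructed.

```python
import struct

def export_table_placement(data: bytes):
    """Locate the export data directory and report how far it sits from its section's end."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (112 if magic == 0x20B else 96)         # PE32+ vs PE32 layout
    exp_rva, exp_size = struct.unpack_from("<II", data, dirs)  # DataDirectory[0]
    if exp_rva == 0:
        return None                                      # image exports nothing
    for i in range(nsec):
        name, vsize, va, rsize, _rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        if va <= exp_rva < va + max(vsize, rsize):
            gap = va + vsize - (exp_rva + exp_size)      # bytes after the export data
            return {"section": name.rstrip(b"\0").decode(),
                    "gap": gap, "at_end": gap == 0}
    raise ValueError("export directory not inside any section")

def make_sample(exp_size: int) -> bytes:
    """Constructed PE32 headers only: .text, then .edata with VirtualSize 0x80."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)              # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 2)         # i386, two sections
    struct.pack_into("<H", img, 0x54, 0xE0)              # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)             # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96, 0x2000, exp_size)
    sec = 0x58 + 0xE0
    struct.pack_into("<8sIIII", img, sec, b".text", 0x100, 0x1000, 0x200, 0x400)
    struct.pack_into("<8sIIII", img, sec + 40, b".edata", 0x80, 0x2000, 0x200, 0x600)
    return bytes(img)

if __name__ == "__main__":
    print(export_table_placement(make_sample(0x80)))     # export data fills .edata
    print(export_table_placement(make_sample(0x60)))     # 0x20 bytes follow it
```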

  • 2 months later...

@jumper

Yesterday I was playing with the kernel32.dll of XP, Server 2008 R1 SP2 and 98 SE (included in usp 3).

Can you write a tool which can find out which codes are for which function? If you have time.

Is it all right to expand a section, adding an entry point with some extra code of that function?

The WSAPoll function is causing some problems in the ws2_32.dll of XP; I do not know how to fix it. One of my games needs it.

Is there a detailed guide regarding adding exports?

I found an awesome tool somewhere for testing exports and adding entry points, please see here http://www.woodmann.com/forum/showthread.php?15720-Export-Table-Tester


> Can you write a tool which can find out which codes are for which function?

Use a disassembler like Procwin and/or DumpPe.

> Is it all right to expand a section, adding an entry point with some extra code of that function?

Sure.

> The WSAPoll function is causing some problems in the ws2_32.dll of XP; I do not know how to fix it. One of my games needs it.

Try this Kexstubs definition:

    [Ws2_32.dll]
    WSAPoll=z3

In assembly:

    33 c0      xor eax, eax
    c2 0c 00   ret 12

ref: https://msdn.microsoft.com/en-us/library/windows/desktop/ms741669(v=vs.85).aspx

> Is there a detailed guide regarding adding exports?

Not that I remember. Search for "code cave" and use that information with ETT below.

> I found an awesome tool somewhere for testing exports and adding entry points, please see here http://www.woodmann.com/forum/showthread.php?15720-Export-Table-Tester

Good find. :) Works with Kex in win2k mode. Main window is unremarkable except for "Edit Exports" button. Clicking (after loading target dll) opens dialog that makes it easy to add export forwards to functions residing in another dll. The process is manual and the checksum is not corrected, but it currently works better than fwd!

Edited by jumper