This is something that may be interesting for
those who are working in the protection and reversing fields.
This app loads itself as a dynamic library, which leads to
having two copies of the same DLL at a time.
M$ claims that it is impossible but you can see it clearly in SoftIce.
The proc itself is very simple:
it exports one of its functions (use the /export:FuncName key while linking for that),
then at start it loads itself as a DLL and calls one of its functions (a simple msgbox).

The trick is done by making the exe with a long name and calling itself by the short name.
To see results and consequences:
1. Load it in SoftIce
2. after the LoadLibrary call, type mod -u and see that two identical libraries are loaded.

What is usable about the trick and data?
Think about relocations.
Posted on 2002-10-31 18:44:07 by The Svin
Wow! That's possible?? DLL masquerading as EXE?

Still what about portability... maybe later Win versions won't work with this trick?
Posted on 2002-10-31 20:41:27 by AmkG
Works fine under XP. I used OllyDebug to view the extra module (i.e. it is visible to standard APIs).

I also had an idea: under XP, if you name a file "a .exe" the short filename has some hex digits (apparently a handle) appended to it:
"a .exe" -> "AFD72~1.EXE"
"3 .exe" -> "3F5C1~1.EXE"

This just makes things slightly more confusing to anyone trying to find this "extra module" on disk.

Also for compatibility issues with future versions of windows LoadLibrary will just return the module handle to the previously loaded module.

Edit - I also wonder how Windows will handle a shared segment within the module that results in two shared segments per address space?
Posted on 2002-10-31 21:14:28 by huh
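The posts above show that the loader keys its "already loaded?" check on the name string, so a long name and its 8.3 alias count as two modules even though they are one file on disk. An inventory or forensics check should key on file identity instead. The following is an added example, not code from any poster in this thread: it groups a constructed list of module paths by the file they resolve to (device and inode on POSIX), so one file loaded under two spellings shows up as a single aliased entry. The temp-directory layout, the `LONGNA~1.EXE` stand-in for a DOS short name, and the `find_aliased_modules` helper are all assumptions made for the example.

```python
"""Module inventory check keyed on file identity rather than path string.

Constructed example: the loader in the thread treats the long name and the
8.3 alias as two separate modules. This check groups module paths by the
file behind them, so an alias shows up as one file under two names.
"""
import os
import tempfile
from collections import defaultdict


def file_identity(path):
    """Identity of the file behind a path, independent of how the path is spelled."""
    st = os.stat(path)  # follows symlinks, so every alias resolves to one (dev, ino)
    return (st.st_dev, st.st_ino)


def find_aliased_modules(module_paths):
    """Return {identity: [distinct path spellings]} for files present under more than one name."""
    groups = defaultdict(set)
    for p in module_paths:
        groups[file_identity(p)].add(p)
    return {ident: sorted(paths) for ident, paths in groups.items() if len(paths) > 1}


def demo():
    """Build a constructed module list with one file reachable by two names.

    Returns (number of aliased files, total number of names pointing at them).
    """
    with tempfile.TemporaryDirectory() as d:
        long_name = os.path.join(d, "longnamedprogram.exe")
        short_name = os.path.join(d, "LONGNA~1.EXE")  # constructed stand-in for an 8.3 alias
        other = os.path.join(d, "other.dll")
        for p in (long_name, other):
            with open(p, "wb") as f:
                f.write(b"MZ")  # placeholder content; only the file identity matters here
        try:
            os.link(long_name, short_name)  # hard link: same file, second name
        except OSError:
            os.symlink(long_name, short_name)  # fallback where hard links are not allowed
        modules = [long_name, short_name, other]  # constructed "loaded module" list
        aliased = find_aliased_modules(modules)
        return len(aliased), sum(len(v) for v in aliased.values())


if __name__ == "__main__":
    print(demo())
```

On Windows the same idea applies with the volume serial number and file index returned by GetFileInformationByHandle, or by comparing the final path of each module's file handle, rather than the module name string the loader reports.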
Privet The Svin,
Very interesting. What implications may it have / what advantages may it give to anti-debugging tricks et similia?

Dosvidanja,
Maverick
Posted on 2002-11-01 03:11:24 by Maverick
Hmmmmm. Weeeird. I bet you could also use this for the "remove file after run" trick.
on getting a WM_CLOSE message call an exported function to remove exe file on disk
in a loop until it works and then exit...
Posted on 2002-11-01 11:59:55 by Graebel

> Privet The Svin,
> Very interesting. What implications may it have / what advantages may it give to anti-debugging tricks et similia?
>
> Dosvidanja,
> Maverick

Vivat, Fabio!
Relocations, as I said.
Data and code managed by the export function would have different addrs, though they would come from the same exe file.
+
Having two copies of the same data initialized (the same in file),
you have an instrument to disorient a hacker from finding its offset in the file. There are many ideas that can come from it: for example you can do one thing with the data in the
first proc and something different with the copy of the exe loaded as a library. I'm sure you can in a time show us some new ideas coming from it. :)
My task was just to show the interface of it and point out that we can have 2 copies of a library that have the same name. Which many Win32 programmers consider impossible.
Posted on 2002-11-01 15:18:05 by The Svin
I see. :alright:
Glad to see you're back with several posts lately, I hope it's not only a parenthesis. :)

Take Care!
Maverick
Posted on 2002-11-01 16:19:37 by Maverick


> I see. :alright:
> Glad to see you're back with several posts lately, I hope it's not only a parenthesis. :)
>
> Take Care!
> Maverick

Thank you.
I've started thinking of writing a book (or books? :)), so if I have money for inet I'm going to post some material from it for discussion here frequently.
Posted on 2002-11-02 18:59:51 by The Svin
Privet Alex,
Interesting.. a book about coding? I'll be glad to join the discussion when it's time to. ;)
Posted on 2002-11-03 02:57:50 by Maverick
I forgot to say that to use the distracting relocation effect while calling your own export, the exe needs to be linked with the FIXED:NO option. Otherwise the relocation section would be stripped.
Posted on 2003-02-17 17:43:16 by The Svin
I'll try a Hook function as normally should be in a "separate" DLL ;)
Posted on 2003-02-19 06:39:15 by KaSt

> Wow! That's possible?? DLL masquerading as EXE?
>
> Still what about portability... maybe later Win versions won't work with this trick?
It's actually a pretty old trick. In Win16, the three core DLLs are called KERNEL.EXE, GDI.EXE, and USER.EXE.

I believe all OCX files are DLLs. However, because they're COM modules, it's possible that some are EXE files.

If LoadLibrary can use any valid file name to load a DLL, there is no portability problem. It will need to do some checking of the PE file for validity, in any case.


> My task was just to show the interface of it and point out that we can have 2 copies of a library that have the same name. Which many Win32 programmers consider impossible.
Which means there is still some old Win16 knowledge hanging around. It's definitely true in Win16 that you can't load two different DLLs with the same name, unless the first is completely unloaded beforehand.
Posted on 2003-02-19 14:02:50 by tenkey
I think the point was having an Exe with Exports, that can be used as a DLL. This is at least what I understood.
Posted on 2003-02-19 14:28:45 by KaSt
Awesome Thread/Idea The Svin

I had more fun playing around with this than I've had in a long time lol...... hmmmm uhoh. any way
I find....
You can Load it into itself with no problems whatsoever.
You can call your exports from yourself with 0 issues

You can load and call the exports from ANY app AS LONG AS YOUR EXPORTS MAKE NO API CALLS

The Import table does not get filled in when you call LoadLibrary to load it; this is not a problem in your own process
as the import table is already filled in and your "DLL/EXE" uses an identical Import table as your EXE/EXE.
Also, I do not think you have to use the short DOS name to load it as a dll, I think it will load anyway.

I'm not sure but I don't think LoadLibrary fills in the import table EVER when you use it to load an EXE; this is probably
because it would end up overwriting the calling APP's import table and all hell would break loose :)

I'm not averse to being corrected if I'm wrong, this is just what I have observed playing around with it.
Personally I LOVE the idea of making an EXE that also has some functions EXPORTED so that other people can use them. :)
Too bad I can't if I make API calls :alright:


As far as an EXE masquerading as a dll... well it's better to make a dll and edit the header to have it masquerade as an exe lol
Posted on 2003-02-19 15:41:11 by dionysus
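The ingredients the thread settles on are all visible in the PE header: an image without the DLL characteristic that nonetheless carries an export directory, and (per The Svin's FIXED:NO remark) a base relocation table that was not stripped. The following is an added example, not code from any poster here: a small static triage routine that reads those fields and flags an EXE that exports functions and keeps its relocations. The PE layout constants are the documented header offsets; `build_pe32` constructs a header-only PE32 blob purely so the checker can run offline, and the flag names returned by `triage_pe` are my own.

```python
"""Static triage of PE headers for the 'EXE with exports' pattern.

Constructed example: build_pe32 emits a header-only PE32 image (no sections,
no real code) so triage_pe can be exercised offline. The offsets follow the
documented IMAGE_FILE_HEADER / IMAGE_OPTIONAL_HEADER layout.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # set when linked with /FIXED (no .reloc)
IMAGE_FILE_DLL = 0x2000              # image is a DLL rather than an EXE
DIR_EXPORT, DIR_BASERELOC = 0, 5     # data directory indices


def build_pe32(characteristics, export_size=0, reloc_size=0):
    """Construct a header-only PE32 blob (constructed sample, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader=224
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, characteristics)
    # Magic=PE32, zeroed fields, NumberOfRvaAndSizes=16 at offset 92
    opt_fixed = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if export_size:
        dirs[DIR_EXPORT] = (0x1000, export_size)   # RVA values are placeholders
    if reloc_size:
        dirs[DIR_BASERELOC] = (0x2000, reloc_size)
    dir_bytes = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + file_hdr + opt_fixed + dir_bytes


def triage_pe(data):
    """Read the header fields that matter for the self-loading trick and return findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    characteristics = struct.unpack_from("<H", data, pe + 4 + 18)[0]
    opt = pe + 24                       # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                  # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                # PE32+
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    n_dirs = struct.unpack_from("<I", data, count_off)[0]

    def dir_size(i):
        if i >= n_dirs:
            return 0
        return struct.unpack_from("<II", data, dir_off + 8 * i)[1]

    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    has_exports = dir_size(DIR_EXPORT) > 0
    relocs_stripped = (bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
                       or dir_size(DIR_BASERELOC) == 0)
    return {
        "is_dll": is_dll,
        "has_exports": has_exports,
        "relocs_stripped": relocs_stripped,
        # an EXE that exposes exports is unusual enough to be worth a second look
        "exe_with_exports": (not is_dll) and has_exports,
        # with relocations present it can also be mapped a second time at a new base
        "exe_with_exports_and_relocs": (not is_dll) and has_exports and not relocs_stripped,
    }


if __name__ == "__main__":
    sample = build_pe32(0x0102, export_size=0x40, reloc_size=0x10)  # EXE, exports, .reloc kept
    print(triage_pe(sample))
```

The heuristic is deliberately coarse: it does not walk the export names, and an EXE with exports can be perfectly legitimate. Its value is as a cheap first pass over a directory of binaries; anything it flags can then be opened in a debugger, as the posters above did, to see whether it loads itself.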