Detecting DLL Code Splicing


I'm trying to write some functions to detect DLL code splicing. I take DLL code splicing to mean modifying the bytes at the start of functions in loaded DLLs, so that instead of jumping to the full function implementation within the DLL, it will jump to some other location.
My approach so far has been:
Firstly, loaded DLL information (e.g. image base of the loaded DLL, etc.) I get from using the Toolhelp32 library.
For each loaded DLL:
get each function address (RVA) by reading the export table, in memory, of the DLL
read in 8 bytes at this address in memory
get the function RVA from the version of the DLL on disk
parse the PE header of the DLL on disk to convert the RVA to a file offset, and read 8 bytes there too
compare these 8 bytes
Now I know I'm not doing something quite right, and I may be making a conceptual blunder.
I've been testing with notepad.exe, 32-bit. The comparisons succeed for the majority of the functions in the loaded DLLs, but it tends to find some differences.
For example:
ntdll.dll: ordinal=00000059, rva=0007e098, fileoffs=0007d498, function VA: 7c97e098
disk: 00 00 00 00 00 00 00 00
mem: e4 04 00 00 00 00 00 00
and:
ntdll.dll: ordinal=0000003d, rva=0009d0d8, fileoffs=0009c4d8, function VA: 77a9d0d8
disk: a1 5c 81 f9 77 c3 90 90
mem: a1 5c 81 ad 77 c3 90 90
Someone mentioned to me that it has something to do with relocations. I can't figure this out, however, and I haven't found any documentation on how this applies here.
Does anyone have some info, or links on this? Or does anyone know where I am failing?
Many thanks in advance.
EDIT: The DLLs are being loaded at their preferred image base (when comparing the OptionalHeader.ImageBase to the base address of the loaded module in memory).
Therefore I'm stuck trying to figure out why there could be a difference, e.g. above: why 1312 functions in ntdll seemed to match, but the 1313th one doesn't.
Relocations are a list of virtual offsets that contain absolute addresses. If an image isn't loaded at its preferred image base, all offsets listed in the relocation table need to be adjusted. If your preferred image base is 0x400000 and the DLL loads at 0x500000, you simply need to adjust the data at the offsets mentioned in the relocation list by 0x100000.
See e.g. the "PE File Base Relocations" section in Peering inside the PE for the format.
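As an added worked example (not code from the question or the answer above), here is a small Python script that performs the comparison the question describes while applying base relocations the way the answer explains. It walks the section table for the RVA-to-file-offset conversion, reads the export address table and the base relocation directory, relocates the on-disk copy to the observed load base before diffing the first 8 bytes of each export, and reports exports that live in a non-executable section separately, since those are variables rather than code and their bytes are expected to change at run time (compare the question's first sample, where the disk holds zeros and memory holds a small counter). Everything it operates on is constructed inline and is an assumption of this example: build_sample_dll writes a minimal PE32 DLL with three exports by ordinal, map_image plays the role of the loader, and the ordinals, RVAs and the 0x10400000 load address are made up. It handles PE32 images and HIGHLOW fixups only and does not follow forwarded exports. The preferred base it uses is the ImageBase from the header of the file on disk, not the header of the mapped module.

```python
"""Compare each exported function's first bytes in a loaded image with the same
bytes from the file on disk, relocating the disk copy first so that fixed-up
absolute addresses are not mistaken for code splicing. PE32 (32-bit) only."""
import struct

HIGHLOW = 3                   # IMAGE_REL_BASED_HIGHLOW: 32-bit absolute address fixup
EXECUTE = 0x20000000          # IMAGE_SCN_MEM_EXECUTE section flag


def parse_pe(data):
    """Image base, SizeOfImage, section table and the export / basereloc data directories."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    assert data[nt:nt + 4] == b"PE\0\0", "not a PE image"
    nsect, opt_size = struct.unpack_from("<H", data, nt + 6)[0], struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    assert struct.unpack_from("<H", data, opt)[0] == 0x10B, "PE32+ stores a 64-bit ImageBase at +24"
    ddir = lambda i: struct.unpack_from("<II", data, opt + 96 + 8 * i)   # (rva, size)
    sections = [struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i) for i in range(nsect)]
    return {"base": struct.unpack_from("<I", data, opt + 28)[0], "size": struct.unpack_from("<I", data, opt + 56)[0],
            "sections": sections, "export": ddir(0), "reloc": ddir(5)}


def section_of(pe, rva):
    """Header tuple of the section holding rva (2 = VA, 3 = raw size, 4 = raw offset, 9 = flags) or None."""
    return next((s for s in pe["sections"] if s[2] <= rva < s[2] + max(s[1], s[3])), None)


def rva_to_offset(pe, rva):
    """Translate an RVA to a file offset through the section table (the conversion the question does)."""
    s = section_of(pe, rva)
    if s is None or rva - s[2] >= s[3]:
        raise ValueError(f"rva {rva:#x} is not backed by file data")
    return rva - s[2] + s[4]


def exports(data, pe):
    """(ordinal, rva) for every export address table entry; forwarder strings are not handled."""
    off = rva_to_offset(pe, pe["export"][0])
    base, nfunc, _, funcs = struct.unpack_from("<IIII", data, off + 16)   # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions
    tbl = rva_to_offset(pe, funcs)
    return [(base + i, struct.unpack_from("<I", data, tbl + 4 * i)[0]) for i in range(nfunc)]


def relocations(data, pe):
    """RVAs of all HIGHLOW fixups: the directory is a list of (page rva, block size, 16-bit entries) blocks."""
    off, fixups = rva_to_offset(pe, pe["reloc"][0]), []
    end = off + pe["reloc"][1]
    while off + 8 <= end:
        page, size = struct.unpack_from("<II", data, off)
        if size < 8:
            break                                                  # malformed block: stop rather than spin
        entries = struct.unpack_from(f"<{(size - 8) // 2}H", data, off + 8)
        fixups += [page + (e & 0xFFF) for e in entries if e >> 12 == HIGHLOW]
        off += size
    return fixups


def map_image(data, load_base):
    """Lay the file out at its RVAs and add (load_base - preferred base) to every fixup, as the loader does."""
    pe = parse_pe(data)
    mem = bytearray(pe["size"])
    for s in pe["sections"]:
        mem[s[2]:s[2] + s[3]] = data[s[4]:s[4] + s[3]]
    delta = (load_base - pe["base"]) & 0xFFFFFFFF
    for fix in relocations(data, pe):
        struct.pack_into("<I", mem, fix, (struct.unpack_from("<I", mem, fix)[0] + delta) & 0xFFFFFFFF)
    return mem


def check_exports(data, memory, load_base, n=8, apply_relocs=True):
    """Classify each export as 'data' (non-executable section), 'ok' or 'modified' over its first n bytes."""
    pe = parse_pe(data)
    reference = map_image(data, load_base if apply_relocs else pe["base"])   # naive mode: raw disk bytes
    results = []
    for ordinal, rva in exports(data, pe):
        s = section_of(pe, rva)
        if s is None or not s[9] & EXECUTE:
            results.append((ordinal, rva, "data"))               # a variable, not code: expected to change
        else:
            same = bytes(reference[rva:rva + n]) == bytes(memory[rva:rva + n])
            results.append((ordinal, rva, "ok" if same else "modified"))
    return results


def build_sample_dll(image_base=0x10000000):
    """Constructed minimal PE32 DLL (an assumption of this example, not a real file)."""
    secs = [(b".text", 0x1000, 0x200, 0x60000020), (b".data", 0x2000, 0x400, 0xC0000040),
            (b".edata", 0x3000, 0x600, 0x40000040), (b".reloc", 0x4000, 0x800, 0x42000040)]
    img = bytearray(0xA00)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(secs), 0, 0, 0, 224, 0x2102)   # COFF header
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", img, 0x58, 0x10B, 14, 0, 0x200, 0x600, 0, 0x1000,
                     0x1000, 0x2000, image_base, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x5000, 0x200, 0, 2,
                     0x140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", img, 0x58 + 96, 0x3000, 0x50)                    # data directory 0: exports
    struct.pack_into("<II", img, 0x58 + 96 + 40, 0x4000, 12)                 # data directory 5: base relocs
    for i, (name, va, raw, flags) in enumerate(secs):                        # section table at 0x58 + 224
        struct.pack_into("<8sIIIIIIHHI", img, 0x138 + 40 * i, name, 0x200, va, 0x200, raw, 0, 0, 0, 0, flags)
    # ordinal 1: mov eax,[image_base+0x2000]; ret; nop; nop   (one HIGHLOW fixup at .text+1)
    img[0x200:0x208] = b"\xa1" + struct.pack("<I", image_base + 0x2000) + b"\xc3\x90\x90"
    # ordinal 2: push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret; nop   (no fixups)
    img[0x210:0x218] = b"\x55\x8b\xec\x33\xc0\x5d\xc3\x90"
    # export directory: Base 1, three functions, no names; ordinal 3 points into .data
    struct.pack_into("<IIHHIIIIIII", img, 0x600, 0, 0, 0, 0, 0x3040, 1, 3, 0, 0x3028, 0, 0)
    struct.pack_into("<III", img, 0x628, 0x1000, 0x1010, 0x2000)
    img[0x640:0x64B] = b"sample.dll\0"
    struct.pack_into("<IIHH", img, 0x800, 0x1000, 12, HIGHLOW << 12 | 1, 0)  # one block, one fixup, one pad
    return bytes(img)


def demo(load_base=0x10400000):
    """Load away from the preferred base, splice ordinal 2, let the data export change, then check."""
    disk = build_sample_dll()
    mem = map_image(disk, load_base)
    mem[0x1010:0x1015] = b"\xe9" + struct.pack("<i", 0x1800 - 0x1015)      # jmp to a hook at RVA 0x1800
    mem[0x2000:0x2004] = struct.pack("<I", 0x4E4)                           # variable written at run time
    return check_exports(disk, mem, load_base)
```

demo() returns ordinal 1 as "ok", ordinal 2 as "modified" and ordinal 3 as "data". Calling check_exports with apply_relocs=False instead reports ordinal 1 as "modified" as well, because its mov eax,[addr] operand was fixed up by 0x400000: a single differing byte inside an absolute address operand is what a HIGHLOW fixup looks like when the actual base differs from the base the image was linked for, which is the same shape as the question's second sample (a1 5c 81 f9 77 c3 is mov eax,[0x77f9815c]; ret).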
