
Thread: How to add Function to Various System DLL.

  1. #31
    Windows XP Forever (Join Date: Jun 2016)
    Quote Originally Posted by Kayaker:
    As far as I know there are no automagic tools to add exports. Don't know why, I guess there was never a need, most RE tasks of that sort can be done with import addition/code injection. Adding exports is a cool idea, there just isn't usually a call for it.

    One way or another you're going to have to completely understand the PE structure and learn to add exports manually to even contemplate what you're trying to do in the larger scheme. Notice that the few in that msfn forum thread I linked who CAN add exports to a system file still have troubles, and they aren't giving away any secrets. "CFF Explorer" was the closest I saw to a clue, but that's only part of the solution.

    There are plenty of resources around to understand the PE structure. Iczelion's PE tutorials are a good first resource. Get hold of 010 Editor and run and study the PE parsing template on simple dlls. I've always used the following as a reference when working on PE files in a hex editor:

    Exe file format with offsets rather than explanations

    Iczelion's tutorial #17 contains the most basic dll/exe example you can get. Use it to try to add sections/exports and study the differences from the original. You can start by adding _imports_ with some existing tool and see how it's done, how you would do that manually. Adding the structure/offsets for exports should be somewhat similar.

    People will help if you have a *specific* problem to some detail you can't understand and you can show you've done some work. You're asking things about something that's very difficult to do to start with, and a general plea for help isn't going to get you very far if no one even knows what the question is.
    thanks a lot for the help

  2. #32
    Super Moderator (Join Date: Dec 2004)

    well, studying the differences between an exe with and without exports or mimicking them should not be much of a problem

    an export by definition is some code that someone outside is expected to use

    that means if you export blah() from your binary you aren't normally supposed to use it

    someone either loadlibs and calls your blah() or links to your blah using a .lib or .exp

    (there is no rule that you can't call an exported function internally, and no exception that it is never called internally)

    In fact you can code a simple c program and produce an exe

    (I will stick with an exe for the demo; exports are normally done in a dll, not in an exe)

    #include <windows.h>
    /* the function to export: built once with /EXPORT:Add and once without */
    int Add(int a, int b) {
        return a + b;
    }
    /* custom entry point (no CRT), selected with /ENTRY:main */
    void main(void) {
    }
    with that code you can build two exes, one with an export and one without, using this command line

    cl /Fenoexport.exe   expotest.c /link  /ENTRY:main  /FIXED                      %linklibs%
    cl /Feexport.exe       expotest.c /link  /ENTRY:main  /FIXED /EXPORT:Add  %linklibs%
    it is a mean little exe with no bloat that you can easily compare for differences

    if the dos e_lfanew is adjusted to point to the same place, the rich crap nuked out, and the time stamp ignored

    we can conclude that the only differences that matter in the header for the export and noexport binary are

    Address of Export Table / Size of Export Table / and the virtual size of the .rdata section that holds the exports

    and then it is simply a matter of parsing the actual export table implementation in the .rdata section

    fc /b export.exe noexport.exe | head -n 8
    Comparing files export.exe and NOEXPORT.EXE
    00000140: 30 00
    00000141: 20 00
    00000144: 41 00
    00000148: 28 D0
    00000149: 21 20
    000001F0: 74 1C
    00000600: 58 00
    xxd -s +0x140 -l 0x10 -g 1 export.exe
    0000140: 30 20 00 00 41 00 00 00 28 21 00 00 28 00 00 00  0 ..A...(!..(...
    xxd -s +0x140 -l 0x10 -g 1 noexport.exe
    0000140: 00 00 00 00 00 00 00 00 d0 20 00 00 28 00 00 00  ......... ..(...
    as stated earlier you can see that 140 (wrt the PE signature at 0xc8) is the Address of Export Table and 144 the Size of Export Table
    0x148 is the Address of Import Table, and it changed because the export table seems to be added first, or I couldn't locate how to make the linker embed the
    import table first and the export table later
    the 1f0 is the VirtualSize in the .rdata section (do the math with the PE header format to confirm my assertion)
    and the next difference is directly at 0x600 (the code section is the same in both exes)

    and that is plain parsing of the diffs, ignoring the import table and finding the diff using Luevelsmeyer / Iczelion / Matt Pietrek / and/or other innumerable me-toos

    the point is, if you add an export table, who is going to code the actual crap that is exported? that is what I was trying to elicit from XPFOREVER, but it seems he is a quitter

    well let me go to sleep
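The header walk post #32 describes (e_lfanew, then the optional header, then data directory entry 0, then the export directory inside .rdata) as an added example in Python; this is not code from the thread. It builds a constructed minimal PE32 image that exports one function `Add` (so e_lfanew sits at 0x40 and the export directory entry lands at file offset 0xb8 rather than 0x140), parses it back, and also handles the zeroed directory entry of the noexport build.

```python
import struct

def build_sample_image():
    """Constructed PE32 image (not a real binary): one .rdata section at RVA 0x2000
    holding an export directory that exports 'Add' at RVA 0x1000."""
    rva, raw = 0x2000, 0x200                     # .rdata VirtualAddress / PointerToRawData
    exp = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, rva + 54, 1, 1, 1,
                      rva + 40, rva + 44, rva + 48)  # Name, Base, counts, table RVAs
    exp += struct.pack("<I", 0x1000)             # AddressOfFunctions[0]
    exp += struct.pack("<I", rva + 50)           # AddressOfNames[0] -> "Add"
    exp += struct.pack("<H", 0)                  # AddressOfNameOrdinals[0]
    exp += b"Add\0" + b"export.exe\0"
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    fhdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(94)                 # PE32 magic, rest zeroed
    opt += struct.pack("<II", rva, len(exp)) + bytes(224 - 104)  # data directory[0] = exports
    sec = b".rdata\0\0" + struct.pack("<IIII", len(exp), rva, 0x200, raw) + bytes(16)
    hdr = dos + fhdr + opt + sec
    return hdr + bytes(raw - len(hdr)) + exp + bytes(0x200 - len(exp))

def parse_exports(data):
    """Walk e_lfanew -> optional header -> data directory[0] -> export directory,
    resolving RVAs through the section table. Returns (file offset of the export
    data-directory entry, {name: (ordinal, function RVA)})."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)
    if exp_rva == 0:
        return dd, {}                            # no export table (the noexport build)
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def r2o(r):                                  # RVA -> raw file offset via the section table
        for vsize, va, rsize, ptr in secs:
            if va <= r < va + max(vsize, rsize):
                return ptr + (r - va)
        raise ValueError("RVA 0x%x not in any section" % r)
    base, nfunc, nnames, afunc, anames, aords = struct.unpack_from("<6I", data, r2o(exp_rva) + 16)
    funcs = struct.unpack_from("<%dI" % nfunc, data, r2o(afunc))
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, r2o(anames) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, r2o(aords) + 2 * i)[0]
        start = r2o(name_rva)
        name = data[start:data.index(b"\0", start)].decode("ascii")
        exports[name] = (base + ordinal, funcs[ordinal])
    return dd, exports
```

Running `parse_exports` on the two exes from the post would report the directory entry at 0x140 and, for the noexport build, an empty map, which is exactly the difference `fc /b` surfaces.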

  3. #33
    Windows XP Forever (Join Date: Jun 2016)
    someone can write a tool for adding exports
