Opened 15 years ago
Last modified 13 years ago
#62 closed defect
Finish the Win32 port — at Initial Version
Reported by: | Sam Hocevar | Owned by: | Sam Hocevar |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | port: Windows | Version: | SVN |
Keywords: | Cc: | ||
Product: | zzuf |
Description
There is no such thing as LD_PRELOAD
on Win32. Several strategies exist to mimic the Unix functionality:
- Use the
AppInit_DLLs
registry key (not acceptable: it affects all executables and requires a reboot for changes to be taken into account, although there is at least one interesting use of this feature) - Act as a kernel debugger (not acceptable: we want to remain in userland)
- DLL injection: inject code into the subprocess so that it overwrites the desired function addresses
The bases for DLL injection are already here:
- libzzuf's libzzuf.c contains a
DllMain
entry that calls_zz_init
upon load. - libzzuf's sys.c contains the following:
- A
LoadLibraryA_orig
pointer that should be filled with the address of the realLoadLibraryA
function - A
LoadLibraryA_new
function that callsLoadLibraryA_new
and displays a debug message - An
insert_func
function that replaces a given function address in the current process' address space - Code in
_zz_sys_init
that callsinsert_func
for each function we want to overwrite (currently only LoadLibraryA is affected; in the future, this will iterate over a global array)
- A
- zzuf's zzuf.c contains the following:
- A
dll_inject
function that writes bytecode into the subprocess' address space which basically doesLoadLibraryA("libzzuf.dll")
- A
get_entry
function that gets the entry point address of a given executable file - Code in the
run_process
function that tries to fork a subprocess in paused state, inject the desired code, and resume it
- A
All these functions seem to be consistent, but their combination does not seem to work. The expected result: any program that calls LoadLibraryA should display a warning message. What happens: nothing. I tested it with a simple program such as this one:
#include <windows.h> int main(void) { AllocConsole(); fprintf(stderr, "before\n"); LoadLibraryA("whatever"); fprintf(stderr, "after\n"); getchar(); }
And the command line:
zzuf.exe -d test.exe
Note: See
TracTickets for help on using
tickets.