Opened 15 years ago

Last modified 13 years ago

#62 closed defect

Finish the Win32 port — at Version 2

Reported by: Sam Hocevar Owned by: Sam Hocevar
Priority: major Milestone:
Component: port: Windows Version: SVN
Keywords: Cc:
Product: zzuf

Description (last modified by Sam Hocevar)

There is no such thing as LD_PRELOAD on Win32. Several strategies exist to mimic the Unix functionality:

  • Use the AppInit_DLLs registry key (not acceptable: it affects all executables and requires a reboot for changes to be taken into account, although there is at least one interesting use of this feature)
  • Act as a kernel debugger (not acceptable: we want to remain in userland)
  • DLL injection: inject code into the subprocess so that it overwrites the desired function addresses

The bases for DLL injection are already here:

  • libzzuf's sys.c contains the following:
    • A LoadLibraryA_orig pointer that should be filled with the address of the real LoadLibraryA function
    • A LoadLibraryA_new function that calls LoadLibraryA_new and displays a debug message
    • An insert_func function that replaces a given function address in the current process' address space
    • Code in _zz_sys_init that calls insert_func for each function we want to overwrite (currently only LoadLibraryA is affected; in the future, this will iterate over a global array)
  • libzzuf's libzzuf.c contains a DllMain entry that calls _zz_init upon load, which in turn causes _zz_sys_init to be called.
  • zzuf's zzuf.c contains the following:
    • A dll_inject function that writes bytecode into the subprocess' address space which basically does LoadLibraryA("libzzuf.dll")
    • A get_entry function that gets the entry point address of a given executable file
    • Code in the run_process function that tries to fork a subprocess in paused state, inject the desired code, and resume it

All these functions seem to be consistent, but their combination does not seem to work. The expected result: any program that calls LoadLibraryA should display a warning message. What happens: nothing. I tested it with a simple program such as this one: 

#include <windows.h>

int main(void)
{
    AllocConsole();
    fprintf(stderr, "before\n");
    LoadLibraryA("whatever");
    fprintf(stderr, "after\n");
    getchar();
}

And the command line: 

zzuf.exe -d test.exe

Change History (2)

comment:1 Changed 15 years ago by Sam Hocevar

Assigning to myself until someone improves [1701].

comment:2 Changed 15 years ago by Sam Hocevar

Description: modified (diff)
Note: See TracTickets for help on using tickets.