-
-
Save livz/f690953589e27f1f19c71d51aeb480ba to your computer and use it in GitHub Desktop.
Dynamic load - manual
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Compile with cl: | |
| * cl /nologo /EHsc DllDynamic3.c | |
| * | |
| */ | |
| #include <Windows.h> | |
| typedef int (WINAPI * ptrMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT); | |
| typedef HANDLE (WINAPI *ptrLoadLibraryA)(LPCTSTR); | |
| ptrMessageBox fMessageBox; | |
| ptrLoadLibraryA fLoadLibraryA; | |
| // Must be defined globally, outside main() | |
| char libName[] = "user32.dll"; | |
| int main(int argc, char **argv) | |
| { | |
| /* Resolve imports */ | |
| HMODULE hUser32; | |
| unsigned jumpAddr = 0x771d395c; // LoadLibraryA address | |
| // Load library using inline assembly to jump inside LoadLibraryA | |
| __asm | |
| { | |
| start: | |
| // Push library name parameter | |
| mov eax, offset libName | |
| push eax | |
| // Get and push return address | |
| call get_eip | |
| add eax, 11 // end offset | |
| push eax | |
| // Transfer execution | |
| jmp jumpAddr | |
| get_eip: | |
| mov eax, [esp] | |
| ret | |
| end: | |
| mov hUser32, eax | |
| } | |
| fMessageBox = (ptrMessageBox) GetProcAddress(hUser32, "MessageBoxA"); | |
| if (NULL == fMessageBox) { | |
| printf("Error loading function."); | |
| return 1; | |
| } | |
| fMessageBox(NULL, "A process is loading the DLL", "Title", MB_OK); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment