Finish the Win32 port

[Sam Hocevar]

Strategies

There is no such thing as LD_PRELOAD on Win32. Several strategies exist to mimic the Unix functionality:

• Use the AppInit_DLLs registry key (not acceptable: it affects all executables and requires a reboot for changes to be taken into account, although there is at least one interesting ​use of this feature)
• Act as a kernel debugger (not acceptable: we want to remain in userland)
• DLL injection: inject code into the subprocess so that it overwrites the desired function addresses

Code already in zzuf

The bases for DLL injection are already here:

• libzzuf's sys.c contains the following:
  • A LoadLibraryA_orig pointer that should be filled with the address of the real LoadLibraryA function
  • A LoadLibraryA_new function that calls LoadLibraryA_new and displays a debug message
  • An insert_func function that replaces a given function address in the current process' address space
  • Code in _zz_sys_init that calls insert_func for each function we want to overwrite (currently only LoadLibraryA is affected; in the future, this will iterate over a global array)
• libzzuf's libzzuf.c contains a DllMain entry that calls _zz_init upon load, which in turn causes _zz_sys_init to be called.
• zzuf's zzuf.c contains the following:
  • A dll_inject function that writes bytecode into the subprocess' address space which basically does LoadLibraryA("libzzuf.dll")
  • A get_entry function that gets the entry point address of a given executable file
  • Code in the run_process function that tries to fork a subprocess in paused state, inject the desired code, and resume it

All these functions seem to be consistent, but their combination does not seem to work (yet).

Expected workflow

What should happen in zzuf:

• zzuf enters run_process() to call the target binary
• run_process calls get_entry() to retrieve the target binary's entry point
• run_process runs the binary in suspended mode
• run_process calls dll_inject() to inject our dll-loading code at the target binary's entry point
• run_process resumes the binary's execution

What should happen in the target binary:

• we get started in suspended mode
• 78 bytes of code containing a DLL loader are allocated in our address space by zzuf
• our entry point is overwritten by zzuf with the DLL loader's address
• our execution is resumed by zzuf

Current behaviour

The real zzuf diversions are not implemented for Win32. For now, only LoadLibraryA is diverted, for debugging purposes.

The expected result: any program that calls LoadLibraryA should display a warning message. What happens: nothing. I tested it with a simple program such as this one:

#include <windows.h>

int main(void)
{
    AllocConsole();
    fprintf(stderr, "before\n");
    LoadLibraryA("whatever");
    fprintf(stderr, "after\n");
    getchar();
}

And the command line:

zzuf.exe -d test.exe

[Sam Hocevar]

Assigning to myself until someone improves [1701].

[Sam Hocevar]

Better status description.

[Sam Hocevar]

I managed to debug the problem a bit further.

zzuf currently goes as far as dll_inject() but the first call to ReadProcessMemory() immediately fails.

My current guess: epaddr (supposed to contain the process's entry point address) is not valid because of Vista's ​ASLR which completely ignores PIMAGE_NT_HEADERS::OptionalHeader.ImageBase.

Here is what zzuf gets when trying to load zznop:

• 0x00400000 # ImageBase
• 0x00027a64 # AddressOfEntryPoint
• 0x00427a64 # epaddr

But here is what OllyDbg sees when loading the same executable:

• 0x00a90000 # Base
• 0x00ab7a64 # EntryPoint

At least we know the entry point's relative address is correct. What is wrong is the address of the executable when it's mapped into memory.

[Sam Hocevar]

As a temporary workaround, ALSR can be disabled on Vista by setting the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management] dword key MoveImages to 0.

Using this, functions are correctly diverted but other problems arise:

• %esp is corrupted when original functions are called (probably due to missing __stdcall modifiers in function pointer declarations)
• either stdin/stdout inheritance or pipes do not work properly
• process crash detection is untested

[Sam Hocevar]

For more about defeating ALSR:

• ​http://blogs.technet.com/b/mmpc/archive/2009/06/15/bugging-the-debuggers.aspx
• ​http://www.rohitab.com/discuss/topic/34435-get-base-address-via-process-peb-and-hide-from-peb/

[Sam Hocevar]

Closing this bug and reopening smaller ones in order to better follow the Win32 port status.

[OraFULLER35]

The <a href="​http://bestfinance-blog.com/topics/mortgage-loans">mortgage loans</a> are useful for people, which are willing to ground their business. By the way, that is not very hard to receive a student loan.

[StaffordMelanie35]

Perfectly written academic essays are not a problem now because university students are able to ask: " write my essay online ". Last years people did not have got such advantages.

[BrendaConner32]

The best way to get an academic success was to get the hot custom essay service or topics just about this topic, or just get know just about our services selecting the custom essays writing service.

[GINA32Galloway]

Students want buy research paper or buy custom essay papers about this good post, using the support the essays writers.

[QueenLOWERY27]

Different men cannot stop steal someone's ideas for their own stuff. Neverhteless, you are able to pevent stolen stuff with a purpose to save you good name. Hence, utilize check plagiarism.

[ColemanRhea19]

Continue on going that way and I really know that you will get an award, because people buy essays and some friends of mine want buy term papers or superior fact like this topic.

[CHRISTISampson]

The essay writing just about this post, you can detect at the paper writing services. Buy the research paper and custom essay about this post.

[GladysSullivan]

Alone with your essays composing assignment? Do not worry, just because that's practicable to buy term paper anytime at the business writing service.

[MoonSheri27]

Do you understand that great essay writing service can utilize great papers writers and that will be risk-free to order term papers for sale.

[CELESTEHenderson34]

You have to set top gains and you need complete essay assignments of paramount quality for it. Hence, you will probably need buy custom papers. That may be you way to the best results.

[HerreraDena18]

That is very important to select very good optimization and seo packages service experts, because only professionals know strategies of link building.

[Norton28SADIE]

My advise to you is that I will perpetually strive to equip subject that provides perfect value & benefit to you all the time you come to this page. Everytime you visit here I want you to feel that it's time well spent. . I find it very helpful especially when you need college research paper.

[AraceliBullock21]

Very oft, something that seems to be complicated is simple and guys just need to see it! For example, term papers composing supposes to be hard, but, it is just from the first sight! It should be easy if you unclose your feelings and see completely things. Hence, you can just learn how to write term paper, because it is your a different way.

[Barton21Angel]

Everything in the world is related with internet technologies. Traffic optimization becomes actual for guys and they utilize any seo backlinks service to help their sites to be well optimized.

[COOPER26JAIME]

Students in the whole world purchase the already written essay or custom essays at the paper writing service about this good post. People know about the essay writing from the essay writing services.

[TashaMckee28]

I usually dreamt just about academic success, however,did not understand the way to get it. Thus, one my good friend recommended to order the term papers at the essays help service and this worked. At this time, I have got great research essays.

[HOOVERMARION]

Different of paper writing services make the written essays just about this post. Thence, that’s a very good possibility to buy custom essay papers and buy research paper just about this good post.

[LunaMichelle]

Students have a right to choose the essay writing services. There are quantities of academic papers writing corporations in the internet. So, it will be real to choose the most reputable corporation among quantities of frauds!

[CastilloCHERIE]

There’re extraordinary suggestions how to have the academic grade. So, you require look through the theme and just finish the best philosophy essay. The other way is to search for the experienced cheap essay writing service and just purchase research paper online. I hope that helps some people.

[KochTami28]

Accomplishing an academic assignment by your own will be a nice attempt. However, it does not mean that your academic paper can be perfect. Come to the speech and presentation writing company to become assured that all academic custom papers you purchase are non-plagiarized!

[WALLBrigitte34]

Very oft, different guys, which really need the application paper writing, do not actually know the way to find it. But it’s not hard to pay for quality essays from the innovative essay writing service. That is a usual option for some people.

[DickersonMaura]

Students require a lot of time to see the issue of the essay writer paper. But when you don’t have time, it will be great to buy essays. In such way that would be available to save reputation.

[Mavis35Delgado]

Thanks a lot for such good note more or less about this topic ! You should found your own dissertation writing, we think. Just because different thesis writing services make things like that and you are able compose very thesis papers as well.

[FlynnKara27]

Looking for a right solution for your papers problems? It's not a problem! Just get information: "how to do my essay " and everything will be OK.

[PatsyMarks]

I am aware of various ways of advertising such as newspapers, buy, the most effective is SEO and experts of it work for the submission services.

[FrederickMadeline21]

Hey, such a perfect article I detect! I will buy essay just about this good topic at the paper writing service!

[BrockJessie34]

To find facts about this good topic, people purchase essay and custom essays at the term paper writing services. Lots of essays writing services render the essay writing just about this post.

[SHERRIESharpe]

There are many several path ways to get information close to this topic . But I advice to buy an essay and custom essay or buy a term paper detecting the really good writing services.

[LindaKaufman18]

Several years ago I didn't realize that seo links building played great role for websites. Nonetheless, my comrade who was hired at company to buy backlink, explicated me all just about SEO. Therefore, now I realize what my website requires for better PR.