Author Topic: Basic Win32 API DLL file structure + Loader  (Read 12274 times)

Offline encryptor256

  • Full Member
  • **
  • Posts: 250
  • Country: lv
  • Win64 .
    • On Youtube: encryptor256
Basic Win32 API DLL file structure + Loader
« on: July 24, 2013, 11:24:13 AM »
Hello!

This is Basic Win32 API DLL file structure + Loader.

.Things_you_find_here:
  • Create Win32 API DLL File structure.
  • Manage DLL entry procedure and it's parameters.
  • Load with seperate module - loader.
  • How to compile with NASM and link with ALINK.

Ivestigate the code, it's easy.



Create Win32 API DLL File structure, Manage DLL entry procedure and it's parameters.

Create file: "dllmain.asm", and put this following code inside it.
This code will show MessageBox, with text, according to fdwReason value,
there is a small jump table, to find and calculate the right text(address) to display.

Code: [Select]
[BITS 32]

; Export DllMain, so LoadLibrary in other module, could call this
GLOBAL DllMain
EXPORT DllMain

; Import function macro
%MACRO dllimport 2
IMPORT %2 %1
EXTERN %2
%ENDMACRO

; Import some function
dllimport user32.dll, MessageBoxA

DLL_PROCESS_ATTACH equ 1
DLL_THREAD_ATTACH equ 2
DLL_THREAD_DETACH equ 3
DLL_PROCESS_DETACH equ 0

[SEGMENT .DATA USE32]

; fdwReason ------------------------------------------------
text_pa db "DLL_PROCESS_ATTACH",0
text_ta db "DLL_THREAD_ATTACH",0
text_td db "DLL_THREAD_DETACH",0
text_pd db "DLL_PROCESS_DETACH",0

; address jump table
text_ptad_address dd text_pd,text_pa,text_ta,text_td

text_ad db "ebp_fdwReason: %s",0

[SEGMENT .TEXT USE32]

..start:

DllMain:
push ebp
mov ebp,esp

; Dll main parameter location ----------
%define ebp_hinstDLL ebp+8 ; HINSTANCE hinstDLL, // handle to DLL module
%define ebp_fdwReason ebp+12 ; DWORD fdwReason, // reason for calling function
%define ebp_lpvReserved ebp+16 ; LPVOID lpvReserved // reserved
;-------------------------------------

; # MessageBoxA - creates, displays, and operates a message box

push dword 0 ; style of message box

; Find correct address of jump table according to fdwReason value
mov ebx,dword [ebp_fdwReason]
imul ebx,4
add ebx,text_ptad_address

push dword [ebx] ; address of title of message box 
push dword [ebx] ; address of text in message box
push dword 0 ; handle of owner window
call [MessageBoxA]


mov esp,ebp
pop ebp
mov eax,dword 1
ret 12



Load with seperate module - loader.

Create file: "dllloader.asm", and put this following code inside it.
The code will load and free library, you should receive two messages from
dll file, one for load and one for freeing library.

Code: [Select]
[BITS 32]

; Import function macro
%MACRO dllimport 2
IMPORT %2 %1
EXTERN %2
%ENDMACRO

; Import some function
dllimport kernel32.dll, LoadLibraryA
dllimport kernel32.dll, ExitProcess
dllimport kernel32.dll, FreeLibrary

[SEGMENT .DATA USE32]

dllName db "dllmain.dll",0

[SEGMENT .BSS USE32]

hInstDll resb 4

[SEGMENT .TEXT USE32]

..start:

; # Call - LoadLibrary and receive one message: PROCESS ATTACH
push dword dllName
call [LoadLibraryA]
mov [hInstDll],eax

; # Call - FreeLibrary and receive one message: PROCESS DETACH
push dword [hInstDll]
call [FreeLibrary]

; # Terminate program, quit
push dword 0
call [ExitProcess]



How to compile with NASM and link with ALINK.

Put files: "dllmain.asm" and "dllloader.asm" in the same directory.

.MAKE_BUILD_DLL_FILE:

Now lets do some magic and turn dllmain.asm file into dllmain.obj with NASM help,
and then dllmain.obj into dllmain.dll with ALINK help.

NASM cmd command: "nasm -fobj dllmain.asm" (This will produce dllmain.obj)
ALNIK cmd command: "alink -c -dll -oPE -subsys windows dllmain.obj"  (This will produce dllmain.dll)

So, now you should see two new files created in your directory,
dllmain.obj we dont need anymore, and lets keep this other one dllmain.dll. :)

.MAKE_BUILD_DLL_LOADER:

Partly the same thing for this other "dllloader.asm" file.

NASM cmd command: "nasm -fobj dllloader.asm" (This will produce dllloader.obj)
ALNIK cmd command: "alink -c -oPE -subsys windows dllloader.obj"  (This will produce dllloader.exe)

P.S.
!!! You have to set window PATH variable, so Command Promt Console can find those NASM and ALINK exe files.
... wWww...what? you dont want to? Okey, Bkey, CKey, .... :D
 Then copy those nasm.exe and alink.exe also in this "the same directory." Done!

.DO_TEST:

Make sure, dllloader.exe and dllmain.dll is in the same directory.

Now run dllloader.exe, and you should receive two messages, one for loadlibrary and one for freeing library.

DONE, BYE! :)
Encryptor256's Investigation \ Research Department.