Back to General and Gameplay Programming

Problem with loading a DLL through a code cave

Falcon22 · 2014-02-03T00:14:31

Hello, I am trying to load a certain dll from inside a certain .exe of which I don't have the source code. So I tried to do it with a code cave which seemed like a good option, but I am experiencing some trouble. This is what I have so far: I first load the .exe in ollydebugger then I select the exe module with ALT + E. then I make sure I have at least 5 bytes of free space somewhere in the stack, in this case I did that by replacing the following asm commands with NOP's: 004BF23B 8BF2 MOV ESI,EDX 004BF23D 8BD8 MOV EBX,EAX 004BF23F 94 XCHG EAX,ESP After that I go to the bottom to find some free space and add this code: 0052152A 90 NOP 0052152B 68 87155200 PUSH some.00521587 ; ASCII "some.dll" 00521530 E8 42349B76 CALL kernel32.LoadLibraryA 00521535 90 NOP ..... 8BF2 MOV ESI,EDX ..... 8BD8 MOV EBX,EAX ..... 94 XCHG EAX,ESP 00521536 68 FDF04B00 PUSH <some.codecave.Return> 0052153B C3 RETN I declared the ASCII somewhere above this code in the stack, also in some free space. The "codecave.Return" label is attached to the command right below the free space I made, so it would normally come after "XCHG EAX, ESP". Finally I replaced the 5 bytes of free space with this command: 004BF23B E9 E7220600 JMP <some.codecave.MyCodeCave> which makes it jump straight to the beginning of the code you see in the second code window. then I right click and do "copy all modifications to executable", when another window which shows the selection of what I modified appears, I right click again and do "save" and I enter another name than the original. So when I have the dll in the same folder as the edited executable it still doesnt load it, the executable doesnt even start. I hope someone can tell me what I did wrong. Thanks alot in advance!

General and Gameplay Programming Programming

Started by Falcon22 January 29, 2014 08:51 PM

19 comments, last by Nypyren 10 years, 2 months ago

ApochPiQ

23,138

January 30, 2014 09:47 PM

That's just zeroed bytes. It doesn't mean the memory it corresponds to is actually executable.

Wielder of the Sacred Wands
[Work - ArenaNet] [Epoch Language] [Scribblings]

Falcon22

110

Author

January 30, 2014 09:52 PM

Alright so where should I place my codecave then?

ApochPiQ

23,138

January 30, 2014 10:16 PM

It needs to go somewhere where you know it will be loaded by the OS into an executable memory page. We can't tell without the EXE itself where that might be, so you'll have to look at how PE loading works as well as understand the structure of the actual binary you're trying to modify.

Or you could just do what was suggested earlier, and launch the process under a debugger to see why it won't run.

Wielder of the Sacred Wands
[Work - ArenaNet] [Epoch Language] [Scribblings]

Falcon22

110

Author

January 30, 2014 10:36 PM

But does the fact that the size of the modded exe isn't different from the original size, already tell me that the part I am using for my code cave isn't loaded by the OS?

Nypyren

12,313

January 30, 2014 10:58 PM

But does the fact that the size of the modded exe isn't different from the original size, already tell me that the part I am using for my code cave isn't loaded by the OS?

When the program is actually loaded into RAM there will be padding at the end of the code section until the next page size boundary (Typically 4096 bytes for a 32-bit process, which it looks like yours is). The linker can optionally leave that same amount of padding in the EXE file itself, but it is not required to.

If you load the EXE in a hexeditor and see a bunch of zeros after the "end" of the code but before the start of the next section listed in the PE headers, that's padding, and you can add instructions there without editing the PE headers.

If there's no padding, then you'll have to rearrange the EXE or scavenge space from some unimportant existing code (perhaps a logging function if you can find any).

Falcon22

110

Author

February 02, 2014 04:32 PM

Does anyone here know of any good tutorial which explains the process of fixing an executable with a debugger?

Adam_42

3,664

February 02, 2014 08:53 PM

The first thing to do with a debugger is to work out why it's crashing. You can do that with visual studio in the same way you'd debug any other process without symbols.

If this is some sort of commercial product you're trying to adjust I wouldn't be surprised if simply noping out a single harmless instruction would stop it loading. They will generally have some kind of built in anti-cheating and copy protection code that go to a lot of effort to make it difficult to do much.

ApochPiQ

23,138

February 02, 2014 09:11 PM

Perhaps a more useful question is, what are you trying to accomplish in the first place? If all you want is to get your code loaded into another process, there are far simpler and easier ways - look up DLL injection.

Wielder of the Sacred Wands
[Work - ArenaNet] [Epoch Language] [Scribblings]

Nypyren

12,313

February 02, 2014 09:53 PM

Agreed with Apoch. It's easier to just CreateProcess(suspended), VirtualAllocEx, WriteProcessMemory and CreateRemoteThread to load a DLL into another process than it is to find space in the existing EXE and patch it.

Falcon22

110

Author

February 02, 2014 10:14 PM

Thanks alot for the replies guys, I am aware of dll injection and how it works. But I really need to have this dll loaded when the exe, that I am modifying, starts. Without depending on other executables like dll injectors.

I think code caving is my best option.

Problem with loading a DLL through a code cave

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

Problem with loading a DLL through a code cave

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

Reticulating splines