How to run a PE image without linking kernel32.dll and ntdll.dll


Question


I tried to write a PE loader. I first load the executable image and all its dependent DLLs (including kernel32.dll and ntdll.dll) into memory, process all import address tables, and rewrite all data that needs relocation.


Then I call each image's EntryPoint in order. I get the return code 0 from ntdll.dll's EntryPoint, but kernel32.dll returns 0xC0000000. When I tried to call the executable image's EntryPoint, the program crashed.


I know the Windows system already loads ntdll.dll and kernel32.dll into process memory when the process is created. My question is: how can I load another copy of ntdll.dll and kernel32.dll into memory, and link my module to the copies?

I did an experiment:

  1. copy ntdll.dll -> a.dll

  2. copy kernel32.dll -> b.dll

  3. modify the PE image file b.dll so that it depends on a.dll instead of ntdll.dll

  4. write a simple program a.exe, and modify the PE image file a.exe so that it depends on b.dll instead of kernel32.dll

  5. run a.exe, and the program crashes


Is it possible to make a.exe run correctly?


It's my first question on Stack Overflow, sorry for my poor English. Thanks.

Answer


I don't think you can do this. kernel32.dll and ntdll.dll, AFAIK, are not relocatable. That is, MS removed the relocation information from them because, as they are already loaded in every process, their assigned addresses are always available, by design.


So, if you try to load them into a different address, well, they'll crash. You could theoretically try to rebuild the relocation information for them... but I wouldn't bet on it.


My question in turn is: why can't you use the preloaded kernel32/ntdll? Why do you feel that you need private copies? As I see it, you should consider them the system API, and so leave them alone.
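The answer's claim turns on whether an image actually carries base-relocation data. The following script is an added example, written for this page and not taken from the question, the answer or any project: it parses the DOS, COFF and optional headers of a PE file and reports the three fields that decide whether a loader can map the image at an address other than its ImageBase, namely the IMAGE_FILE_RELOCS_STRIPPED flag in the COFF header, the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag, and the base-relocation data directory (index 5). The `build_sample_pe32plus` fixture constructs a minimal, non-runnable PE32+ header in memory so the check can be exercised offline; the RVA and size it places in the relocation directory are constructed values, not those of any real DLL.

```python
"""Report whether a PE image can be rebased (added example, not the page's code)."""
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001            # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts into ASLR
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def inspect_relocatability(image: bytes) -> dict:
    """Walk DOS -> PE signature -> COFF -> optional header and collect relocation facts."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
        num_dirs_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
        num_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", image, opt + num_dirs_off)[0]
    reloc_rva = reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:   # directory may be absent
        entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC
        reloc_rva, reloc_size = struct.unpack_from("<II", image, entry)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    has_reloc_dir = reloc_rva != 0 and reloc_size != 0
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "relocs_stripped_flag": relocs_stripped,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "has_reloc_directory": has_reloc_dir,
        # A loader can only rebase when there are fix-ups to apply.
        "can_rebase": has_reloc_dir and not relocs_stripped,
    }


def build_sample_pe32plus(*, keep_relocs: bool, dynamic_base: bool) -> bytes:
    """Constructed PE32+ header with no sections; a test fixture, not a real DLL."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x2022  # EXECUTABLE_IMAGE | DLL | LARGE_ADDRESS_AWARE
    if not keep_relocs:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    opt_size = 112 + 8 * 16   # PE32+ fixed part plus 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, characteristics)
    dll_chars = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0
    opt = struct.pack(
        "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
        PE32PLUS_MAGIC, 14, 0,               # Magic, linker version
        0, 0, 0, 0x1000, 0x1000,             # code/data sizes, entry point, BaseOfCode
        0x180000000,                         # ImageBase (constructed)
        0x1000, 0x200,                       # SectionAlignment, FileAlignment
        6, 0, 0, 0, 6, 0,                    # OS / image / subsystem versions
        0, 0x2000, 0x200, 0,                 # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, dll_chars,                        # Subsystem (GUI), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0, 16,                               # LoaderFlags, NumberOfRvaAndSizes
    )
    dirs = [(0, 0)] * 16
    if keep_relocs:
        dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x3000, 0x40)  # constructed RVA/size
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    # Usage: python pe_reloc_check.py <path-to-pe-file>; falls back to the fixture.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe32plus(keep_relocs=True, dynamic_base=True)
    for key, value in inspect_relocatability(data).items():
        print(f"{key:22} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:22} {value}")
```

Run it against a real DLL to see what the loader itself would see: an image reporting `relocs_stripped_flag True` or an empty relocation directory cannot be placed anywhere but its ImageBase, which is the failure the answer predicts for a private copy mapped at a second address.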
