如何从dll获取稳定的地址？ [英] How to get stable Address from a dll?

问题描述

一个DLL有一组其他应用程序可以调用的导出函数。通常要调用这些函数，您可以使用函数名或序号。

在 MSO.dll 中，的导出入口点到DLL没有名字，所以我不能通过正常的方式调用我想要的实用功能。

有一点Google搜索我碰到一个博客，声称已经找到了稳定的地址（不改变地址）到我想要调用的功能。

这些地址的问题是他们不能被视为从一个Office版本到另一个版本，或者甚至从一个更新到另一个更新。所以我需要了解Lee Benfield如何在 MSO.dll 中找到这些稳定的地址，当他写了他的

这是我写的一些代码，找到这些地址：

  #include< Windows.h> 
 #include< stdint.h> 
 #include< iostream> 
 #include< map> 
 
 int main（）
 {
 HMODULE hGetProcIDDLL = LoadLibrary（C：\\Program Files\\Microsoft Office 15\\\\\ \\vfs\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE15\\\\mso.dll）; 
 
 PIMAGE_NT_HEADERS header =（PIMAGE_NT_HEADERS）（（char *）hGetProcIDDLL +（（PIMAGE_DOS_HEADER）hGetProcIDDLL） - > e_lfanew）; 
 PIMAGE_EXPORT_DIRECTORY exports =（PIMAGE_EXPORT_DIRECTORY）（（char *）hGetProcIDDLL + header-> 
 OptionalHeader.DataDirectory [IMAGE_DIRECTORY_ENTRY_EXPORT] .VirtualAddress）; 
 
 char ** names =（char **）（（int）hGetProcIDDLL + exports-> AddressOfNames）; 
 std :: cout<<< 功能总数：<< exports-> NumberOfFunction<<<的std :: ENDL; 
 std :: cout<<< Total＃of named functions：<< exports-> NumberOfNames<<<的std :: ENDL; 
 
 std :: map< uintptr_t，char *> addressToName; 
 
 for（uint16_t i = 0; i< exports-> NumberOfNames; i ++）
 {
 char * name =（char *）hGetProcIDDLL +（int）names [一世]; 
 void * fn = GetProcAddress（hGetProcIDDLL，name）; 
 addressToName [（uintptr_t）fn] = name; 
 // std :: cout<<< Export：Name：<<名称<< 地址：<< fn < \\\
; 
 
} 
 
（uint16_t i = 1; i< exports-> NumberOfFunction; i ++）
 {
 void * fn = GetProcAddress hGetProcIDDLL，MAKEINTRESOURCE（i））; 
 std :: map< uintptr_t，char *> :: iterator it; 
 it = addressToName.find（（uintptr_t）fn）; 
 std :: cout<<< oridinal＃：<< i< address：<< fn < 名称：<< （it！= addressToName.end（）？it-> second：N\\A）<< \\\
; 
} 
 
 //释放DLL模块。 
 if（！FreeLibrary（hGetProcIDDLL））
 {
 return E_FAIL; 
} 
 
 return 0; 
} 
  

它本质上与

请参阅 bin dump 1 和

我的问题有几个部分：

1. 什么使高阶字稳定，低位字变化？




2. 如何获得稳定的地址发现在MSO.dll？




3. 如何找出哪一个是 clearclipboard 和 getClipboardCount 函数应该找到一个稳定的地址？

解决方案

1。）什么使高阶字稳定，低阶字变化？ - 起初这根本不是真的。如果采用CONCRETE二进制mso.dll - 每个func都有一些RVA（相对VA从模块基础）。但是如果您采取任何其他mso.dll构建 - 几乎100％的可能性 - 你有另一个RVA的功能。你寻找VA - 绝对地址。但VA = ImageBase + RVA，其中加载了mso.dll的ImageBase - 地址（HMODULE）。然而，它调用所有时间负载在不同的地址（ASLR） - 所以VA将根本不稳定。 RVA将稳定只有当您使用相同的mso.dll版本（在另一个版本和RVA将是另一个）

2。）如何获得稳定的地址，李在MSO.dll中找到？ - 李没有找到。这一点，正如我所描述的，错误的问题。如果函数导出 - 你可以通过名称或序数来获得地址（顺序可能也不稳定，但这非常依赖于dll）。也可能，如果你有pdb文件，获取公共符号地址（RVA），从pdb按名称（即使不导出符号）

3）我如何找到哪一个是clearclipboard和getClipboardCount函数，我应该找到一个稳定的地址？ - 再次 - 没有任何稳定的地址存在。仅在pdb中导出或符号

A DLL has a set of exported functions that other applications can call. Typically to call these functions you either have a function name or an ordinal number.

In MSO.dll, most of the exported entry points to the DLL don't have names, so I can't call the function I want pragmatically by normal means.

Upon a bit of Google searching I ran into a blogger that claims to have found stable addresses (addresses that don't change) to the very function I want to call.

The issue with these addresses is that they can't be counted on to be the same from one release of Office to another, or even from one update to the next. So I need to find out how Lee Benfield found these stable addresses in MSO.dll when he wrote his blog post. You can find the source code on his blog.

The portion of Lee's code I am trying to understand:

Here is some code I wrote to find these addresses:

#include <Windows.h>
#include <stdint.h>
#include <iostream>
#include <map>

int main()
{
    HMODULE hGetProcIDDLL = LoadLibrary("C:\\Program Files\\Microsoft Office 15\\root\\vfs\\ProgramFilesCommonX86\\Microsoft Shared\\OFFICE15\\mso.dll");

    PIMAGE_NT_HEADERS header = (PIMAGE_NT_HEADERS)((char *)hGetProcIDDLL + ((PIMAGE_DOS_HEADER)hGetProcIDDLL)->e_lfanew);
    PIMAGE_EXPORT_DIRECTORY exports = (PIMAGE_EXPORT_DIRECTORY)((char *)hGetProcIDDLL + header->
        OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

    char** names = (char**)((int)hGetProcIDDLL + exports->AddressOfNames);
    std::cout << "Total # of functions: " << exports->NumberOfFunctions << std::endl;
    std::cout << "Total # of named functions: " << exports->NumberOfNames << std::endl;

    std::map<uintptr_t, char*> addressToName;

    for (uint16_t i = 0; i < exports->NumberOfNames; i++)
    {
        char* name = (char*)hGetProcIDDLL + (int)names[i];
        void* fn = GetProcAddress(hGetProcIDDLL, name);
        addressToName[(uintptr_t)fn] = name;
        //std::cout << "Export: Name: " << name << " Address: " << fn << "\n";

    }

    for (uint16_t i = 1; i < exports->NumberOfFunctions; i++)
    {
        void* fn = GetProcAddress(hGetProcIDDLL, MAKEINTRESOURCE(i));
        std::map<uintptr_t, char*>::iterator it;
        it = addressToName.find((uintptr_t)fn);
        std::cout << "oridinal #: " << i << " address: " << fn << " Name: " << (it != addressToName.end() ? it->second : "N\\A") << "\n";
    }

    // Free the DLL module.
    if (!FreeLibrary(hGetProcIDDLL))
    {
        return E_FAIL;
    }

    return 0;
}

It essentially does the same thing as Dumpbin.exe /Export, but also prints out the procAddress, name, and ordinal value. Below you can see a picture of a diff of two runs. The two byte of the higher order word are stable.

see bin dump 1 and bin dump 2.

My question has a few parts:

1. what makes the higher order word stable and the lower order word vary?

2. how do I get the stable addresses that Lee found in the MSO.dll?

3. how do I find out which one is the clearclipboard and getClipboardCount function should I find a stable address?

解决方案

1.) "what makes the higher order word stable and the lower order word vary?" - at first this is not true at all. if take CONCRETE binary mso.dll - every func have some RVA (relative VA from module base). but if you take any another mso.dll build - with almost 100% posibility - you got another RVA for functions. you looking for VA - absolute address. but VA = ImageBase + RVA, where ImageBase - address(HMODULE) at which your mso.dll is loaded. however it call all time load at different addreses (ASLR) - so VA will be not stable at all. RVA will be stable only while you use same mso.dll version (in another versions and RVA will be another)

2.) how do I get the stable addresses that Lee found in the MSO.dll? - Lee nothing found. this, as i describe, mistake question at all. if function exported - you can got in address by name or ordinal (ordinal may be also not stable, but this is very depended from dll). also possible, if you have pdb file, get public symbol address (RVA), from pdb by name(even for not exported symbols)

3)how do I find out which one is the clearclipboard and getClipboardCount function should I find a stable address? - again - no any "stable address" exist. only exports or symbols in pdb

这篇关于如何从dll获取稳定的地址？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！