Solved

Exported functions from injected DLL

Posted on 2004-04-19
9
714 Views
Last Modified: 2010-04-05
I am injecting a DLL into another EXE process. The other EXE process has other DLL's loaded into it.
What I want to do is use the exported functions of the other DLL's. The other DLL doesn't have actual function names but I do have the cardinal name of the function.
Here is an example of a function from the DLL. This is the GetTextWidth function:

type
TGetTextWidth=function(text: widestring): integer;
var
GetTextWidth: TGetTextWidth;
myint: integer;
begin
hmod:=GetModuleHandle('EXTRAFUNCS.DLL');
@GetTextWidth:=GetProcAddress(hmod,pchar($2789));
myint:=GetTextWidth('test');

for some reason the value returned is always "504". I believe this is the address or offset to the value but it is Definetly not the correct value. (I haven't tried booting my computer to see if it changes).

Another note:the DLL is made in C++. The function GetTextWidth goes like this : int __fastcall, (wchar_t * wText)

I need to know if I am declaring the function wrong or calling it wrong. Any help is appreciated and will get some points. Thanks!
0
Comment
Question by:GiulianoB
  • 5
  • 4
9 Comments
 
LVL 20

Expert Comment

by:Madshi
ID: 10866362
It has to be:

type TGetTextWidth=function(text: PWideChar): integer;

C++ doesn't know Delphi's "wideString" type.
0
 

Author Comment

by:GiulianoB
ID: 10867519
that didn't make a difference. Am I calling GetProcAddress correctly to get an ordinal function ?
0
 
LVL 20

Expert Comment

by:Madshi
ID: 10867535
Looks alright to me.

Try using this:

var strVar;
begin
  madDisAsm.ParseFunction(@GetTextWidth, strVar);

Then save that strVar into a text file and post it here. Maybe we can see what's wrong then.
0
 

Author Comment

by:GiulianoB
ID: 10867549
what type is strVar ?
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:GiulianoB
ID: 10867568
6f8aa2a0 public #10121:                   ; function entry point
6f8aa2a0   push    ebx
6f8aa2a1   push    ebp
6f8aa2a2   push    esi
6f8aa2a3   push    edi
6f8aa2a4   mov     esi, ecx
6f8aa2a6   call    dword ptr [$6f8ba06c]  ; ?strlen@Unicode@@SIHPBU1@@Z
6f8aa2a6
6f8aa2ac   xor     edi, edi
6f8aa2ae   xor     ebx, ebx
6f8aa2b0   cmp     [esi], di
6f8aa2b3   mov     ebp, eax
6f8aa2b5   jz      loc_6f8aa2db
6f8aa2b5
6f8aa2b7 loc_6f8aa2b7:
6f8aa2b7   cmp     edi, ebp
6f8aa2b9   jge     loc_6f8aa2db
6f8aa2b9
6f8aa2bb   mov     cx, [esi]
6f8aa2be   cmp     cx, $a
6f8aa2c2   jz      loc_6f8aa2d1
6f8aa2c2
6f8aa2c4   call    dword ptr [$6f8fe20c]
6f8aa2c4
6f8aa2ca   xor     ecx, ecx
6f8aa2cc   mov     cl, [eax+3]
6f8aa2cf   add     ebx, ecx
6f8aa2d1
6f8aa2d1 loc_6f8aa2d1:
6f8aa2d1   add     esi, 2
6f8aa2d4   inc     edi
6f8aa2d5   cmp     word ptr [esi], 0
6f8aa2d9   jnz     loc_6f8aa2b7
6f8aa2d9
6f8aa2db loc_6f8aa2db:
6f8aa2db   pop     edi
6f8aa2dc   pop     esi
6f8aa2dd   mov     eax, ebx
6f8aa2df   pop     ebp
6f8aa2e0   pop     ebx
6f8aa2e1   ret
0
 
LVL 20

Accepted Solution

by:
Madshi earned 135 total points
ID: 10868233
Hmmmm... Delphi stores the first parameter in EAX, C++ seems to use ECX when using fastcall. Try this:

type TGetTextWidth=function(dummy1, dummy2: integer; text: PWideChar): integer;

Fill in 0 for the dummy parameters.
0
 

Author Comment

by:GiulianoB
ID: 10871553
Wow! You never seize to amaze me Madshi ^_^

Looking at the ASM code my only guess is that we want to store the parameter in ECX so the first two pushes, you put the dummy ints for them.
is that right ?
0
 

Author Comment

by:GiulianoB
ID: 10871596
btw: Delphi doesn't have any way to do fastcalls ?
0
 
LVL 20

Expert Comment

by:Madshi
ID: 10875563
>> is that right ?

Yes.

>> btw: Delphi doesn't have any way to do fastcalls ?

Not directly. But seemingly you can simulate it with those dummy parameters.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Connection between libmysql.dll and MySQL Versions 7 87
Help on project with Soap 10 47
select query - oracle 16 91
Multiple image collision 13 69
Introduction Raise your hands if you were as upset with FireMonkey as I was when I discovered that there was no TListview.  I use TListView in almost all of my applications I've written, and I was not going to compromise by resorting to TStringGrid…
In my programming career I have only very rarely run into situations where operator overloading would be of any use in my work.  Normally those situations involved math with either overly large numbers (hundreds of thousands of digits or accuracy re…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

947 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now