Find address of DLL - Same Instance

Hi

How do I get a list of the DLLs associated with another application?
And then get the address of the DLL?

The whole idea is that I will set up a filter in the list function, so that when, let's say, it finds a DLL called "a.dll", it collects the address.

So when I have the address I can call this dll with a function (GetProcAddress). Then I use the same instance.

DelphiUK Asked:
 
DelphiUK Author Commented:
I have now tried some things. And it seems to me that it is not possible, just like "cebasso" wrote.

I was able to get the absolute address for a function in a dll which was loaded by another external application.

Then I was thinking, when I try to run the function by assigning the address instead of using "GetProcAddress" I get an error.
In assembly it would look like this
asm
  mov eax, Function_DLL_Address  // load the absolute address obtained for the function
  call eax                       // call the function
end

This is not possible because the dll file was loaded by the external application, not by this application. The call function will try to go to this address within the application memory area. And since the dll isn't in the memory area for this application, an error occurs.

That is my version of the problem. Maybe someone has another version of the problem.

"This application" means the application that is trying to obtain the absolute address and run the function. So there is only one instance.

0
 
cebasso Commented:
I think it's not possible... using the "handle" of a DLL loaded from another app...
You can use GetModuleHandle, but it works only when the DLL was already loaded by the caller... like "kernel32.dll" for example, that is always loaded by any app
so to use any function from Kernel32.dll, you don't need to load it again dynamically, you can call GetModuleHandle since it's already loaded by the app
the method above by @systan you can really load dynamically but, how will you get the DLL handle that was loaded by another app?
I already tried this one time... to share variables and other things... all my answers here and in other forums were "not possible" :/
maybe I'm wrong and I hope I am... but I think it's really not possible
regards
0

 
CodedK Commented:
You can get the list of all DLLs that are exported from the application though (...along with the addresses).

Something like this :

dexp.gif
0
 
DelphiUK Author Commented:
Ok, but how do I do it??
0
 
DelphiUK Author Commented:
But if I get the exported list, I don't find the same address that the other application has loaded. Because that address could change from time to time when it is loaded. So I don't find the same instance??
0
 
DelphiUK Author Commented:
I have tried with the code below.
"GetCurrentProcess" is replaced with the handle of the external application.

It works, BUT it only lists the system DLLs. It doesn't list any custom DLLs which the external application uses (the custom DLL is loaded with the LoadLibrary function).
The code below can only receive the handle number from the custom DLL, not the file name. So when I only have the DLL handle number it could be difficult to find the right handle because I don't know which one??

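// uses Windows, PsAPI, SysUtils
var mods: array[0..1023] of DWORD;
    need: Cardinal;
    cnt: Integer;
    file_name: array[0..MAX_PATH] of Char;
begin
  FillChar(mods, SizeOf(mods), 0);
  need := 0;
  // The cb argument and the returned "need" are byte counts, not module counts
  if not EnumProcessModules(GetCurrentProcess, @mods[0], SizeOf(mods), need) then
    Exit;
  if need > SizeOf(mods) then
    need := SizeOf(mods);
  for cnt := 0 to Integer(need div SizeOf(mods[0])) - 1 do begin
    // GetModuleFileName and GetModuleHandle look the module up in the calling process;
    // PsAPI's GetModuleFileNameEx takes the handle of the process that owns the module
    GetModuleFileName(mods[cnt], file_name, MAX_PATH);
    Memo1.Lines.Add(ExtractFileName(file_name) + ' ' + (IntToStr(GetModuleHandle(file_name))));
  end;
end;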


0
 
CodedK Commented:
I can get the list of all the functions with Delphi but I can't get relative addresses.
Use NirSoft application if possible.
http://www.nirsoft.net/utils/dll_export_viewer.html
0
 
DelphiUK Author Commented:
Okay, but I need the absolute address. Is there a way maybe to calculate the absolute address, so I get the same instance??

Or is there another way to solve the problem?
0
 
DelphiUK Author Commented:
A way to do it could be to read the Relative Virtual Address in the dll file (PE Format). And then calculate the absolute address by changing the formula below.


Relative Virtual Address
RVA = Absolute Address in memory – Base address


0
 
DelphiUK Author Commented:
absolute address = module base address + relative address.
0
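The formula in the two posts above, as an added example that is not part of the thread or any poster's code: it reads an exported function's RVA from the DLL file's export directory and adds a module base to it. The image built by `build_sample_dll`, the export name `Hello` and the base `0x03A20000` are constructed for illustration, and Python is used only so the parser runs without a Windows toolchain.

```python
import struct

def export_rvas(pe: bytes) -> dict:
    """Return {exported name: RVA} read from a PE file's export directory."""
    u16 = lambda o: struct.unpack_from("<H", pe, o)[0]
    u32 = lambda o: struct.unpack_from("<I", pe, o)[0]
    nt = u32(0x3C)                                   # e_lfanew: offset of "PE\0\0"
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                                    # optional header
    dirs = opt + {0x10B: 96, 0x20B: 112}[u16(opt)]   # data directories: PE32 / PE32+
    exp_rva, exp_size = u32(dirs), u32(dirs + 4)     # directory entry 0 = exports
    sect = opt + u16(nt + 20)                        # section table follows optional header
    sections = [struct.unpack_from("<IIII", pe, sect + 40 * i + 8) for i in range(u16(nt + 6))]
    def off(rva):                                    # RVA -> file offset via section table
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + rva - va
        raise ValueError("RVA %#x lies outside every section" % rva)
    if exp_rva == 0:
        return {}                                    # image exports nothing
    n_names, funcs, names, ords = struct.unpack_from("<IIII", pe, off(exp_rva) + 24)
    out = {}
    for i in range(n_names):
        start = off(u32(off(names) + 4 * i))
        name = pe[start:pe.index(b"\0", start)].decode("ascii")
        rva = u32(off(funcs) + 4 * u16(off(ords) + 2 * i))
        if not exp_rva <= rva < exp_rva + exp_size:  # inside the directory = forwarder string
            out[name] = rva
    return out

def absolute_address(pe: bytes, name: str, module_base: int) -> int:
    """module_base: where the owning process mapped the DLL (e.g. from EnumProcessModules)."""
    return module_base + export_rvas(pe)[name]

def build_sample_dll() -> bytes:
    """Constructed minimal PE32 image exporting Hello at RVA 0x1100 (sample data)."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                          # e_lfanew
    struct.pack_into("<HH12xHH", img, 0x44, 0x14C, 1, 0xE0, 0x2102)  # COFF header, 1 section
    struct.pack_into("<H", img, 0x58, 0x10B)                         # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96, 0x1000, 0x41)            # export dir RVA, size
    struct.pack_into("<8sIIII", img, 0x138, b".edata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<12xIIIIIII", img, 0x200, 0x1038, 1, 1, 1, 0x1028, 0x102C, 0x1030)
    struct.pack_into("<IIH", img, 0x228, 0x1100, 0x1032, 0)          # function, name, ordinal
    img[0x232:0x241] = b"Hello\0test.dll\0"
    return bytes(img)
```

The value returned by `absolute_address` is a virtual address in the process that mapped the DLL at that base; in any other process the same number refers to that process's own address space.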
 
systan Commented:
Hello

Since this post will be deleted,
Just asking, are you trying to make an antivirus or a virus? or like a PE explorer?

and a question for this:
Relative Virtual Address
RVA = Absolute Address in memory – Base address
absolute address = module base address + relative address.

I can't find the RVA in a PE explorer, what do you mean absolute address? is it the Address of Entrypoint?
Base Address? is it the <Image Base> in other words?
Relative address? in other words <entrypoint>?
0
 
DelphiUK Author Commented:
I am trying to make a program like PE explorer.

When I am writing "absolute address" I mean the real address where I can find the address in the memory.

Because the relative address is only where I can find the function IF the dll module has been loaded into the memory starting with the image base address.

And it is not possible all the time, so I need to find the absolute address.

0
 
systan Commented:
So, in other words, you need to know the RVAddress of each function inside all the .dLLs or the .dLL you want?  I hope this is possible.
0
 
systan Commented:
Oh!

Your post about "GetProcAddress without LoadLibrary only by knowing handle"
http://www.experts-exchange.com/Programming/Languages/Pascal/Delphi/Q_24765090.html

I've also downloaded the sample code from ThievingSix's link, it works fine, but what's the point of the code? Where can it be applied? Injecting what? Can you give me some detail of what you're achieving here? Why do you ask for GetProcAddress, and now the RVA? What's going to happen if you get all the code right?

0
 
DelphiUK Author Commented:
What I was trying to do is to call a function in a dll which is loaded by another program.

Let's say program "Main.exe" loads "test.dll", function "Hello".

Now I have program "a.exe" that wants to call function "Hello", but with the same instance as "main.exe".

If I use "loadlibrary()" to load "test.dll" in program "a.exe" I don't get the same instance.
So I need to find the address where the program "main.exe" has loaded "test.dll".

To do this I did some reading of the PE format in "test.dll" to get the relative address for function "hello()".
Then I found the image base for "test.dll" in the memory (EnumProcessModules() ).
By adding these two values I got the correct address.

The problem occurs when program "a.exe" tries to call this address directly.
I'm not exactly sure why it won't work, but I did get an error. And when I did debug it I could see the "a.exe" program goes to the correct address. But it didn't work, maybe it is some kind of memory security in Windows???

So what I did to solve this problem was to allocate some memory in "main.exe" from "a.exe" (VirtualAllocEx() ). And then I injected some code in this memory. Then I just called the correct address (adding image base and relative address of the "hello()" function) and it works!

So now it is working.

Of course you need to know if there are some arguments for the "hello()" function. Because it was me who had created the "hello()" function, I did know if there were any arguments.

I am only doing this to do some experiments. To learn more about Windows memory and how it works.
0
 
systan Commented:
hello

Can you send me a demo of your work, that you said <and it works!
So now it is working.>

You can attach a file here, just rename your .EXE and .DLL to bmp, or jpg

I'm interested in your explorations.  Please let me have the files, so I may understand it well, if you're willing to.

Thanks
Good luck with your project.
0
 
DelphiUK Author Commented:
Okay I will make a demo for you, I will do it tomorrow.
0
 
systan Commented:
I'm excited to know what you are trying to do,
I'll be waiting...

I hope you can send it before this post is closed
0
 
systan Commented:
Oops!  I don't think I can have the sample .EXE .DLL .DLL .EXE code,  but  I'll  be waiting for the result ... just comment on my open post if you got one.
Thanks
0
 
systan Commented:
Oh! Sorry, I think you clicked the Object Button to keep this post open. Ok, thank you again, I'll wait for the demo (I'm just too excited), and if you haven't found the RVA, just tell me, I can help you find it to close this post.
0
 
systan Commented:
Ok, I'll wait for the demo, now that has been closed.
0
 
DelphiUK Author Commented:
I will create it tomorrow again... I had been busy today
0
 
DelphiUK Author Commented:
Here you got the sample. You have to rename the file to .RAR.

Demo.bmp
0
 
systan Commented:
Thanks, I'll view it.
0
 
systan Commented:
Amazing mine,
I think you're building an antivirus, good work.
Thanks.
0