DLL Injection Problem

Started by Aikar, April 01, 2009, 02:29:52 AM


Aikar

Hello,

I'm having a weird problem with PECompact2. I've tried various different settings and both LZMA and LZMA2 compression settings.

I work on a 3rd party modification for an online game, so our software injects a DLL into the game on launch (our main code is in the DLL).

I was able to pack the DLL just fine at first and it would work, however I then upgraded my code to use some better coded functions.

Now, with the new code, the program works fine unpacked, however once packed, the DLL no longer is injected into the process.

I checked the module listing for the process, no sign of our DLL.

I tried MANY different project settings thinking maybe it's something wrong with that, and to no avail. So I tried it with a previous backup folder of the code and sure enough it still works when packed.

So to rule out project settings, I brought over the new project to the old source backup to test with new project settings. The app still works just fine when packed.

I was wondering if it was because the Entry Point was moved, but it said it was moved in the old source folder too and it still worked so that was ruled out.

So it has to be some of the new code I have implemented.

edit: Thought it may be one of the 3 new functions added, but I commented out the code and simply returned 0 in it since it's not run until later, and it still exhibits the problem.


Do you have any clue what may be causing this?
last ATTEMPTED flags: (I tried MANY if not every possible combination of settings)
/Sd:Y /Ssh:Yes /Hh:pec2hooks_api_ispacked.dll,pec2hooks_break_un2pec.dll,pec2hooks_api_watermark.dll,pec2hooks_fastimport.dll /Lh:pec2ldr_antidebug.dl

Flags I knew worked previously because I exported it to a .bat file, and no longer works:
/Cl:9 /Dt:Fast /Sd:Y /Ssh:Yes /Emp:Yes

Aikar

Here's a dump of the headers if it helps you :/

E:\Dev\WindowerSVN\hook\branches\DEVEL_3_4\bin>dumpbin /headers hook.dll
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file hook.dll

PE signature found

File Type: DLL

FILE HEADER VALUES
             14C machine (x86)
               3 number of sections
        49D3113F time date stamp Wed Apr 01 03:01:19 2009
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
            2102 characteristics
                   Executable
                   32 bit word machine
                   DLL

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            9.00 linker version
           B7200 size of code
           F8C00 size of initialized data
               0 size of uninitialized data
           5E298 entry point (1005E298)
            1000 base of code
           B9000 base of data
        10000000 image base (10000000 to 101D1FFF)
            1000 section alignment
             200 file alignment
            5.00 operating system version
            3.04 image version
            5.00 subsystem version
               0 Win32 version
          1D2000 size of image
             400 size of headers
           87E5B checksum
               2 subsystem (Windows GUI)
               0 DLL characteristics
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
          1CF1D4 [     179] RVA [size] of Import Directory
          1C5000 [    A119] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
          1D1000 [      30] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
          1D0110 [      44] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
               0 [       0] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

SECTION HEADER #1
   .text name
  1C4000 virtual size
    1000 virtual address (10001000 to 101C4FFF)
   77400 size of raw data
     400 file pointer to raw data (00000400 to 000777FF)
32434550 file pointer to relocation table
    4F4E file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E0000020 flags
         Code
         Execute Read Write

SECTION HEADER #2
   .rsrc name
    C000 virtual size
  1C5000 virtual address (101C5000 to 101D0FFF)
    B200 size of raw data
   77800 file pointer to raw data (00077800 to 000829FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E0000020 flags
         Code
         Execute Read Write

SECTION HEADER #3
  .reloc name
     200 virtual size
  1D1000 virtual address (101D1000 to 101D11FF)
     200 size of raw data
   82A00 file pointer to raw data (00082A00 to 00082BFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

  Summary

        1000 .reloc
        C000 .rsrc
      1C4000 .text

And a copy of the binary (packed version that won't load): http://aikar.us.to/badhook/Hook.dll
If you need a copy of the unpacked version please let me know and I'll email it to you.

Aikar

Here's a dump of the normal unpacked PE.

Dump of file hook.dll.pec2bac

File Type: DLL

  Summary

       16000 .data
        1000 .data1
       1E000 .rdata
        B000 .reloc
       C8000 .rsrc
       A5000 .text
        1000 .tls
        1000 BSS
       18000 CODE
        1000 DATA
        1000 SHARED

And here's another standard dump of one done properly with the GUI with these flags (I notice the one above I did with the console has SHARED stripped):
/Sd:Y /Ssh:Yes /Hh:pec2hooks_api_ispacked.dll,pec2hooks_break_un2pec.dll,pec2hooks_api_watermark.dll,pec2hooks_fastimport.dll /Lh:pec2ldr_antidebug.dll

E:\Dev\WindowerSVN\hook\branches\DEVEL_3_4\bin>dumpbin hook.dll
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file hook.dll

File Type: DLL
LINK : warning LNK4078: multiple '.rsrc' sections found with different attribute
s (E0000020)

  Summary

        1000 .reloc
       D3000 .rsrc
        C000 .rsrc
       F5000 .text
        1000 SHARED


I am sure my DllMain is not being called now too, added a MessageBox to test and getting nothing.

Need to hit bed now, 4am :( Hopefully I'll hear back from you tomorrow, as I can't get a new version out to our users to test until I can pack it. (We develop a 'good' 3rd party app for the game, however 'bad' people would love to get ahold of some of our info to make cheats and bots, and this next version of the code I'm using that's improved is using strings instead of byte arrays for its workings, so I really need to protect those. And yes, I will be putting to use the encrypted strings code from PEHideText, that's going to help a lot!)

Jeremy Collake

I will have to do some runtime debugging to determine the cause. I will need an uncompressed copy of the DLL. Please email it to binaries@bitsum.com.

I took a cursory glance at the compressed DLL you sent. All I can say at this point is that there is a memory access violation in the DLL entry code, perhaps in the PECompact loader. I will know more when I get the uncompressed DLL and can compress it with the debug loader (re: in contrast to the anti-debug loader, the debug loader removes protection code in the loader to allow for easier debugging).



Software Engineer. Bitsum LLC.

Aikar

Ok, let me get all my code re-enabled (the parts commented out for testing; all the changes I reverted before were not 'crucial' to be done that way, so I just need to uncomment the functionality functions now) and rebuild everything and I'll email both to you.

On a side note, I noticed when I do "Make these settings the default", those don't apply to console based usage (i.e. Explorer context menu). Would be nice if no flags are passed to pec2.exe to use the default settings, or maybe save a binaryname.pec2settings file with the flags for use in console and GUI loading?

Jeremy Collake

Quote from: Aikar on April 01, 2009, 02:49:48 PM
On a side note, I noticed when I do "Make these settings the default", those don't apply to console based usage (i.e. Explorer context menu). Would be nice if no flags are passed to pec2.exe to use the default settings, or maybe save a binaryname.pec2settings file with the flags for use in console and GUI loading?

Yes, I agree. I intend to address this in a future update to PECompact.
Software Engineer. Bitsum LLC.

Aikar

Note on the binaries: I left a TEST MessageBox in the DllMain entry point for testing.

It's pretty much the first thing called:
#include <windows.h>

//DLL Entry Point
BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // Test marker: the box only appears if the loader actually calls DllMain
        MessageBoxA(NULL,"TEST","TEST",MB_OK);
        // (remaining initialisation code not shown in the post)
    }
    return TRUE;
}

Jeremy Collake

Ok, thanks. It will likely be tomorrow morning before I get to doing this debugging. I apologize for the wait, I have several things to do at present.
Software Engineer. Bitsum LLC.

Jupiter

Quick answer:
It seems that the problem is in shared sections, which are not supported by packers.
EnJoy!

Jeremy Collake

Quote from: Jupiter on April 02, 2009, 07:00:06 AM
It seems that the problem is in shared sections, which are not supported by packers.

A good guess, but PECompact actually has the ability to skip shared sections, a parameter he is using (/ssh:yes). This of course lowers compression ratio, but allows those sections to remain shared by all instances of the module.
Software Engineer. Bitsum LLC.

Jeremy Collake

I have not yet found the time to debug this problem. Please understand that I am quite busy here ;o. I will try to get to it today.
Software Engineer. Bitsum LLC.

Aikar


Jeremy Collake

Quote from: Aikar on April 08, 2009, 09:05:51 AM
Any luck with it, Jeremy?

I haven't done enough to determine a cause for certain. However, I think it is possible that the problem is the particular way the module was built causes PECompact to relocate the entry point, instead of its normal practice of inserting a 'call' (to the PECompact loader) at the original entry point.

As an experiment, can you try moving the DllMain function higher up in the source code? This may cause it to be positioned earlier in the compiled object, transferring to an earlier positioning in the linked DLL. Basically, you want to end up with the original entry point in a location as early as possible in the built DLL. There are also other ways to do this.

Of course, this may have nothing to do with the crash, and a proper fix is really needed. However, from your description of when this started occurring, it seems like a very likely candidate.
Software Engineer. Bitsum LLC.
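To check the two things raised in this thread on your own packed DLL (which section the entry point lands in, per Jeremy's note about PECompact relocating the entry point, and which sections carry the SHARED flag that /Ssh:Yes is meant to preserve, per Jupiter's guess), here is a small PE section-table parser. It is an added example, not PECompact's or Windower's code; the sample headers are constructed from the dumpbin output posted above, and the SHARED section and its flags are an assumption.

```python
import struct

IMAGE_SCN_MEM_SHARED = 0x10000000   # section is shared across processes
IMAGE_SCN_MEM_EXECUTE = 0x20000000

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 headers (DOS stub, COFF/optional header, section table)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 vsize, va, 0, 0, 0, 0, 0, 0, flags)
                     for name, va, vsize, flags in sections)
    return dos + b"PE\0\0" + coff + opt + table

def parse_sections(pe):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, flags)])."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt = pe_off + 24                                  # optional header start
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    entry = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name, vsize, va = struct.unpack_from("<8sII", pe, off)
        flags = struct.unpack_from("<I", pe, off + 36)[0]
        secs.append((name.rstrip(b"\0").decode(), va, vsize, flags))
    return entry, secs

def locate_entry(pe):
    """Section holding the entry point and whether it is executable, or None
    when the entry RVA lies outside every section (the 'relocating' case)."""
    entry, secs = parse_sections(pe)
    for name, va, vsize, flags in secs:
        if va <= entry < va + vsize:
            return name, bool(flags & IMAGE_SCN_MEM_EXECUTE)
    return None

def shared_sections(pe):
    """Names of sections a packer must leave intact when /Ssh:Yes is in effect."""
    return [s[0] for s in parse_sections(pe)[1] if s[3] & IMAGE_SCN_MEM_SHARED]

# Constructed sample: section table from the packed hook.dll dump above, plus an
# assumed SHARED section (placement and flags are assumptions, not from the dump).
PACKED = build_pe(0x5E298, [(".text", 0x1000, 0x1C4000, 0xE0000020),
                            (".rsrc", 0x1C5000, 0xC000, 0xE0000020),
                            (".reloc", 0x1D1000, 0x200, 0xC0000040),
                            ("SHARED", 0x1D2000, 0x1000, 0xD0000040)])
```

Run `locate_entry(open("hook.dll", "rb").read())` on a real packed DLL to see whether the entry point still falls inside an executable section after packing.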

Aikar

That was one thing I tried too, I had put it in my stdafx file to try that before I even made the topic and it still relocated.


Jeremy Collake

Ok, I am not sure that is the entire problem anyway, as that portion of the code seemed to do ok when I was debugging it. The crash could be manifested by a base collision, but I have not verified that. I obviously haven't spent much time with it, and I apologize. I unfortunately have to prioritize my time in ways other than I would prefer ;(

The investigation is going to take more time for sure. I intend to eventually solve this problem, but still don't know when... nor can I guarantee it will be solved. I am sorry I don't have more immediate help for this problem.

Software Engineer. Bitsum LLC.

Aikar

Been a while... any chance you can re-look into this issue? It's still a problem in the latest PECompact :(

I even removed almost all code from my DllMain and it still does it. A simple DllMain with a message box only still doesn't trigger the DllMain.

And yes, I am getting that "EntryPoint is no longer in the DLL Address space, Relocating" message, but I got that on many other DLLs that worked fine too.

Really would love to use PECompact but haven't been able to use it on our main software due to this :(