Motivation

Background

Both an .exe and a .dll share the same PE (Portable Executable) file format.

decode_string

Challenges

File Header - Both file types have the same PE header format, but there is one specific flag that is unique to DLLs. This is discussed later in detail.

Entry Point Code - Both file types have code that runs once the file is loaded, but there are fundamental differences (in the purpose, integration, and structure) of that code between the two file types. This is also discussed in detail later on.

Step 1: Modify The File Header

IMAGE_FILE_DLL

IMAGE_FILE_DLL

Fig 1. Comparison Before And After Setting The IMAGE_FILE_DLL Flag
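As an added example (not code from the original post), the following Python script locates the Characteristics field of the PE file header, reports whether IMAGE_FILE_DLL is set, and toggles it the way Step 1 describes. It also includes a small audit helper that flags a mismatch between a file's extension and its flag, which is the kind of check a defender can run over a directory of binaries. The sample PE bytes are constructed inline (a minimal MZ/PE header with no sections) so the script runs offline; the function names are this example's own.

```python
import struct

# Characteristics bits from the IMAGE_FILE_HEADER (winnt.h values).
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def characteristics_offset(pe: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER.Characteristics.

    Layout: IMAGE_DOS_HEADER.e_lfanew at 0x3C points to the "PE\0\0"
    signature, followed by the 20-byte IMAGE_FILE_HEADER whose last
    WORD (offset 18) is Characteristics.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 18


def read_characteristics(pe: bytes) -> int:
    (value,) = struct.unpack_from("<H", pe, characteristics_offset(pe))
    return value


def is_dll(pe: bytes) -> bool:
    """True when the loader would treat this image as a DLL."""
    return bool(read_characteristics(pe) & IMAGE_FILE_DLL)


def set_dll_flag(pe: bytes, on: bool = True) -> bytes:
    """Return a copy of the image with IMAGE_FILE_DLL set or cleared (Step 1)."""
    patched = bytearray(pe)
    off = characteristics_offset(pe)
    value = read_characteristics(pe)
    value = value | IMAGE_FILE_DLL if on else value & ~IMAGE_FILE_DLL
    struct.pack_into("<H", patched, off, value & 0xFFFF)
    return bytes(patched)


def audit(filename: str, pe: bytes) -> str:
    """Flag files whose extension disagrees with the IMAGE_FILE_DLL bit.

    An .exe carrying the DLL flag (or a .dll without it) is worth a closer
    look during triage, since that is exactly what the patch above produces.
    """
    flagged = is_dll(pe)
    lower = filename.lower()
    if lower.endswith(".exe") and flagged:
        return "exe-with-dll-flag"
    if lower.endswith(".dll") and not flagged:
        return "dll-without-dll-flag"
    return "ok"


def build_sample_pe(characteristics: int) -> bytes:
    """Constructed minimal PE header (DOS stub + PE signature + file header).

    Hypothetical sample input for this example only; it has no sections and
    is not a loadable image.
    """
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, 1 section, no timestamp/symbols, optional header size 0xF0
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    sample = build_sample_pe(IMAGE_FILE_EXECUTABLE_IMAGE)
    print("before:", hex(read_characteristics(sample)), "is_dll =", is_dll(sample))
    patched = set_dll_flag(sample)
    print("after: ", hex(read_characteristics(patched)), "is_dll =", is_dll(patched))
    print("audit tool.exe:", audit("tool.exe", patched))
```

To run the audit over real files, read each one with `open(path, "rb").read()` and pass the bytes to `audit`; only the first `e_lfanew + 24` bytes are consulted, so truncated reads are fine for large binaries.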

Step 2: Patch The Entry Point

main

DllMain

main()

DllMain()

Purpose

main()

DllMain

Return Value

main()

DllMain()

True

DllMain()

False

error code 1114

Function Prototype

main()

main()

argv

argc

envp

Fig 2. main()'s Arguments Are Prepared With Function Calls

DllMain

DllMain

hinstDLL

fdwReason

lpvReserved

The Patch

Fig 3. New Entry Point Code

Fig 4. Overwriting The .exe Entry Point With The Patch

Step 3: Invoke The Call

LoadLibrary()

Calculating RVA

Fig 5. Finding The Image Base Using A PE Viewer

Fig 6. Finding The Target Function's Offset With IDA

LoadLibrary()

Fig 7. Source Code Of Program Loading Our Modified EXE As A DLL And Invoking Our Target Function

Fig 8. Successfully Running Our Patched Executable As A .DLL

Closing Notes

LoadLibrary

Improving Implementation