I have to spy on a C++ DLL. I would like to insert trace calls inside the assembly code, e.g modifying the code to put a small code that would trace some variable into a text file. I do not have access to the runtime of the machine where the dll is used, I only can access the storage, so I cannot spy dynamically using IDA debug, I must put some files with spy code inside and then start the machine, run it then shutdown the machine and get back the trace files eventually created in the storage.
Is there some way to automate that spy code insertion using IDA Pro for example or a similar tool.
I have decompiled the Dll using Hex-Ray and, yes I could modify the C source code and plant the functions there but unfortunately Hex-Ray cannot reverse all the code , only like 90%, and then I cannot use that way.
Seeing as this a dll, you can use the wrapgen IDA plugin to create a wrapper DLL that calls the original and insert whatever tracking and tracing code you need.
In more advanced cases you can use the wrapper dll to dynamically patch the original dll if you need to monitor function local variables.
Related
I am trying to Instrument .NET Core web applications that runs on .NET Core 3.1 using CoreCLR Profiler in linux centos7.
I have set the environment values CORECLR_PROFILER , CORECLR_ENABLE_PROFILING and CORECLR_PROFILER_PATH, where my CoreCLRProfiler dll gets attached to dotnet.exe and it is getting the callbacks.
I am able to get all the callbacks,but when i allow injecting the code into the Webapplication's method then the app is getting crashed(dotnet.exe gets killed) as it couldnt find the injected function call.
I have created helper assembly(.NET standard 2.0) with the injected functions body and signed it with strong name and installed it in to the GAC. And also used DefineAssemblyRef(),DefineTypeRefByName() and DefineMemberRef() from IMetaDataAssemblyEmit to load assembly and its class methods. And also tried by placing dotnet standard dll in application folder. But the helper assembly is not loaded to dotnet.exe process.
Where should my helper assembly placed..? and
how can I load helper assembly to dotnet process from my native coreclr profiler?
It would be much helpful if i get some correct direction to load or use helper assembly to dotnet process.
Thanks in advance.
I played around a lot with loading a managed DLL and calling it from our Profiler: many different approaches, almost all of them had a limitation one way or another.
The problem we saw was that if the method that calls the external dll is already compiled, it is now too late to load the external dll. Even if the method is compiled and the dll is loaded as part of the method (before the call is made to the dll), this is still too late for the CLR.
What you can do is a bit patchy but it works: instrument a call to https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.assemblyresolve and add your own method that looks up in a specific place. This has to be done as early as possible (before the method calling this assembly is compiled). Note that this will support .Net Framework as well as .Net Core. If you only need support for .Net Core, you can use the way described here:
https://github.com/richlander/dotnet-core-assembly-loading
Context: A Win32/64 Process running on Win7. I do not build the Process itself, I development a set of dll's "under" it.
One of the these dll's load third party dlls(plug-ins) which I do not control, but for which I cant get acces to the src.
Question: how do I get to list the local variable values at Process runtime from the functions from these plug-in dlls?
Remember, I'm sort of în the middle of The call stack Being loaded by the process and loading în turn the dll for which I need to get this info.
WINdbg maybe, some Minidump functionality API I can call?
Later Edit: I have the *. pdbs of the dlls I'm trying to get the local variables from.
Is there a way to load all functions from runtime loaded DLL? Current code:
hGetProcIDDLL = LoadLibrary(dll);
typedef int(*f_connection_a)(args);
typedef int(*f_connection_b)(args);
typedef int(*f_connection_c)(args);
f_connection_a connection_a = (f_connection_a)GetProcAddress(hGetProcIDDLL, "connection_a");
f_connection_b connection_b = (f_connection_b)GetProcAddress(hGetProcIDDLL, "connection_b");
f_connection_c connection_c = (f_connection_c)GetProcAddress(hGetProcIDDLL, "connection_c");
As you can see, this gets cumbersome quickly as you have to define every DLL function like this. Is there a way to load all DLL functions instead of having to list them?
Since here the "connection_*" are only a variables, there is no way to initialize them other than to run a code such as calling a function to get an address of a function. WinAPI doesn't have bulk method for binding functions at run time. This is limitation of WinAPI. The intention of this method was to check the presence of a functions individually and to delay loading library up to the point when it will actually be needed (or to avoid loading at all if it is not used).
But you can avoid such messy code by binding DLL at program loading stage using Import Table feature. In this case Windows loads executable image into memory, then loads all dependent DLLs and automatically binds the imported functions before launching executable code. For this you need:
Prepare *.def file for the library you need to load. The simplest method is to launch "impdef.exe my.dll" command on dll file. You may find tiny impdef.exe that doesn't need installation in TinyC package (see https://bellard.org/tcc/).
Then prepare corresponding *.lib file by launching "lib /def:my.def /out:my.lib"
After that link produced library with your project as regular library.
The drawback of this method is that if DLL is absent or corrupted, your executable file won't start at all. But this is a small payment for the convenience of importing functions.
This may be too broad a question, but I have a DLL that contains a UI. It is currently invoked by an EXE. What steps would I do to try and invoke the UI within the DLL? Or put another way, how would I go about teasing out the code that would invoke the UI as it happens in the EXE?
Looks like you have access to source for both dll and executable that uses it. so what you are doing is writing a host for that dll from scratch.
Create a MFC application from VS project templates (make it the same kind as main executable, dialog, single document, multiple document, etc).
Look at what function dll exports, also look at its headers and best of all -- documentation.
Search source code of main exe and find the places the dll functions are called.
Figure out what is being done and why.
Narrow down scenarios you want to reproduce (initialize dll, show basic UI and tear down)
Start reproducing that code in your example app.
Copy the dll call, see what parameters it takes, see how those are initialized, etc.
Fix errors as they come up.
I'm working on debugging a legacy Visual Basic 6.0 application; the application was built into native code, but unfortunately we just have the binaries, but no source code. So I'm rather limited as far as modifications to the program go.
My final goal is to get the value of the 'Name' property of some controls given their HWND. I can easily write VisualBasic code to do this, but unfortunately I don't see how to execute this code in the context of the running application.
My first attempt was to create an ActiveX DLL in VisualBasic which exposes my 'controlNameForHWND' function. At runtime, I then had a little utility injected a second helper DLL into the VB running process, and that helper DLL then called CoCreateInstance so that my ActiveX control (which features the 'controlNameForHWND' function I wrote in VB) is instantiated inside the process of the application.
This worked well, but unfortunately the ActiveX control is apparently not executed in the same context as the application to be debugged. For instance, the global App.hInstance value is different, the array returned by the global Forms array is always empty, and so on. So all my VisualBasic script code is running in a parallel universe. Bad luck. :-/
Does anybody else have ideas how to be able to "inject" VisualBasic code into a VB6 process? Looking at the process using Process Explorer shows that the library MSVBVM60.DLL is loaded (the Microsoft Visual Basic Virtual Machine), but not e.g. VBA.DLL. The latter would be interesting since it exports an undocumented EbExecuteLine function to execute script statements.
I'm running a bit low on ideas, so I'm grateful for the craziest ideas, too. :-)
A VB6 ActiveX DLL will run in the client process, but it won't have access to the Forms collection of the client process. I think the App.hInstance should return the same value though.
If you are debugging your DLL in the VB6 IDE debugger, that will cause it to run in a separate process. That debugger does some crazy things. You might be better to build a PDB file from the ActiveX DLL and debug in the Visual C++ debugger.