Nov 5, 2009 (last update: Nov 9, 2009)

DLL Symbols

Score: 3.5/5 (48 votes)
*****
What is a DLL? A DLL is a dynamic-linking library. It acts as a shared object in which multiple programs can call the same DLL more than once.

Why use a DLL? It's not much different from the concept of Linux shared objects and libraries. A little bit different in design though. In short terms, it saves space and allows extensive code reuse.

Facts about the DLL: When a DLL is compiled, it's functions are referenced by symbols. These symbols directly relate to the functions name (the symbols are represented by visible and readable strings), its return type, and it's parameters. The symbols can actually be read directly through a text editor although difficult to find in large DLLs. These symbols may also be extracted using functions from the WinAPI. BREAKPOINT: Insert screenshot or example here. DEF files also come in use for reference although these maybe avoided. Also, with a DLL, an implementation exists. Using the DLL, we may generate a .lib file provided you have the DLL at least. Now using the symbols and the libary that you may generate from the DLL, you can actually create your own simple headers to call functions implicity from the DLL. Cool huh?

Why should I care? Normally you wouldn't. It's often used in basic hacking. But it may also be used as a good reference and a good recovery tool, especially if you know how you designed the DLL. Say you have a DLL that you implemented a while back. It's simple, has four or five functions to it. But you no longer have the headers, the library, and you don't remember the function names. Using this method, you can easily recover all of this. Although this can also be true for DLLs that are not yours and weren't meant to have third-parties call.

I don't care about all that! I never implement DLLs anyways! You say that, but in a sense you do. DLLs are very similar to a Windows executable file. As a result, you can actually load an executable and explicitly call an executable the same you do a DLL (thanks Null). You may also implecitly call a executable as well but we do that every time we make an executable. BREAKPOINT: Do executables use the symbol system?

Your a liar! Oh yeah? When ever I tried making a UT2004 anti-cheat by manipulating the DLLs, I failed miserably and I noticed that a lot of people thought it was because you can't use this method as it doesn't work at all. Well, they are wrong! As a response to this, I will implement a basic DLL, delete any reference to it except the DLL itself, and recover everything use step by step instructions in this article. BREAKPOINT: Should I use C for clear symbols or C++ even though a little bit longer in steps?

The Process!
The DLL to hack: http://computerquip.com/BasicDLL.dll
The process of doing this is simple. First we need to extract the public functions that are callable by the client. Now don't get me wrong guys, symbols are complex and they aren't there just for the exported functions. So as a result, we simply need to extract the functions we want which coincidentally are 90% of the time publicly exported functions. For example of all symbols:

http://img38.imageshack.us/img38/7575/exportedsymbols.png

First we need to make a .DEF file. In MinGW, this is done using pexports which even gives it in a format compatible with DEF files. We can place it in a file using pexports BasicDLL.dll. In VC++ console you can use dumpbin /exports (I could have sworn you could export def files with dumpbin) shown:

http://img682.imageshack.us/img682/5596/symbols.png This is just what I knew off hand. I spent nearly an hour yesterday getting my Windows environment setup without success. I was trying to avoid Code::Blocks but I guess that won't be the case.

Though I've done a lot of research on how to hack into and take advantage of a common DLL, I don't know much about it's background or internals. I'm currently researching that and posting as I go.