.I'm trying to use a Proxy DLL to investigate MSN Messenger internals. I know msimg32.dll is loaded by Msnmsgr and seems fairly easy since it only exports 5 functions.
The original MSIMG32.DLL (on /windows/system32) dumped exports is:
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file C:\Windows\System32\msimg32.dll
File Type: DLL
Section contains the following exports for MsImg32.dll
00000000 characteristics
489C993E time date stamp Fri Aug 08 16:06:38 2008
0.00 version
1 ordinal base
5 number of functions
5 number of names
ordinal hint RVA name
2 0 00001410 AlphaBlend
3 1 00001000 DllInitialize
4 2 00001460 GradientFill
5 3 00001470 TransparentBlt
1 4 00001400 vSetDdrawflag
Summary
2000 .data
3000 .rdata
2000 .reloc
1000 .rsrc
8000 .text
Now my code, but first my DEF file:
LIBRARY "msimg32"
EXPORTS
vSetDdrawflag @1
AlphaBlend @2
DllInitialize PRIVATE
GradientFill @4
TransparentBlt @5
Here's my source :
#ifndef MSIMG_PROXY
#define MSIMG_PROXY
// Function prototypes
#pragma warning( disable:4273 )
#ifdef __cplusplus
extern "C"
{
#endif
BOOL WINAPI TransparentBlt(HDC, int, int, int, int, HDC, int, int, int, int, UINT);
BOOL WINAPI AlphaBlend (HDC, int , int, int, int, HDC, int , int, int, int, BLENDFUNCTION);
BOOL WINAPI GradientFill (HDC, PTRIVERTEX, ULONG, PVOID, ULONG, ULONG);
DWORD WINAPI DllInitialize (DWORD,DWORD);
VOID WINAPI vSetDdrawflag (VOID);
#ifdef __cplusplus
}
#endif
#endif
/*****************************************************************************
MSIMG32 forwarding proxy for injecting Live Messenger
******************************************************************************/
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <cassert>
#include <tchar.h>
#include "msimgproxy.h"
// Function pointers for exported functions
typedef BOOL (WINAPI *PFNTRANSPARENTBLT) (HDC,int,int,int,int,HDC,int,int,int,int,UINT);
typedef VOID (WINAPI *PFNVSETDDRAWFLAG) (VOID);
typedef BOOL (WINAPI *PFNALPHABLEND) (HDC,int,int,int,int,HDC,int,int,int,int,BLENDFUNCTION);
typedef BOOL (WINAPI *PFNGRADIENTFILL) (HDC,PTRIVERTEX,ULONG,PVOID,ULONG,ULONG);
typedef DWORD (WINAPI *PFNDLLINITIALIZE)(DWORD, DWORD);
PFNTRANSPARENTBLT pfnTransparentBlt = NULL;
PFNALPHABLEND pfnAlphaBlend = NULL;
PFNDLLINITIALIZE pfnDllInitialize = NULL;
PFNGRADIENTFILL pfnGradientFill = NULL;
PFNVSETDDRAWFLAG pfnVSetDdrawFlag = NULL;
void GetMsimg32FnAddr();
HMODULE hMsimg32;
// ----------------------------------------------------------------------------
// DLL Entry Point
// ----------------------------------------------------------------------------
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call,
LPVOID lpReserved )
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
GetMsimg32FnAddr();
OutputDebugString(TEXT("PROXY DLL LOADED."));
break;
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
{
FreeLibrary(hMsimg32);
break;
}
}
return TRUE;
}
// Get original MSIMG32.DLL functions VA
//
void GetMsimg32FnAddr()
{
/*TCHAR libName[MAX_PATH];
GetSystemDirectory (libName, MAX_PATH);
_tcscat_s (libName, MAX_PATH*sizeof(TCHAR), TEXT("\\msimg32.dll"));
OutputDebugString (libName);*/
SetDllDirectory(L"");
hMsimg32 = LoadLibrary (TEXT("C:\\Windows\\System32\\msimg32.dll"));
if (hMsimg32)
OutputDebugString(L"MSIMGPROXY *** System MSIMG32.DLL loaded OK\n");
pfnVSetDdrawFlag = (PFNVSETDDRAWFLAG) GetProcAddress(hMsimg32, "vSetDdrawflag");
pfnAlphaBlend = (PFNALPHABLEND) GetProcAddress(hMsimg32, "AlphaBlend");
pfnDllInitialize = (PFNDLLINITIALIZE) GetProcAddress(hMsimg32, "DllInitialize");
pfnGradientFill = (PFNGRADIENTFILL) GetProcAddress(hMsimg32, "GradientFill");
pfnTransparentBlt = (PFNTRANSPARENTBLT) GetProcAddress(hMsimg32, "TransparentBlt");
}
/**** Exported functions *****/
BOOL WINAPI TransparentBlt(HDC p1, int p2, int p3, int p4, int p5, HDC p6, int p7, int p8,
int p9, int p10, UINT p11)
{
return pfnTransparentBlt (p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11);
}
BOOL WINAPI AlphaBlend(HDC p1, int p2, int p3, int p4, int p5, HDC p6, int p7 , int p8,
int p9, int p10, BLENDFUNCTION dw)
{
return pfnAlphaBlend (p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,dw);
}
BOOL WINAPI GradientFill (HDC p1, PTRIVERTEX p2, ULONG p3, PVOID p4, ULONG p5, ULONG p6)
{
return pfnGradientFill (p1, p2, p3, p4, p5, p6);
}
DWORD WINAPI DllInitialize (DWORD d1,DWORD d2)
{
OutputDebugString (L"Called DllInitialize.\n");
return pfnDllInitialize (d1, d2);
}
VOID WINAPI vSetDdrawflag (VOID) { (*pfnVSetDdrawFlag)(); }
Well I've debugged the program and continues crashing msimg32.dll with an access violation after AlphaBlend call (which goes on uninitialized memory).
But seems GetProcAddress and function pointers are handled properly.
Another thing is that I'm generating __stdcall functions and exporting them with no decoration, but the dump of my release DLL is showing:
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file msimg32.dll
File Type: DLL
Section contains the following exports for msimg32.dll
00000000 characteristics
48D2960F time date stamp Thu Sep 18 14:55:27 2008
0.00 version
1 ordinal base
5 number of functions
5 number of names
ordinal hint RVA name
2 0 00001140 AlphaBlend = _AlphaBlend@44
3 1 000011B0 DllInitialize = _DllInitialize@8
4 2 00001180 GradientFill = _GradientFill@24
5 3 00001100 TransparentBlt = _TransparentBlt@44
1 4 000011D0 vSetDdrawflag = _vSetDdrawflag@0
Summary
2000 .data
2000 .rdata
1000 .reloc
1000 .rsrc
7000 .text
I don't think this is a problem since it's mapping undecorated names to stdcall decorated types, this shouldn't bring me any problem I believe.
Any help?
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}