LdrLoadDll Crash


LdrLoadDll Crash



I need to load a library via ntdll's LdrLoadDll function, in this case the library I am loading is user32.dll. However, when I try to load user32.dll, an access violation exception is thrown on the call(last line). I am unsure what the cause of this error could be. Am I creating the unicode string incorrectly?


LdrLoadDll


typedef (__stdcall *LdrLoadDll)(
IN PWCHAR PathToFile OPTIONAL,
IN ULONG Flags OPTIONAL,
IN PUNICODE_STRING ModuleFileName,
OUT PHANDLE ModuleHandle);
LdrLoadDll LdrLoadDllStruct = (LdrLoadDll)GetProcAddress(ntdllHandle, "LdrLoadDll");

typedef (__stdcall *RtlInitUnicodeString)(
PUNICODE_STRING DestinationString,
PCWSTR SourceString);
RtlInitUnicodeString RtlInitUnicodeStringStruct = (RtlInitUnicodeString)GetProcAddress(ntdllHandle, "RtlInitUnicodeString");

HMODULE hModule = 0;
UNICODE_STRING unicodestring;
RtlInitUnicodeStringStruct(&unicodestring, L"USER32.dll");
LdrLoadDllStruct(NULL, NULL, &unicodestring, &hModule);





simply use debugger and see
– RbMm
Jul 1 at 6:53





I am surprised if it will even compiles with Visual Studio, at-least I doubt it would without disabling warnings at the least.
– ImmortaleVBR
Jul 1 at 9:40






And you can't use LoadLibrary like a normal person because?
– Anders
Jul 1 at 10:38





Can you provide more details on how do you run the program's output? Is it a driver you're trying to write? Aren't you able to debug your program (true, in that case it will run under "normal" conditions, and probably the error won't be reproducible)? Note: set your 2nd argument to 0 instead of NULL (definitely not the crash cause, just for clarity).
– CristiFati
Jul 2 at 8:54



NULL





Did you check the result of calling GetProcAddress()?
– Paul Sanders
yesterday


GetProcAddress()




1 Answer
1



Here you go, some code that (a) actually compiles, and (b) works. Please excuse the (ahem) error handling:


#include <windows.h>
#include <subauth.h>
#include <assert.h>
#include <iostream>

#pragma comment (lib, "ntdll.lib")

typedef void (__stdcall *LdrLoadDll) (
IN PWCHAR PathToFile OPTIONAL,
IN ULONG Flags OPTIONAL,
IN PUNICODE_STRING ModuleFileName,
OUT HMODULE * ModuleHandle);

typedef void (__stdcall *RtlInitUnicodeString)(
PUNICODE_STRING DestinationString,
PCWSTR SourceString);

int main ()
{
HMODULE ntdllHandle = LoadLibrary (L"ntdll.dll");
assert (ntdllHandle);

LdrLoadDll LdrLoadDllStruct = (LdrLoadDll) GetProcAddress (ntdllHandle, "LdrLoadDll");
assert (LdrLoadDllStruct);
RtlInitUnicodeString RtlInitUnicodeStringStruct = (RtlInitUnicodeString) GetProcAddress (ntdllHandle, "RtlInitUnicodeString");
assert (RtlInitUnicodeStringStruct);

HMODULE hModule = 0;
UNICODE_STRING unicodestring;
RtlInitUnicodeStringStruct (&unicodestring, L"USER32.dll");
LdrLoadDllStruct (NULL, 0, &unicodestring, &hModule);
std::cout << hModule << "n";
}



Output (on my machine, 64 bit build):


00007FFF17C20000



Live demo.



And yet ... just what is wrong with using LoadLibrary()?


LoadLibrary()






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

List of Kim Possible characters

Image
From left to right: Wade (on monitor screen), Dr. James Timothy Possible, Mrs. Dr. Ann Possible, Ron, Rufus, Kim Possible, Shego, Dr. Drakken, Monkey Fist, Señor Senior Sr., Adrena Lynn, and Señor Senior Jr. This is a list of characters appearing in the animated series Kim Possible . Team Possible Kim Possible Main article: Kim Possible (character) Voiced by: Christy Carlson Romano and Dakota Fanning (Preschool Kim; Kim Possible: A Sitch In Time ) Kimberly Ann “Kim” Possible is a crime fighter and high school cheerleading captain who saves the world on a regular basis while dealing with the normal challenges of being a teenager, such as winning cheer competitions, turning in her homework on time, and maintaining a love life. Her name is a play on the word “impossible.” Kim has known Ron Stoppable, her sidekick for most missions, since preschool. She has also completed missions with Wade, Monique, her brothers, and even her mother. In season four, Kim and Ron end up developing romanti
Read more

Audio Livestreaming with Python & Flask

Audio Livestreaming with Python & Flask I'm currently strugling with my implementation of a simple live streaming web application using Python and Flask. It seems that I'm not able to stream my live recorded audio from the servers microphone input to the webpage. server.py from flask import Flask, render_template, Response import cv2 import framework import pyaudio import audio_processing as audioRec FORMAT = pyaudio.paInt16 CHANNELS = 1 RATE = 44100 CHUNK = 1024 audio = pyaudio.PyAudio() app = Flask(__name__) @app.route('/') def index(): """Video streaming home page.""" return render_template('index.html') # Stream routing @app.route('/video_feed') def video_feed(): """Video streaming route. Put this in the src attribute of an img tag.""" return Response(generateVideo(), mimetype='multipart/x-mixed-replace; boundary=frame') @app.route("/audio
Read more

NSwag: Generate C# Client from multiple Versions of an API

Image
NSwag: Generate C# Client from multiple Versions of an API We are versioning our API and generating the Swagger specification using Swashbuckle in ASP.NET Core 1.1. We can generate two API docs based on those JSON specification files: <!-- language: c# --> services.AddSwaggerGen(setupAction => { setupAction.SwaggerDoc("0.1", new Info { Title = "Api", Version = "0.1", Description = "API v0.1" }); setupAction.SwaggerDoc("0.2", new Info { Title = "Api", Version = "0.2", Description = "API v0.2" }); // more configuration omitted } We are including all actions in both spec files, unless it is mapped to a specific version using the [MapToApiVersion] and ApiExplorerSettings(GroupName ="<version>")] attributes. Methods belonging to an older version only are also decorated with the [Obsolete] attribute: [MapToApiVersion] ApiExplorerSettings(GroupName ="<version>&quo
Read more