- \n
- c:\\test\\dll1_attached – DLL is loaded (attached)<\/li>\n
- c:\\test\\dll1_detached – DLL is unloaded (detached)<\/li>\n
- c:\\test\\dll1_function – ‘function’ is called<\/li>\n<\/ul>\n<\/li>\n
- DLL2.DLL\n
- \n
- c:\\test\\dll2_attached – DLL is loaded (attached)<\/li>\n
- c:\\test\\dll2_detached – DLL is unloaded (detached)<\/li>\n
- c:\\test\\dll2_function – ‘function’ is called<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
I then modified the section attributes for dll2.dll so that its .text section doesn’t have code execution rights.<\/p>\n
Name: .text\r\n VirtualSize: 0x00000070\r\n VirtualAddress: 0x00001000\r\n SizeOfRawData: 0x00000200\r\n PointerToRawData: 0x00000400\r\n PointerToRelocations: 0x00000000\r\n PointerToLinenumbers: 0x00000000\r\n NumberOfRelocations: 0x0000\r\n NumberOfLinenumbers: 0x0000\r\n Characteristics: 0x00000000 <---- no flags<\/pre>\n
The dll1.dll .text section looks like this:<\/p>\n
Name: .text\r\n VirtualSize: 0x00000070\r\n VirtualAddress: 0x00001000\r\n SizeOfRawData: 0x00000200\r\n PointerToRawData: 0x00000400\r\n PointerToRelocations: 0x00000000\r\n PointerToLinenumbers: 0x00000000\r\n NumberOfRelocations: 0x0000\r\n NumberOfLinenumbers: 0x0000\r\n Characteristics: 0x60000020 <---- (CODE, EXECUTE, READ)<\/pre>\n
I then tested this file set on on Win 10 x64. After dropping the files into VM I ran the test.exe.<\/p>\n
The first run shows the expected behaviour – i.e. the application crashes:<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/12\/dll1.png\")
<\/a><\/p>\nThere is an event logged in the Event Logs as well:<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/12\/dllcrash.png\")
<\/a><\/p>\nTo my surprise, when I re-run the test.exe it… actually works:
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/12\/dll2.png\")
<\/a><\/p>\nRunning it again and again I am getting inconsistent results. I drop the files into a win10 VM and sometimes it crashes with the first run, same as described above. And sometimes it runs smoothly.<\/p>\n
For the same set of files tested on Win7 x64 – I get the ‘dll1_attached’ created, but then the test.exe crashes.<\/p>\n
When dropped into XP VM, it works w\/o any issues (files are created).<\/p>\n
When I manipulate .text section attributes for dll1.dll the application always crashes. So, it would seem that the section of the first DLL cannot be modified, but the second one can.<\/p>\n
I am now scratching my head… Looks like a potential DLL mapping bug?<\/p>\n
The memory layout looks like this:<\/p>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/12\/dllmem.png\")
<\/a><\/p>\nIdeas?<\/p>\n
You can grab the files here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
I was toying around with the static DLL loading and came across a very strange behavior. So… I created a small .exe file that depends on dll1.dll and dll2.dll, linked statically, and calls function1 and function2 from each DLL respectively. … Continue reading