Tutorial: Why does loading ntdll from a local folder produce an exception?



Question:

My exe depends on ntdll, user32 and kernel32. I save these DLLs as a local copy and change the first letter to "V". I then edit the exe's import DLL name from kernel32.dll to vernel32.dll. The application works fine, loading vernel32.dll from the local folder. Next I edit the exe's import DLL name from ntdll to vtdll; the process loads vtdll from the local folder, runs its code and throws a _stackhash exception on vtdll instructions.

I need this for developing my application to bundle all Windows dependencies. Does anybody have any idea why ntdll can't be run from local space?


Solution:1

No! You cannot try to replace ntdll. It is mapped by the kernel into every single process, probably before any of your code is even loaded. It has an intricate connection with the kernel. It knows all the correct system call numbers. Try using ntdll from NT 5.1 and it will crash on NT 6.1. ntdll hosts the system call entry and exit code. The kernel-user callback dispatcher code. The thread start function which the kernel knows the address of. The user exception dispatcher. The user APC handler. I could go on, but I won't.

I don't see why you're trying to "bundle" these DLLs with your program. There is no way a Windows install won't have these DLLs. And that's ZERO chance for ntdll.dll since I don't see how without the session manager and CSR you are going to run your program in the first place.


Solution:2

I don't find the idea of "bundling" system DLLs a good one.

First of all, it is illegal to redistribute these DLLs together with your application. Second, you should understand that a DLL can create some global objects, and the usage of two copies of the same DLL (vtdll.dll and ntdll.dll) cannot work. You didn't write how you modified the imports of the DLLs. If you do it on disk it is illegal and, moreover, it breaks the signature of the files (open the file properties of any of the DLLs and look at the "Digital Signatures" tab).

If you do want to experiment with different copies of system DLLs, you can better use DLL redirection (see http://msdn.microsoft.com/en-us/library/ms682600.aspx) by creating a file with the name myapp.exe.local, where myapp.exe is the name of your application. It can be necessary to delete some entries from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs to do this. You should understand that your computer will run slowly after this, and I recommend making such experiments inside a virtual machine, which you can easily restore if it no longer boots.
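To see which of an executable's imports a myapp.exe.local file could even affect, it helps to read the import directory and compare it against the KnownDLLs list. The following is an added example, not code from the question or either answer: a small PE import-table parser plus a classifier that follows the answer above (KnownDLLs entries are served from the system copy unless removed from the registry key, and ntdll is mapped by the kernel before the loader runs at all). The KnownDLLs set and the minimal PE image it parses are constructed for illustration; on a real machine the list comes from the registry key named in the answer.

```python
import struct

# Constructed subset of the KnownDLLs list for illustration only; on Windows read
# the values under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS_SAMPLE = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


def parse_import_dll_names(pe: bytes) -> list:
    """Return the DLL names listed in a PE file's import directory (PE32 or PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:        # PE32: data directories start at optional header offset 96
        dd = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    import_rva, _import_size = struct.unpack_from("<II", pe, dd + 8)  # directory entry 1
    if import_rva == 0:
        return []
    # Section headers follow the optional header; VirtualAddress, SizeOfRawData and
    # PointerToRawData (offsets 12, 16, 20 of each 40-byte header) map RVAs to file offsets.
    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        va, raw_size, raw_ptr = struct.unpack_from("<III", pe, table + i * 40 + 12)
        sections.append((va, raw_size, raw_ptr))

    def rva_to_offset(rva: int) -> int:
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%x not backed by any section" % rva)

    names = []
    desc_rva = import_rva
    while True:   # one 20-byte IMAGE_IMPORT_DESCRIPTOR per DLL, ended by an all-zero entry
        off = rva_to_offset(desc_rva)
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", pe, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        name_off = rva_to_offset(name_rva)
        names.append(pe[name_off:pe.index(b"\0", name_off)].decode("ascii"))
        desc_rva += 20
    return names


def classify_imports(dll_names, known_dlls=KNOWN_DLLS_SAMPLE) -> dict:
    """Per imported DLL, say whether a myapp.exe.local file could redirect it."""
    result = {}
    for name in dll_names:
        key = name.lower()
        if key == "ntdll.dll":
            result[name] = "mapped by the kernel before the loader runs; never redirectable"
        elif key in known_dlls:
            result[name] = "KnownDLL: system copy is used unless the registry entry is removed"
        else:
            result[name] = "redirectable via myapp.exe.local"
    return result


def build_sample_pe(dll_names=("kernel32.dll", "user32.dll", "ntdll.dll", "helper.dll")) -> bytes:
    """Construct a minimal PE32 file (headers + one .idata section) for testing.
    It is not loadable: thunk tables are omitted because only the names are parsed."""
    SECTION_RVA, SECTION_RAW = 0x1000, 0x200
    strings = b""
    descriptors = b""
    names_base = SECTION_RVA + 20 * (len(dll_names) + 1)   # strings follow the descriptors
    for name in dll_names:
        descriptors += struct.pack("<IIIII", 0, 0, 0, names_base + len(strings), 0)
        strings += name.encode("ascii") + b"\0"
    descriptors += bytes(20)                                 # terminating descriptor
    section_data = descriptors + strings

    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, SECTION_RVA, len(descriptors))  # import directory
    sect = struct.pack("<8sIIII", b".idata", len(section_data), SECTION_RVA,
                       len(section_data), SECTION_RAW) + bytes(16)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + bytes(SECTION_RAW - len(headers)) + section_data


if __name__ == "__main__":
    for dll, verdict in classify_imports(parse_import_dll_names(build_sample_pe())).items():
        print("%-14s %s" % (dll, verdict))
```

Point `parse_import_dll_names` at the bytes of a real executable to get its import list; only the classification against KnownDLLs is specific to the redirection question, and the parser deliberately stops at the DLL names rather than walking thunk tables, since that is all the .local decision needs.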


Solution:3

Thanks for the information. It helped me to do research on it.

I am not bundling the DLLs for my own application. I am doing it for existing applications, to provide a Windows cross-platform independence solution.

I tried the DLL redirection technique you posted with all applications. It works well with all DLLs except ntdll and user32.dll.

User32.dll: it loads user32.dll from local space only and not kernel space. I confirmed it. But on executing its instructions, it results in a null address access exception (c0000005) with fault module name StackHash_5964.

ntdll: on booting, the application loads ntdll from system32 and again loads ntdll from local space, which may cause the error as you said (global object sharing violation). This happens only for ntdll and not for user32.dll.

Is there any way we can make ntdll load once (only from local space) and avoid the errors caused by user32.dll in local space?


Solution:4

I tried the references sent by you and here are the results.

User32.dll

I could not build user32.dll having these functions below: IsThreadDesktopComposited = user33.IsThreadDesktopComposited, User32InitializeImmEntry = user33.User32InitializeImmEntry. It produces a linker error (unresolved external symbol "IsThreadDesktopComposited").

Hence I left 100 such functions out of the 800 functions in user32.dll. The DLL was finally built. I then placed the DLL in local space along with user33.dll. On running the application, it says the procedure entry points for the 100 missed functions are not found.

Ntdll.dll

I tried removing known DLLs. But it's inaccessible for modify or delete operations. I could only read. I am the admin and ran regedit as administrator.

Is it possible to do such implementations for ntdll or user32.dll? I guess I am coming back repeatedly. Thanks for all your help. But if you have any other ways or any suggestions you can make, I would be grateful.

