Hi all,

I have a program that loads a dll, uses it for some time and then it unloads it. I have no idea where the dll is located or from where it is loaded, but I know where the dll is unloaded. Loading of the dll is very hardcoded and I simply can't find where it happens. My question is: if I find the memory where the loaded dll is stored, can I create the .dll file from that memory? So what I have tried is this:

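#include <windows.h>
#include <fstream>

int main()
{
    HMODULE handle = LoadLibrary(TEXT("test.dll"));
    std::ofstream file;// can be merged to std::ofstream file("file.txt");
    file.open("file.dll");
    // loop has no end condition (as posted); it runs until the read faults
    for(int i = 0;;i++)
        file << (unsigned char*)(handle+i);
    return 0;
}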

The program crashes when it tries to read outside of the loaded library's memory; that's why I haven't done anything that terminates the loop. If I was doing it right it should put the memory of "handle" into "file.dll" and that should create a usable dll, but it does not. Does anyone know how to create a dll from a loaded dll's memory?

Thanks in advance.

For starters, I don't know how to do what you want. But I do know that the code you have there is completely wrong because of the fact that the handle that is outputted by the LoadLibrary function is not by any means a pointer to the memory where the DLL is loaded into. It is some identifier that the operating system uses to handle that DLL. Loading a DLL is more complicated and intricate than a simple dump of the content of the DLL file into RAM.

Even if you could find some sort of pointer to, say, the entry point function of the DLL or its symbol table (can't remember what it is called in Windows), I doubt that you could find a contiguous chunk of memory that has the exact DLL file content (there are things like process contexts, virtual addressing, static memory, pointer translation tables, etc.). When a DLL is loaded, it gets sort of split into parts that are code shared by all processes that use that DLL, parts that are process-specific and a bunch of constructs that put those together.

If all you want at the end is to find that DLL file, wherever it might be in your computer, I would suggest you just do a file search (i.e. search through all the source files for the keyword "LoadLibrary") or, if you know the name of the dll, just search through the system and system32 folders (and don't forget to tune the folder options such that Windows doesn't hide system files like DLLs). It is also possible that the dll was embedded in the resource section of the executable; in this case you should be able to get its resource address and dump the content to a file (how to do that is out of my realm of knowledge, but I know it's possible).

Edited 6 Years Ago by mike_2000_17: n/a
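
Added example (not part of the original thread or any poster's code): the Windows loader places each PE section at its VirtualAddress, while the file on disk stores it at PointerToRawData, so a byte-for-byte dump of a mapped image does not match the file layout. The portable C++ sketch below decodes the PE headers by offset and copies each section back to its file offset. The names `unmap_image` and `sample_dump` and the sample image are constructed for illustration; it assumes the dump starts at the module's load address and covers the whole image, and it does not undo relocations or import-table changes made by the loader.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Every access is bounds-checked: a memory dump is untrusted input.
static void need(const Bytes& b, size_t off, size_t n) {
    if (off > b.size() || n > b.size() - off) throw std::runtime_error("out of bounds");
}
static uint32_t rd(const Bytes& b, size_t off, int n) {  // little-endian read
    need(b, off, n);
    uint32_t v = 0;
    for (int i = 0; i < n; ++i) v |= uint32_t(b[off + i]) << (8 * i);
    return v;
}
// unmap_image (hypothetical name): memory layout -> on-disk layout.
Bytes unmap_image(const Bytes& mem) {
    if (rd(mem, 0, 2) != 0x5A4D) throw std::runtime_error("no MZ header");
    size_t pe = rd(mem, 0x3C, 4);                        // e_lfanew
    if (rd(mem, pe, 4) != 0x4550) throw std::runtime_error("no PE signature");
    size_t nsec = rd(mem, pe + 6, 2);                    // NumberOfSections
    size_t sec = pe + 24 + rd(mem, pe + 20, 2);          // table follows optional header
    size_t hdrs = rd(mem, pe + 24 + 60, 4);              // SizeOfHeaders
    need(mem, 0, hdrs);
    Bytes file(mem.begin(), mem.begin() + hdrs);         // headers are the same in both layouts
    for (size_t i = 0; i < nsec; ++i, sec += 40) {       // 40-byte section headers
        size_t vsize = rd(mem, sec + 8, 4), va = rd(mem, sec + 12, 4);
        size_t rawSize = rd(mem, sec + 16, 4), rawPtr = rd(mem, sec + 20, 4);
        if (rawSize == 0) continue;                      // uninitialized data: nothing in the file
        size_t n = (vsize && vsize < rawSize) ? vsize : rawSize;
        need(mem, va, n);
        // Sanity bound (assumption: file offsets never exceed the image size).
        if (rawPtr > mem.size() || rawSize > mem.size()) throw std::runtime_error("implausible raw offset");
        if (file.size() < rawPtr + rawSize) file.resize(rawPtr + rawSize, 0);
        std::memcpy(&file[rawPtr], &mem[va], n);         // move section to its file offset
    }
    return file;
}
// Constructed sample: a 0x3000-byte "mapped" image with two sections.
Bytes sample_dump() {
    Bytes m(0x3000, 0);
    auto wr = [&](size_t o, uint32_t v, int n) { for (int i = 0; i < n; ++i) m[o + i] = uint8_t(v >> (8 * i)); };
    wr(0, 0x5A4D, 2); wr(0x3C, 0x80, 4); wr(0x80, 0x4550, 4);   // MZ, e_lfanew, "PE\0\0"
    wr(0x86, 2, 2); wr(0x94, 0xE0, 2); wr(0xD4, 0x200, 4);      // 2 sections, opt hdr size, SizeOfHeaders
    wr(0x180, 5, 4); wr(0x184, 0x1000, 4); wr(0x188, 0x200, 4); wr(0x18C, 0x200, 4);  // .text
    wr(0x1A8, 3, 4); wr(0x1AC, 0x2000, 4); wr(0x1B0, 0x200, 4); wr(0x1B4, 0x400, 4);  // .data
    std::memcpy(&m[0x1000], "CODE!", 5); std::memcpy(&m[0x2000], "DAT", 3);
    return m;
}
int main() { return unmap_image(sample_dump()).size() == 0x600 ? 0 : 1; }
```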

Thanks for the reply.
The file created by my code has some lines that are almost the same as the dll when I open it with Notepad. The file loaded by the program is not from system32, it's somewhere in the program files. I actually know the name of the dll, however searching for it in the source files I don't find that file name. The LoadLibrary search was one of the first things I tried. In some parts I see what dlls it loads, but in others I have to trace back many functions to see the actual name of the dll it passes into LoadLibrary(), which is really hard when you don't have source code. This program is a game actually and it's 10+ GB and it looks like the dll is somewhere in the game files (not the folders), so digging there will take much time to find the files, and most things are encrypted actually. I will try this thing about the resource section you said.

I think these functions should be a good starting point:

FindResource

LoadResource

LockResource

SizeofResource

And to actually save this to a file, the function you have posted earlier is not good at all. Say you use the above to get a pointer (ptr) and a size in bytes (size), then you save with:

std::ofstream file;
// binary mode so the bytes are written unmodified
file.open("myfile.dll", std::ios::out | std::ios::binary);
file.write((char*)ptr, size);
file.close();

Edited 6 Years Ago by mike_2000_17: n/a

Hi,

Yes, looks like these resource functions are useful, thanks. I used the code in here:
http://msdn.microsoft.com/en-us/library/ms648008%28v=VS.85%29.aspx#_win32_Updating_Resources
under "Creating a Resource List" to create a list of the resources, however I didn't see the file I was looking for in that list. I am getting good at ASM and IDA right now and it's useful for such things. What I did was put a "write" breakpoint at the address where the pointer to the loaded dll was, so it pointed me in some direction.

// :IDEA:

If you can find the DLL name then you could go to http://www.sysinternals.com/ and download Process Explorer. Don't worry about viruses in Process Explorer, because Sysinternals is a Microsoft-friendly site.

Then open it (procexp.exe) and go to View menu -> Lower Pane View -> DLLs.

Then select the dll, right click and choose Properties.

And it is not only Process Explorer by Sysinternals that shows the paths to the DLLs. Other tools like Dependency Walker, SoftICE and OllyDbg show it too.

Sorry, use this: http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx
It shows the pathname directly,

and don't worry about downloading programs from Sysinternals and giving them privileges.

Edited 6 Years Ago by NicAx64: n/a

NicAx has a good point, just to add my thought: if that DLL is, as you say, tehmarto, in an encrypted resource file in the game-data folder (and that is why you can't just do a file search for it), there is at least a chance that the game extracts the DLL to a temporary (hidden) location and then loads it from there. In that case, the program NicAx suggested might be able to find that temporary DLL while the game is running (or at least while it is loading up, because they might just delete the temporary file after loading it).

Hello again,
Thanks for the info. http://technet.microsoft.com/en-us/sysinternals/bb896656.aspx I have tried that and it doesn't show the dll's location either; the other link has many tools and I don't know which to use. Anyway, if any of you want, you can PM me with Skype or another way I can contact you and I can show you the game. I've got it disassembled and pseudocode with Hex-Rays, and also got function names related to the dll. It should be interesting to you too how a dll can be hidden so a guy can't find it for days :) .
Edit: I'm thinking about putting breakpoints in the game everywhere there is "LoadLibrary"; that's the only way to load a dll, right? However, now it's sleeping time here so I will do that tomorrow :D .

Edited 6 Years Ago by tehmarto: n/a
