Introduction
You have been warned not to load an executable with LoadLibrary(), you have probably tried to do so and your application crashed. Therefore you thought that it is not possible.
Actually, it is quite possible. Le't see how.
Disclaimer
This is somewhat against what Microsoft has to say about it. Actually, they never say "don't load it". They just say "don't use LoadLibrary() to run an executable, use CreateProcess() instead". Who said anything about running the EXE? Therefore, what I will present here is compatible enough, at least for the mighty reader. But don't use this stuff in production code unless you know very well what you are doing. You have been warned.
Preparing the Executable
The first required thing to do is to mark the executable as relocatable with the ability to load at any base address (as any DLL). This is done with the /FIXED:NO, and you can improve security by using /DYNAMICBASE (which is on by default) as well. EXE files might be linked with /FIXED:YES in which all relocation information from the executable is stripped and the EXE can only be load in it's prefered base address, which, unless set by the /BASE option is 0x400000.
The next thing to prepare is the exported functions we will call from another EXE, this is of course similar to the DLL way:
extern "C" void __stdcall some_func()
{
...
}
#ifdef _WIN64
#pragma comment(linker, "/EXPORT:some_func=some_func")
#else
#pragma comment(linker, "/EXPORT:some_func=_some_func@0")
#endif
LoadLibrarying the Executable
Do not load the executable with LoadLibraryEx() specifying LOAD_LIBRARY_AS_DATAFILE or LOAD_LIBRARY_AS_IMAGE_RESOURCE. Doing so will not export the exported functions from the EXE and GetProcAddress() to it will fail.
After a call to LoadLibrary(), we get a valid HINSTANCE handle. However, when loading an .EXE file with LoadLibrary() , two important things are NOT happening:
- The CRT is not initialized, including any global variables and,
- The Import Address Table is not correctly configured, which means that all calls to imported functions will crash.
Updating the Import Table
We then first have to update the Import Table for the executable. The following function demonstrates the way, with error-checkind removed from simplicity (in the project file, the function is fully implemented):
void ParseIAT(HINSTANCE h)
{
DWORD ulsize = 0;
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(h,TRUE,IMAGE_DIRECTORY_ENTRY_IMPORT,&ulsize);
if (!pImportDesc)
return;
for (; pImportDesc->Name; pImportDesc++)
{
PSTR pszModName = (PSTR)((PBYTE)h + pImportDesc->Name);
if (!pszModName)
break;
HINSTANCE hImportDLL = LoadLibraryA(pszModName);
if (!hImportDLL)
{
}
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)
((PBYTE)h + pImportDesc->FirstThunk);
for (; pThunk->u1.Function; pThunk++)
{
FARPROC pfnNew = 0;
size_t rva = 0;
#ifdef _WIN64
if (pThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
#else
if (pThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
#endif
{
#ifdef _WIN64
size_t ord = IMAGE_ORDINAL64(pThunk->u1.Ordinal);
#else
size_t ord = IMAGE_ORDINAL32(pThunk->u1.Ordinal);
#endif
PROC* ppfn = (PROC*)&pThunk->u1.Function;
if (!ppfn)
{
}
rva = (size_t)pThunk;
char fe[100] = {0};
sprintf_s(fe,100,"#%u",ord);
pfnNew = GetProcAddress(hImportDLL,(LPCSTR)ord);
if (!pfnNew)
{
}
}
else
{
PROC* ppfn = (PROC*)&pThunk->u1.Function;
if (!ppfn)
{
}
rva = (size_t)pThunk;
PSTR fName = (PSTR)h;
fName += pThunk->u1.Function;
fName += 2;
if (!fName)
break;
pfnNew = GetProcAddress(hImportDLL,fName);
if (!pfnNew)
{
}
}
auto hp = GetCurrentProcess();
if (!WriteProcessMemory(hp,(LPVOID*)rva,&pfnNew,sizeof(pfnNew),NULL) && (ERROR_NOACCESS == GetLastError()))
{
DWORD dwOldProtect;
if (VirtualProtect((LPVOID)rva,sizeof(pfnNew),PAGE_WRITECOPY,&dwOldProtect))
{
if (!WriteProcessMemory(GetCurrentProcess(),(LPVOID*)rva,&pfnNew,sizeof(pfnNew),NULL))
{
}
if (!VirtualProtect((LPVOID)rva,sizeof(pfnNew),dwOldProtect,&dwOldProtect))
{
}
}
}
}
}
}
This function loops through the entire IAT, replacing invalid references to the imported functions with the correct references got from our OWN IAT table (which are simply taken with LoadLibrary() and GetProcAddress()).
Initializing the CRT
As you know, the entry point of the executable is not WinMain but WinMainCRTStartup(). This function initializes the CRT (assuming that it was linked against the CRT), sets up exception handlers, loads argc and argv and calls WinMain. When WinMain returns, WinMainCRTStartup calls exit().
Therefore you have to export a function from your EXE that calls WinMainCRTStartup:
extern "C" void WinMainCRTStartup();
extern "C" void __stdcall InitCRT()
{
WinMainCRTStartup();
}
The problem with this call is that your WinMain will be called. So you might put a global flag that allows WinMain to do nothing if it is set:
extern "C" void WinMainCRTStartup();
bool DontDoAnything = false;
extern "C" void __stdcall InitCRT()
{
DontDoAnything = true;
WinMainCRTStartup();
}
int __stdcall WinMain(...)
{
if (DontDoAnything)
return 0;
}
But you have another problem. When WinMain returns, WinMainCRTStartup will call exit(), and you don't want that. Therefore you don't want WinMain to return:
int __stdcall WinMain(...)
{
if (DontDoAnything)
{
for(;;)
{
Sleep(60000);
}
}
}
But doing this will block for ever your initialization - therefore you must put it in some thread:
std::thread t([] ()
{
InitCRT();
}
);
t.detach();
But you also want to know when the CRT has finished it's initialization, so the final solution would be to use an event:
HANDLE hEv = CreateEvent(0,0,0,0);
void(__stdcall * InitCRT)(HANDLE) = (void(__stdcall*)(HANDLE)) GetProcAddress(hL,"InitCRT");
if (!InitCRT)
return 0;
std::thread t([&] (HANDLE h)
{
InitCRT(h);
}
,hEv);
t.detach();
WaitForSingleObject(hEv,INFINITE);
And then your other code would be:
extern "C" void WinMainCRTStartup();
HANDLE hEV = 0;
extern "C" void __stdcall InitCRT(HANDLE hE)
{
hEV = hE;
WinMainCRTStartup();
}
int __stdcall WinMain(...)
{
if (hEV)
{
SetEvent(hEV);
for(;;)
{
Sleep(60000);
}
}
}
What is the catch in all this? All your globals are initialized within the context of another thread, and not the main one. If initializing global stuff must be in the main thread, then you can have your WinMain call again your own callback and never return; and then return execution from that callback.
You also run the risk of calling WinMainCRTStartup() twice (the first was from your own executable) in the same address space. Are there any side effects? Who knows.
Calling the EXE functions
After that, calling directly the executable functions should work as expected. I use that technique in my HotPatching article.
Linking to the EXE without LoadLibrary/GetProcAddress
Fortunately, LINK.EXE generates a .lib file for our DLLEXE.EXE and therefore, we can use it to link to the EXE from our EXE as if it was another DLL:
#pragma comment(lib,"..\\dllexe\\dllexe.lib")
extern "C" void __stdcall e0(HANDLE);
extern "C" void __stdcall e1();
We still have to patch the IAT and call the CRT init, but we don't anymore need to GetProcAddress() the functions we need. I like this entry listing from DUMPBIN.EXE:
dllexe.exe
14017B578 Import Address Table
14017BC18 Import Name Table
0 time date stamp
0 Index of first forwarder reference
0 e0
1 e1
Code
The code contains 2 EXE projects in which the one loads the other. Have fun with it.
History
01 - 11 - 2015 : First Release