Debugging DLL’s – 3 techniques to help you get started

0

One day of some redteam engagements, we discover ourselves in the need of writing DLL’s. On the opposite hand, debugging DLL’s is no longer as easy because it appears to be, as a DLL isn’t built to scramble on its own.

On this article, we will give you the option to explore the model to debug a DLL successfully.

What’s a DLL?

A DLL is transient for a dynamically linked library. It’s a modular approach of writing code. DLL’s are written in C or C++ and, beneath odd conditions, aid as a library which functions can entry to make functions out of. To some extent, that you too can examine a DLL with a python kit, or an npm kit, any library with out a doubt. The next image illustrates the conception that of a DLL vs an EXE reasonably wisely:

DLL vs EXE – A comparability – image courtesy of Pediaa.com

As already talked about in the preamble, a DLL is no longer made to be carried out on its own, which skill the feeble approach of debugging can’t be performed out of the sector.

Debugging manner 1: The utilization of OutputDebugString

Microsoft has a function in kernel32.dll (oh procure out a few DLL!) known as OutputDebugString which is in a discipline to print the contents of the string into a diagram debugger. Visible Studio has inbuilt capabilities to determine on these outputs (extra about that later). My diagram debugger of alternative is Dbgview.exe of the sysinternals suite. For instance how OutputDebugString works, I even bear ready a bit fragment of demo code:

// dllmain.cpp : Defines the entry point for the DLL utility.
#contain "pch.h"

void DemoFunction()
{
#ifdef _DEBUG
    OutputDebugStringA("[DBG] hi there from demofunction!n");
#endif
    MessageBoxA(NULL, "That is a demo!", "DLLDEMO", MB_OK);
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    swap (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
#ifdef _DEBUG
        OutputDebugStringA("[DBG]hi there from DllMain!");
#endif
        DemoFunction();
        spoil;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        spoil;
    }
    return TRUE;

}

As proof that a DLL cannot scramble by itself I are trying to initiating the DemoDLL the utilization of the scramble button in Visible Studio and accumulate greeted by this puny man:

DLL’s don’t scramble on their own…

Happily, Microsoft has a built-in DLL loader known as rundlll32.exe, but rundll32.exe can also furthermore be stressful while you happen to don’t bear any exported functions (= functions to be dilapidated by other functions) on your DLL. My colleague Didier Stevens explains DLL entrypoints reasonably wisely in his own blogpost. Within the event that you too can be fascinated by studying extra about that, please test it out!

As a result of pains of coping with entry functions, I even bear made a skeleton DLL loader program, without issues modifiable to fit your individual needs, it will also furthermore be realized here: https://github.com/NVISO-BE/DLLoader

As you’re going to be in a discipline to look in the Demo code, all my ouput debug strings bear “[DBG]” in them, this became no longer carried out without reason.

Dbgview is a diagram debugger, which is in a discipline to make a ton of noise, looking on what that you too can bear achieve apart in on the diagram. On the opposite hand, Dbgview has filter alternate choices. Because all debug strings bear “[DBG]” we can deliver Dbgview to handiest display hide us these messages like so:

The DebugViewer filter to handiest display hide strings containing [DBG]

The entirety is setup, time to scramble our DLL and procure out about on the DebugView output:

The conclude results of the utilized filter and running the DLL

As expected, the DebugView output presentations our debug strings completely!

Debugging manner 2: the utilization of Printf

This form makes expend of printf as but every other of OutputDebugString so let us adapt our code:

// dllmain.cpp : Defines the entry point for the DLL utility.
#contain "pch.h"
#contain 

void DemoFunction()
{
#ifdef _DEBUG
   printf("[DBG] hi there from demofunction!rn");
#endif
    MessageBoxA(NULL, "That is a demo!", "DLLDEMO", MB_OK);
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    swap (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
#ifdef _DEBUG
        printf("[DBG]hi there from DllMain!rn");
#endif
        DemoFunction();
        spoil;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        spoil;
    }
    return TRUE;

}


The utilization of the DLL loader, we will give you the option to look all output of printf written to the DLL loader program’s odd output, which on this case is our console window.

Demo of the DLL loader program

Debugging manner 3: The utilization of the DLL Loader to debug in Visible Studio

Now that now we bear a surrogate DLL loader mechanism, we can deliver Visible Studio to make expend of it as a parent job, this approach we can scramble the DLL in the Visible Studio debugging atmosphere, and we will give you the option to be in a discipline to debug DLL’s loyal like that it’s possible you’ll well well be in a discipline to debug EXE’s.

Crawl to mission properties and gain the Debugging tab

How to construct up to the debugging property window in Visible Studio

Within the Notify discipline, specify the move to the DLL loader executable, in the Notify Arguments discipline, specify the arguments for the DLL loader, on this case the move to the debug demo DLL, as we conclude no longer bear any exported function, we’re no longer the utilization of a second argument. Within the event that you too can be looking to make expend of a second argument, you’re going to be in a discipline to, loyal like that it’s possible you’ll well well in the console.

The debug property window in Visible Studio

Now we can setup some breakpoints in Visible Studio:

Instance of environment breakpoints in Visible Studio

Launching the DLL can now be carried out the utilization of the fairway play button in Visible studio itself, this can deliver the DLL loader to initiating with the arguments specified in the mission properties internet page.

As you’re going to be in a discipline to look, Visible Studio will now accurately hit and take care of breakpoints as odd:

Displaying that spoil functions are being hit now that DLL loader is being dilapidated as a surrogate program

Because the printf statements are serene there, they’re going to serene accumulate printed to the Console as successfully:

Displaying printf output logging to console as a result of the DLL loader,whereas debugging in Visible Studio

Conclusion

Looking on the complexity of your DLL code, extra in most cases than no longer you’re going to bear to serene be in a discipline to construct up away with the utilization of the DLL loader in Visible Studio so you’re going to be in a discipline to debug like that it’s possible you’ll well well debug every other program. Optionally you’re going to be in a discipline to mix the DLL loader with printf statements so you’ll look a genuine-time overview of what’s occurring by the console output of the DLL loader.

On the opposite hand, if your DLL is doing advanced operations equivalent to growing unusual threads or doing asynchronous calls, OutputDebugString is a more in-depth option, as the DLL loader obtained’t gain any unusual threads or async calls in consideration.

This concludes our day out into the debugging world of DLL’s. I hope this blogpost became instructive and has taught you one thing functional!

About the author

Jean-François Maes is a crimson teaming and social engineering professional working in the NVISO Cyber Resilience crew. When he’s no longer working, you’re going to be in a discipline to doubtlessly procure Jean-François in the Gymnasium or conducting examine. Other than his work with NVISO, he is furthermore the creator of redteamer.pointers, a internet residing dedicated to aid crimson teamers.

He became furthermore ranked #1 on the Belgian leaderboard of Hack The Box (a favored penetration testing platform).

You too can procure Jean-François on LinkedIn , Twitter , GitHub and on Hack The Box.

Read More

Leave A Reply

Your email address will not be published.