LoadLibrary and the PE Loader

I recently stumbled upon an interesting behaviour of the PE loader. Before releasing a new Hyperion version, I usually test it with several executables on different Windows platforms. In my old XP VM, everything went fine. Next, I started a Windows 7 instance and encrypted calc.exe with the following command:

hyperion -k 2 -s 2 -l c:\windows\system32\calc.exe test.exe

The options -k and -s reduce the key space to four and speed up the brute-forcing process. Due to -l, a log file is generated upon execution of test.exe. Unfortunately, the calculator doesn't show up when we double-click the encrypted file. Log.txt shows the following results:

Processing Import Directory:
COMCTL32.dll
Name: ImageList_Destroy
Name: ImageList_Add
Name: ImageList_Create
Ordinal: 0000019D
Name: CreatePropertySheetPageW
Name: PropertySheetW
Ordinal: 0000017C

Error

According to the log file, an API couldn't be loaded. It is located in comctl32.dll and has the ordinal 0x17c. This is kinda strange. Therefore, I started LordPE and took a look into the export table of comctl32.dll. Indeed, there is no API which uses the ordinal 0x17c. I also analyzed the import table of calc.exe and found the entry 0x17c. So there must be a difference between Hyperion (which uses LoadLibrary()) and the Windows PE loader. As a next step, I started OllyDbg. My goal was to compare the memory maps of calc.exe and test.exe:

  • The memory map of the genuine calc.exe is available here.
  • The memory map of the encrypted test.exe is available here.

According to both memory maps, two different versions of comctl32.dll have been loaded. The packed executable receives version 5.82 through its LoadLibrary() call. The unmodified calc.exe, which goes through the PE loader, receives comctl32.dll version 6.10.
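The export-table check I did by hand in LordPE can be scripted. The following is an added example and not part of Hyperion: it parses the export directory of a DLL image read from disk and lists the ordinals an import table asks for that the file does not actually export. The sample image is a constructed minimal PE32, not comctl32.dll; on a real system you would feed it the bytes of the comctl32.dll that LoadLibrary() actually mapped (the path visible in the memory map).

```python
import struct

# Added example: the export-table check the post did by hand in LordPE.
# Parse a PE DLL image and return the set of ordinals it really exports
# (Base + index for every non-zero entry in AddressOfFunctions).

def _rva_to_offset(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def exported_ordinals(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)   # DataDirectory[0] = export table
    exp_rva = struct.unpack_from("<I", data, dd)[0]
    sections = []
    for i in range(nsec):                         # section table follows the optional header
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return set()
    exp = _rva_to_offset(sections, exp_rva)
    base, nfunc, _nnames, func_rva = struct.unpack_from("<IIII", data, exp + 16)
    rvas = struct.unpack_from("<%dI" % nfunc, data, _rva_to_offset(sections, func_rva))
    return {base + i for i, rva in enumerate(rvas) if rva != 0}

def missing_ordinals(dll_data, wanted):
    """Ordinals an import table asks for that this DLL image does not export."""
    have = exported_ordinals(dll_data)
    return sorted(o for o in wanted if o not in have)

def build_sample_dll():
    """Constructed minimal PE32 DLL (not comctl32.dll): exports 0x19D and 0x19E only."""
    base, funcs = 0x19C, [0, 0x1000, 0x1010]      # ordinal 0x19C has a zero RVA: not exported
    export = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, base, len(funcs), 0, 0x2028, 0, 0)
    export += struct.pack("<%dI" % len(funcs), *funcs)
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<III", 16, 0x2000, 40) + b"\0" * 120
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sec_hdr = b".edata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + sec_hdr
    return headers.ljust(0x200, b"\0") + export.ljust(0x200, b"\0")

if __name__ == "__main__":
    print("missing:", [hex(o) for o in missing_ordinals(build_sample_dll(), [0x19D, 0x17C])])
```

Running it against the constructed image reports 0x17c as missing, which is exactly what the Hyperion log above complains about.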

Conclusion

There seems to be a difference between LoadLibrary() and the Windows PE loader. LoadLibrary() maps older versions of some system libraries into memory, which can cause trouble because of missing or wrong API ordinals. I haven't yet found out the reason for this behaviour. The import table of PE files does not provide version information at all. If anybody knows, please let me know.
