Converting an EXE to a DLL

I’ve been doing some crazy experiments on running an EXE as a DLL. Here are some parts of my research.

Case #1

Let’s take a simple example like a MessageBox.

After compiling the EXE, we have to change the Characteristics field under NT Header -> File Header so that the image is marked as a DLL. I will use the value 0x2000 | 0x2 | 0x100 = 0x2102, i.e. IMAGE_FILE_DLL | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE. Make sure IMAGE_FILE_RELOCS_STRIPPED (0x1) is not set: an EXE is usually mapped at its preferred ImageBase, but a DLL almost never is, so the image needs its relocation table to be loadable.

Next, I created an export table manually. I added a new section named ‘.edata’ with 0x40300040 as its characteristics (IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_ALIGN_4BYTES | IMAGE_SCN_MEM_READ), since it only needs to be readable. The section name itself is arbitrary; the loader finds the export table through the data directory, not by name.

Make sure to point the Export Directory entry of the optional header's data directory at the new section: set its RVA to the start of the export directory and enter the Export Directory Size.

Now we have to create an Export Directory with an Export Address Table (EAT). In this case I built it manually in a hex editor, entering the exact offsets and addresses. You can, of course, write a tool to automate this painful process.

Here’s a diagram explaining the Export Directory inside the raw file. I hope this helps. The exported function name is ‘Run’ and the DLL name is ‘abc.dll’; the DLL name doesn’t really matter in this specific case. Follow the AddressOfNames field, whose LSB is 0x2C: raw offset 0x1962C contains the Name RVA 0x1E03A, which in turn points to raw offset 0x1963A, where the string “Run” lives. Once you understand this chain of pointers it’s easy to tweak the directory by hand and add your own entries to the raw file.

If all goes well, the EAT should look like this. Now point the exported function’s RVA (the AddressOfFunctions entry) at the OEP, or at the DLL entry point. Our exported function name is ‘Run’.

We also need a new DllEntry point, and AddressOfEntryPoint must be changed to point at it. DllEntry can be something simple like this: once the process attaches (DLL_PROCESS_ATTACH), call the OEP. I placed it in a code cave in this case; you can add a separate executable section if you prefer. Bear in mind that the CRT startup code at an EXE’s OEP normally ends by calling ExitProcess, so once the original program finishes, the host process exits with it.

Let’s write this in raw assembly.

That’s it! Now we can run our DLL with rundll32 by calling the exported function (rundll32 abc.dll,Run).

You can download the file from here.
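The steps above (flip the Characteristics flag, append an export section, hand-build the export directory and EAT, add a DllMain stub and repoint AddressOfEntryPoint) are exactly what the "nice tool" mentioned earlier would do. The script below is an added example of such a tool and is not the author's code or the file linked above. It assumes a 32-bit PE32 image and an x86 stdcall DllMain; it reuses the export name ‘Run’ and DLL name ‘abc.dll’ from the write-up; `build_minimal_exe` constructs a toy EXE (a single RET at the OEP) so the script runs offline; and, unlike the author's read-only ‘.edata’ section, the new section is marked executable because the DllMain stub lives in it instead of a code cave. `read_exports` re-walks the pointer chain described above (data directory -> export directory -> AddressOfNames -> string) as a check that the tables are consistent.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
SCN_CODE_AND_DATA = 0x60000060  # CNT_CODE|CNT_INITIALIZED_DATA|MEM_EXECUTE|MEM_READ: EAT and stub share it

def align(v, a):
    return (v + a - 1) // a * a

def build_minimal_exe():
    """Constructed toy PE32 EXE (not a compiled binary): one .text section whose OEP at RVA 0x1000 is a RET."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<II", opt, 16, 0x1000, 0x1000)             # AddressOfEntryPoint, BaseOfCode
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    text = struct.pack("<8sIIIIIIHHI", b".text", 1, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + file_hdr + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + b"\xC3".ljust(0x200, b"\0")

def exe_to_dll(data, export_name=b"Run", dll_name=b"abc.dll"):
    """Return a copy of a PE32 EXE patched to load as a DLL that exports `export_name` -> OEP."""
    pe = bytearray(data)
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    fh, opt = nt + 4, nt + 24
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0" or struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    nsec = struct.unpack_from("<H", pe, fh + 2)[0]
    opt_size, chars = struct.unpack_from("<HH", pe, fh + 16)
    if chars & IMAGE_FILE_RELOCS_STRIPPED:
        raise ValueError("relocations stripped: a DLL is rarely mapped at its ImageBase, so it must be relocatable")
    oep = struct.unpack_from("<I", pe, opt + 16)[0]
    sec_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    sec_tbl = opt + opt_size
    if sec_tbl + (nsec + 1) * 40 > struct.unpack_from("<I", pe, opt + 60)[0]:
        raise ValueError("no room in SizeOfHeaders for another section header")
    last_vsize, last_va, last_rawsize = struct.unpack_from("<III", pe, sec_tbl + (nsec - 1) * 40 + 8)
    new_rva = align(last_va + max(last_vsize, last_rawsize), sec_align)
    new_raw = align(len(pe), file_align)
    # New section body: IMAGE_EXPORT_DIRECTORY (40 bytes), one entry in each of the three tables, two strings.
    body = bytearray(40)
    funcs_off = len(body); body += struct.pack("<I", oep)            # AddressOfFunctions[0] -> OEP
    names_off = len(body); body += struct.pack("<I", 0)              # AddressOfNames[0], patched once placed
    ords_off = len(body); body += struct.pack("<H", 0)               # AddressOfNameOrdinals[0] -> Base + 0
    dllname_off = len(body); body += dll_name + b"\0"
    fname_off = len(body); body += export_name + b"\0"
    struct.pack_into("<I", body, names_off, new_rva + fname_off)
    # Characteristics, TimeDateStamp, Major/MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames, 3 tables
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, new_rva + dllname_off, 1, 1, 1,
                     new_rva + funcs_off, new_rva + names_off, new_rva + ords_off)
    export_size = len(body)
    # DllMain stub (stdcall, 3 args): on DLL_PROCESS_ATTACH call the OEP, then return TRUE.
    body += b"\0" * (-len(body) % 16)
    stub_rva = new_rva + len(body)
    rel32 = (oep - (stub_rva + 12)) & 0xFFFFFFFF                     # E8 sits at stub+7, next insn at stub+12
    body += (b"\x83\x7C\x24\x08\x01" b"\x75\x05"                     # cmp dword [esp+8], 1 ; jne +5
             b"\xE8" + struct.pack("<I", rel32) +                    # call OEP
             b"\xB8\x01\x00\x00\x00" b"\xC2\x0C\x00")                # mov eax, 1 ; ret 0Ch
    raw_size = align(len(body), file_align)
    struct.pack_into("<8sIIIIIIHHI", pe, sec_tbl + nsec * 40, b".edata", len(body), new_rva,
                     raw_size, new_raw, 0, 0, 0, 0, SCN_CODE_AND_DATA)
    struct.pack_into("<H", pe, fh + 2, nsec + 1)                     # NumberOfSections
    struct.pack_into("<H", pe, fh + 18, chars | IMAGE_FILE_DLL)      # mark the image as a DLL
    struct.pack_into("<I", pe, opt + 16, stub_rva)                   # AddressOfEntryPoint -> DllMain stub
    struct.pack_into("<I", pe, opt + 56, align(new_rva + len(body), sec_align))  # SizeOfImage
    struct.pack_into("<II", pe, opt + 96, new_rva, export_size)      # DataDirectory[EXPORT]: RVA, Size
    return bytes(pe) + b"\0" * (new_raw - len(pe)) + bytes(body).ljust(raw_size, b"\0")

def rva_to_offset(pe, rva):
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    sec_tbl = nt + 24 + struct.unpack_from("<H", pe, nt + 20)[0]
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, sec_tbl + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not inside any section" % rva)

def cstr(pe, off):
    return bytes(pe[off:pe.index(b"\0", off)])

def read_exports(pe):
    """Walk the chain the article traces by hand: data directory -> export directory -> names/ordinals/functions."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    d = rva_to_offset(pe, struct.unpack_from("<I", pe, nt + 24 + 96)[0])
    name_rva, base, nfunc, nnames, funcs, names, ords = struct.unpack_from("<IIIIIII", pe, d + 12)
    exports = {}
    for i in range(nnames):
        name_off = rva_to_offset(pe, struct.unpack_from("<I", pe, rva_to_offset(pe, names) + 4 * i)[0])
        ordinal = struct.unpack_from("<H", pe, rva_to_offset(pe, ords) + 2 * i)[0]
        exports[cstr(pe, name_off)] = struct.unpack_from("<I", pe, rva_to_offset(pe, funcs) + 4 * ordinal)[0]
    return cstr(pe, rva_to_offset(pe, name_rva)), exports
```

To convert a real 32-bit EXE, read it and write the result of `exe_to_dll` to a new file, then load it with rundll32 as above. The relocation check is the one that bites in practice: an EXE linked without relocations loads fine as a process but cannot be rebased when the loader maps it as a DLL into an address already taken by the host.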

Case #2

I was also experimenting with apps that have a GUI. A GUI program obtains its HINSTANCE with GetModuleHandle(NULL) and uses it to register window classes and load resources; once the code lives in a DLL, that call returns the base of the host EXE rather than ours. So for this case we have to redirect the target’s GetModuleHandle call so that it returns our module’s handle instead of the loading EXE’s, and then call the OEP. As before, I first turned the EXE into a DLL by adding the DllEntry and changing the PE headers, then created an export table manually and exported the RVA of the OEP as “Run”.

For this example, I used the game Minesweeper.

These are two simple examples. I hope they come in handy, you know 😉
