由于未知错误,使用 DLL 代理失败

逆向工程 C++ dll
2021-07-02 20:01:19

我正在使用带有此处描述代码的 dll 代理,但遇到了很多麻烦。

首先,我在 Windows 7 上使用 VS2012,目标是在 Windows XP 上。所以我需要:

  1. 在目标计算机上安装 VCRedist(如果可能的话,我想解决这个问题,建议将非常有用)
  2. 将我的 VS 更新到至少更新 1(我已经更新到更新 4)以获得 XP 编译支持。

我做了这两个,错误已经改变。但是当程序启动时我仍然收到这个错误:

The application failed to initialize properly (0xc000007b)

它不会运行。

我使用的 DLL 代理基本上是代码项目文章中的默认示例。我在 DllMain 上添加了一个消息框和一个日志文件,但它没有显示,这意味着 dll 甚至没有加载 - 但我不明白为什么。

我该如何调试?这是编译配置问题吗?

编辑:我写了一个测试程序,用我的 dll 代理调用 LoadLibrary,它工作正常。所以我认为这不是 CRT dll 的事情。无论如何,这是我用 /MT 编译后来自 WinDbg 的信息(对不起,我不得不删除公司和应用程序名称):

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\AppName\AppName.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 12400000 12bdb000   AppName.exe
ModLoad: 7c900000 7c9b2000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 60000000 6006d000   C:\WINDOWS\cdmapi32.dll
ModLoad: 73dd0000 73ece000   C:\WINDOWS\system32\MFC42.DLL
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 5d090000 5d12a000   C:\WINDOWS\system32\COMCTL32.dll
ModLoad: 774e0000 7761e000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 76080000 760e5000   C:\WINDOWS\system32\MSVCP60.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.dll
ModLoad: 76380000 76385000   C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 00340000 00356000   C:\Program Files\AppName\DllName.dll
(dc8.68c): Unknown exception - code c000007b (first chance)
(dc8.68c): Unknown exception - code c000007b (!!! second chance !!!)
eax=0012fc54 ebx=00000000 ecx=0012fc80 edx=7c90e514 esi=7ffdc000 edi=c000007b
eip=7c9673be esp=0012fc54 ebp=0012fca4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
ntdll!RtlRaiseStatus+0x26:
7c9673be c9              leave

我检查了 procmon,这是最后几行:

9:56:07.8699734 PM  AppName.exe 496 QueryOpen   C:\Program Files\AppName\DllName.dll    SUCCESS CreationTime: 8/31/2014 2:14:39 PM, LastAccessTime: 8/31/2014 9:55:22 PM, LastWriteTime: 8/31/2014 7:14:29 PM, ChangeTime: 8/31/2014 7:14:29 PM, AllocationSize: 73,728, EndOfFile: 70,656, FileAttributes: A
9:56:07.8704646 PM  AppName.exe 496 QueryOpen   C:\Program Files\AppName\DllName.dll    SUCCESS CreationTime: 8/31/2014 2:14:39 PM, LastAccessTime: 8/31/2014 9:55:22 PM, LastWriteTime: 8/31/2014 7:14:29 PM, ChangeTime: 8/31/2014 7:14:29 PM, AllocationSize: 73,728, EndOfFile: 70,656, FileAttributes: A
9:56:07.8709551 PM  AppName.exe 496 CreateFile  C:\Program Files\AppName\DllName.dll    SUCCESS Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
9:56:07.8713057 PM  AppName.exe 496 CreateFileMapping   C:\Program Files\AppName\DllName.dll    SUCCESS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
9:56:07.8714685 PM  AppName.exe 496 CreateFileMapping   C:\Program Files\AppName\DllName.dll    SUCCESS SyncType: SyncTypeOther
9:56:07.8718270 PM  AppName.exe 496 CloseFile   C:\Program Files\AppName\DllName.dll    SUCCESS 
9:56:07.8724308 PM  AppName.exe 496 Load Image  C:\Program Files\AppName\DllName.dll    SUCCESS Image Base: 0x340000, Image Size: 0x16000
9:56:07.8737372 PM  AppName.exe 496 CreateFile  C:\Program Files\AppName\DllName.dll.2.Manifest NAME NOT FOUND  Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
9:56:07.8746961 PM  AppName.exe 496 CreateFile  C:\Program Files\AppName\DllName.dll.2.Config   NAME NOT FOUND  Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
9:56:09.0143355 PM  AppName.exe 496 Thread Exit     SUCCESS Thread ID: 4064, User Time: 0.0000000, Kernel Time: 0.0468750
9:56:09.0151822 PM  AppName.exe 496 Process Exit        SUCCESS Exit Status: -1073741701, User Time: 0.0156250 seconds, Kernel Time: 0.0468750 seconds, Private Bytes: 2,572,288, Peak Private Bytes: 2,588,672, Working Set: 1,761,280, Peak Working Set: 1,765,376
9:56:09.0158711 PM  AppName.exe 496 CloseFile   C:\Program Files\AppName    SUCCESS

它似乎无法搜索清单和配置文件。这是一个问题吗?

1个回答

该问题的发生是由于目标计算机上缺少所需的 CRT DLL。为避免这种情况,您可以静态链接 CRT。在 VS 中使用多线程 (/MT)链接器标志。这样你也不需要在目标计算机上安装VCRedist

更多信息在这里

另一种方法是在目标机器上安装Dependency Walker,打开所需的 PE 文件并注意缺少哪些依赖项,然后将所需的依赖项复制到那里。

其它你可能感兴趣的问题
上一篇重建的可执行文件中的 iat 错误 下一篇如何确定病毒中哪些导入的函数决定了它的行为?