Change imported Dll name?

2019-08-29 10:19发布

问题:

In a Portable-Executable ,we can change the imported dll name ,by editing PE file , here , i had changed in one imported dll name of application exe,that time it changed normally ....e.g advapi32.dll to ^dvapi32.dll ,so here system32 or any other PATH location doesnt have ^dvapi32.dll ..this time simply i changed the real advapi32.dll into ^dvapi32.dll and put in the application directory ,this time its work fine ....but when i am trying with ntdll & gdi32.dll ,it doesnt supported ,i cant resolve the problem ,pls help me towards the problem ..thanks.

回答1:

System Dlls like GDI32.DLL are loaded into memory when Windows starts as they provide essential Windows OS functions (in this case, graphical functions). Some DLLs are built with a fixed ImageBase (suspect this applies to the most essential system DLLs e.g KERNEL32, GDI32.DLL, USER32.DLL) and copying and renaming this type of DLLs and referencing them will not work, not without modifying their ImageBase in the PE header.

This occurs because they will attempt to load themselves into memory specified by ImageBase and fail, since the particular memory location is already occupied by the original DLL already in memory and their fixed ImageBase prevents them from loading at alternative memory locations. DLLs without a fixed ImageBase will be relocated by Windows to use another memory location and run without problems.

If the ImageBase of the DLL copy is changed to a different value, DLLs with a fixed ImageBase will work properly provided that the memory location pointed by ImageBase is unoccupied.

While I have tested this approach successfully on a copy of Notepad and then changing the imported DLL names and ImageBases of the DLL copies on Windows XP, I STRONGLY DISCOURAGE this fiddling with imports and tampering of Windows system DLLs in this manner.