2012-08-15 205 views
1

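Building a 64-bit DLL with mingw for use with rundll

I'm trying to update my project to 64-bit support. The project builds a 32-bit DLL using the i686-w64-mingw32 toolchain, and that DLL can be launched with rundll.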

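Now I'm trying to build a 64-bit version of it using the x86_64-w64-mingw32 toolchain. I also use -m64 when compiling. The DLL can be built and linked, and it can even be executed. But when I inspect the result in windbg, I get strange results (see the output below). It looks like it loads my mmbbq.dll into a 32-bit address space. It also loads 32-bit versions of some dependencies. You can see this by looking at the base addresses when the modules are loaded. It starts by loading some 64-bit DLLs (maybe rundll dependencies). Then it starts loading 32-bit stuff, and finally my 64-bit DLL in a kind of 32-bit mode. Interestingly, when I check its PE header, my DLL is a 64-bit version.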

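Is there any explanation for this behavior, is there something else I might have messed up, or am I just misreading the output? I think the base addresses should look different from this in 64-bit mode.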

CommandLine: C:\Windows\SysWOW64\rundll32.exe mmbbq.dll rundll_inject 
Starting directory: E:\cygwin\home\will\praty\reversing\mmbbq\dist 
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols 
Executable search path is: 
ModLoad: 00000000`00530000 00000000`0053e000 rundll32.exe 
ModLoad: 00000000`779a0000 00000000`77b49000 ntdll.dll 
ModLoad: 00000000`77b80000 00000000`77d00000 ntdll32.dll 
ModLoad: 00000000`75200000 00000000`7523f000 C:\Windows\SYSTEM32\wow64.dll 
ModLoad: 00000000`751a0000 00000000`751fc000 C:\Windows\SYSTEM32\wow64win.dll 
ModLoad: 00000000`75190000 00000000`75198000 C:\Windows\SYSTEM32\wow64cpu.dll 
(1870.1660): Break instruction exception - code 80000003 (first chance) 
ntdll!LdrpDoDebuggerBreak+0x30: 
00000000`77a4cb60 cc    int  3 
0:000> g 
ModLoad: 00000000`77720000 00000000`7783f000 WOW64_IMAGE_SECTION 
ModLoad: 00000000`76ce0000 00000000`76df0000 WOW64_IMAGE_SECTION 
ModLoad: 00000000`77720000 00000000`7783f000 NOT_AN_IMAGE 
ModLoad: 00000000`77620000 00000000`7771a000 NOT_AN_IMAGE 
ModLoad: 00000000`76ce0000 00000000`76df0000 C:\Windows\syswow64\kernel32.dll 
ModLoad: 00000000`76c30000 00000000`76c76000 C:\Windows\syswow64\KERNELBASE.dll 
ModLoad: 00000000`75520000 00000000`75620000 C:\Windows\syswow64\USER32.dll 
ModLoad: 00000000`75620000 00000000`756b0000 C:\Windows\syswow64\GDI32.dll 
ModLoad: 00000000`76330000 00000000`7633a000 C:\Windows\syswow64\LPK.dll 
ModLoad: 00000000`77220000 00000000`772bd000 C:\Windows\syswow64\USP10.dll 
ModLoad: 00000000`77170000 00000000`7721c000 C:\Windows\syswow64\msvcrt.dll 
ModLoad: 00000000`76b90000 00000000`76c30000 C:\Windows\syswow64\ADVAPI32.dll 
ModLoad: 00000000`76ae0000 00000000`76af9000 C:\Windows\SysWOW64\sechost.dll 
ModLoad: 00000000`764a0000 00000000`76590000 C:\Windows\syswow64\RPCRT4.dll 
ModLoad: 00000000`75260000 00000000`752c0000 C:\Windows\syswow64\SspiCli.dll 
ModLoad: 00000000`75250000 00000000`7525c000 C:\Windows\syswow64\CRYPTBASE.dll 
ModLoad: 00000000`756b0000 00000000`756da000 C:\Windows\syswow64\imagehlp.dll 
(1870.1660): WOW64 breakpoint - code 4000001f (first chance) 
First chance exceptions are reported before any exception handling. 
This exception may be expected and handled. 
ntdll32!LdrpDoDebuggerBreak+0x2c: 
77c20fab cc    int  3 
0:000:x86> g 
ModLoad: 72cb0000 72cfc000 C:\Windows\SysWOW64\apphelp.dll 
ModLoad: 6a090000 6a11d000 C:\Windows\AppPatch\AcLayers.DLL 
ModLoad: 756e0000 7632a000 C:\Windows\syswow64\SHELL32.dll 
ModLoad: 76c80000 76cd7000 C:\Windows\syswow64\SHLWAPI.dll 
ModLoad: 76340000 7649c000 C:\Windows\syswow64\ole32.dll 
ModLoad: 76b00000 76b8f000 C:\Windows\syswow64\OLEAUT32.dll 
ModLoad: 72d80000 72d97000 C:\Windows\SysWOW64\USERENV.dll 
ModLoad: 72d70000 72d7b000 C:\Windows\SysWOW64\profapi.dll 
ModLoad: 75120000 75171000 C:\Windows\SysWOW64\WINSPOOL.DRV 
ModLoad: 6a320000 6a332000 C:\Windows\SysWOW64\MPR.dll 
ModLoad: 74970000 7497e000 C:\Windows\AppPatch\AcWow64.DLL 
ModLoad: 75180000 75189000 C:\Windows\SysWOW64\VERSION.dll 
ModLoad: 752f0000 75350000 C:\Windows\SysWOW64\IMM32.DLL 
ModLoad: 765a0000 7666c000 C:\Windows\syswow64\MSCTF.dll 
ModLoad: 6c440000 6cdf4000 mmbbq.dll 
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll
ModLoad: 00000000`6c440000 00000000`6cdf4000 E:\cygwin\home\will\praty\reversing\mmbbq\dist\mmbbq.dll
(1870.30c): Break instruction exception - code 80000003 (first chance) 
ntdll!DbgBreakPoint: 
00000000`779f0530 cc    int  3 

UPDATE: After using rundll32 from the System32 directory, it looks better. But I'm still confused that my DLL is loaded into segment "0x00000000". Is that normal 64-bit behavior?

CommandLine: C:\Windows\System32\rundll32.exe "mmbbq.dll",rundll_inject 0,0,0,0 
Starting directory: E:\cygwin\home\will\praty\reversing\mmbbq\dist 
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols 
Executable search path is: 
ModLoad: 00000000`ff350000 00000000`ff35f000 rundll32.exe 
ModLoad: 00000000`779a0000 00000000`77b49000 ntdll.dll 
ModLoad: 00000000`77720000 00000000`7783f000 C:\Windows\system32\kernel32.dll 
ModLoad: 000007fe`fe0c0000 000007fe`fe12c000 C:\Windows\system32\KERNELBASE.dll 
ModLoad: 00000000`77620000 00000000`7771a000 C:\Windows\system32\USER32.dll 
ModLoad: 000007fe`feb10000 000007fe`feb77000 C:\Windows\system32\GDI32.dll 
ModLoad: 000007fe`fe560000 000007fe`fe56e000 C:\Windows\system32\LPK.dll 
ModLoad: 000007fe`ffbe0000 000007fe`ffca9000 C:\Windows\system32\USP10.dll 
ModLoad: 000007fe`fe1d0000 000007fe`fe26f000 C:\Windows\system32\msvcrt.dll 
ModLoad: 000007fe`fe730000 000007fe`fe749000 C:\Windows\system32\imagehlp.dll 
ModLoad: 000007fe`ffb00000 000007fe`ffbdb000 C:\Windows\system32\ADVAPI32.dll 
ModLoad: 000007fe`fe690000 000007fe`fe6af000 C:\Windows\SYSTEM32\sechost.dll 
ModLoad: 000007fe`fe7a0000 000007fe`fe8cd000 C:\Windows\system32\RPCRT4.dll 
(1b24.1b70): Break instruction exception - code 80000003 (first chance) 
ntdll!LdrpDoDebuggerBreak+0x30: 
00000000`77a4cb60 cc    int  3 
0:000> g 
ModLoad: 000007fe`fe270000 000007fe`fe29e000 C:\Windows\system32\IMM32.DLL 
ModLoad: 000007fe`ff9f0000 000007fe`ffaf9000 C:\Windows\system32\MSCTF.dll 
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll 
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll 
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll 
ModLoad: 00000000`6c440000 00000000`6cdf4000 E:\cygwin\home\will\praty\reversing\mmbbq\dist\mmbbq.dll 
ModLoad: 00000000`77b70000 00000000`77b77000 C:\Windows\system32\PSAPI.DLL 
ModLoad: 000007fe`fe6b0000 000007fe`fe721000 C:\Windows\system32\SHLWAPI.dll 
ModLoad: 000007fe`fe750000 000007fe`fe79d000 C:\Windows\system32\WS2_32.dll 
ModLoad: 000007fe`fe550000 000007fe`fe558000 C:\Windows\system32\NSI.dll 
ModLoad: 000007fe`feb80000 000007fe`ff908000 C:\Windows\system32\shell32.dll 

Answers

2

You are running c:\Windows\syswow64\rundll32.exe, which is the 32-bit version of rundll32.exe. You want to run c:\windows\system32\rundll32.exe.

You are starting a 32-bit process, as can be seen from all the syswow64 modules and the 0:000:x86> prompt.

+0

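Just thinking... Windows is so weird (putting the 32-bit compat version in a directory with 64 in its name, and the 64-bit version in a directory with 32 in its name). Linux multilib 64 mode is easier to understand. – willsteel 2012-08-15 13:06:01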
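The check discussed in this thread, as an added example that is not part of the original posts: it reads the bitness of a DLL from its PE header, reads the bitness of the host process from a WinDbg log (wow64.dll loaded or an `:x86>` prompt), and reports which rundll32.exe matches the DLL. The function names and `sample_pe` are hypothetical, the header bytes are constructed, the log excerpts are taken from the question, and a 64-bit Windows system is assumed.

```python
import re
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}   # IMAGE_FILE_MACHINE_I386 / _AMD64
MAGIC = {"x86": 0x010B, "x64": 0x020B}      # optional header: PE32 / PE32+
RUNDLL32 = {"x64": r"C:\Windows\System32\rundll32.exe",   # native 64-bit host
            "x86": r"C:\Windows\SysWOW64\rundll32.exe"}   # 32-bit (WOW64) host

def pe_arch(data: bytes) -> str:
    """Return 'x86' or 'x64' from the COFF Machine field of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if len(data) < e_lfanew + 26 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    arch = MACHINES.get(machine)
    if arch is None or MAGIC[arch] != magic:
        raise ValueError("unsupported or inconsistent PE header")
    return arch

def session_arch(windbg_log: str) -> str:
    """'x86' if the WinDbg log shows a WOW64 process, otherwise 'x64' (assumed)."""
    wow64 = (re.search(r"ModLoad:.*\\wow64\.dll", windbg_log, re.I)
             or re.search(r"^\d+:\d+:x86>", windbg_log, re.M))
    return "x86" if wow64 else "x64"

def diagnose(dll: bytes, windbg_log: str) -> str:
    dll_arch, host_arch = pe_arch(dll), session_arch(windbg_log)
    if dll_arch == host_arch:
        return f"ok: {dll_arch} DLL in {host_arch} host"
    return f"mismatch: {dll_arch} DLL in {host_arch} host, use {RUNDLL32[dll_arch]}"

def sample_pe(machine: int, magic: int) -> bytes:
    """Constructed header-only image: just the fields pe_arch() reads."""
    hdr = bytearray(b"MZ") + bytearray(0xFE)
    struct.pack_into("<I", hdr, 0x3C, 0x80)                  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H18xH", hdr, 0x84, machine, magic)    # Machine ... Magic
    return bytes(hdr)

# Excerpts of the two WinDbg sessions quoted in the question.
WOW64_LOG = "ModLoad: 00000000`75200000 00000000`7523f000 C:\\Windows\\SYSTEM32\\wow64.dll\n0:000:x86> g\n"
NATIVE_LOG = "ModLoad: 00000000`77720000 00000000`7783f000 C:\\Windows\\system32\\kernel32.dll\n0:000> g\n"

if __name__ == "__main__":
    for log in (WOW64_LOG, NATIVE_LOG):   # 0x8664/0x020B stands in for a 64-bit mmbbq.dll
        print(diagnose(sample_pe(0x8664, 0x020B), log))
```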