Heaventools Support Forums
Topic: How to add code to a DLL?  (Read 3448 times)

RHenningsgard (New Member, Posts: 3, Location: Minneapolis, Minnesota USA)
« on: December 01, 2006, 10:52:24 am »

I just spent a day debugging my way through a 2.7 MB DLL to find and repair a bug. The disassembly listing from PEExplorer made it infinitely easier than it might otherwise have been.

Anyhow, my repair works, but it's a lame hack. To truly repair the bug, I need to add some code to the DLL. So my question is this: how difficult is it to increase the executable code size of a DLL (no source, obviously)? I assume I'll have to update offset pointers in the header for stuff that appears after the executable code section of the physical DLL file, but I don't know what else is involved.

I'm fully capable of hand-coding the routines I need (raw opcodes, hand-computed offsets, etc.), but I'm not a DLL file structure guru. That's why I'm asking the question here. Any and all advice is appreciated!

Rob---
TechMan (Heaventools Support, Posts: 220, Location: On Air)
« Reply #1 on: December 03, 2006, 02:10:42 am »

There are two ways to resolve this problem.
The first one is what you refer to. You have to add an extra section with some code to the DLL, etc. However, this is a "bad" method. It's laborious and involves the modification of the original file.

The second, most popular way is through forwarding. Rename the original DLL, write a wrapper DLL that imports the original DLL, exports functions with the same prototypes and redirects the calls. If you forward each call to the original DLL and pass the results back duly, your new wrapper DLL will be completely transparent, but you have a hand in each function. You can intercept one of the exports and make it do something entirely different, you can modify the input and pass that to the original DLL, or you can modify the output of this DLL before passing it back.

Disclaimer: This may violate the copyright of the modified DLL. It is your responsibility to respect all legal aspects.

TechMan Robot
Heaventools Software
RHenningsgard (New Member, Posts: 3, Location: Minneapolis, Minnesota USA)
« Reply #2 on: December 04, 2006, 06:57:55 pm »

Yes, forwarding would be an option, but it would be hellishly difficult in this case: the function whose behavior I must tweak is enormous, with multiple threads, messages flying all over the place, and calls into half a dozen other DLLs.

The modification I must make is simply to modify a character string in memory, to properly escape quotation marks for output as comma-delimited CSV. Then I've got to do the reverse on input. So these really are two atomic functions nested deep inside this monster DLL.

So you say I'd have to add a section.  OK, any advice on where to start?

Thanks,

Rob---
TechMan (Heaventools Support, Posts: 220, Location: On Air)
« Reply #3 on: December 05, 2006, 09:15:19 pm »

There's no all-in-one tool which could quickly and easily help resolve this issue. Each task is quite unique, and you have to do almost all of it manually.

For a start, read the documentation on the PE file structure, and how a PE file loads into memory. For a detailed description of the PE file format, refer to the official specification from Microsoft:
http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
and Matt Pietrek's An In-Depth Look into the Win32 Portable Executable File Format:
http://msdn.microsoft.com/msdnmag/issues/02/02/PE/

Then, follow these steps:

1) Write your code. You will have to use assembler.

2) Add a section header to the Section Table using a hex editor. The section's Size of Raw Data must be equal to the code size aligned on the File Alignment value. Virtual Size must be equal to the code size.

3) Physically add this section to your file. The section's size must be equal to the code size aligned on the File Alignment value.

4) Insert the code into the added section.

5) Adjust the Number of Sections value in the PE Header (increase by 1).

6) If there are references in the added code which may need fixups when your DLL is not loaded at the preferred load address (ImageBase), you have to modify the relocation table.

7) Correct the Checksum in the PE Header if not zero.

This is a common algorithm. There may be nuances for every case, and no manual can be written. Chances are you won't achieve the result you desire.
Once again, this is stuff that you have to do by hand. PE Explorer can only be used for verification and correction.

It can be more complicated than it might appear. A lot of the time it just seems simpler to write a wrapper.

TechMan Robot
Heaventools Software
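The seven steps above, carried out in code as an added example (this is the editor's illustration, not code from the thread or from Heaventools). It works on a constructed, minimal PE32 DLL built in memory rather than a real binary, so the image layout, the section name `.patch` and the five-byte patch routine are all assumptions; the structure offsets are those of the PE/COFF specification the post links to. Two things the list does not spell out are handled here because the loader insists on them: the new section header needs a free 40-byte slot below SizeOfHeaders (the script refuses rather than overwrite the first section's data), and SizeOfImage must grow to cover the new section.

```python
"""Append a code section to a PE32 image: steps 1-7 of the post above, on a constructed sample."""
import struct

FILE_ALIGN = 0x200                 # typical FileAlignment
SECT_ALIGN = 0x1000                # typical SectionAlignment
SCN_CODE_EXEC_READ = 0x60000020    # IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
# Step 1, constructed: mov eax,[esp+4]; ret. No absolute addresses, so step 6 (relocations) is not needed.
PATCH_CODE = b"\x8B\x44\x24\x04\xC3"


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def read_u32(pe, offset):
    return struct.unpack_from("<I", pe, offset)[0]


def build_sample_pe(checksum=0):
    """Constructed PE32 DLL: 0x200 bytes of headers and one 0x200-byte .text section (not a real DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)    # i386, 1 section, PE32 opt hdr, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x10000000)                        # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<III", opt, 56, 0x2000, 0x200, checksum)         # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, SCN_CODE_EXEC_READ)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr).ljust(0x200, b"\0")
    text = b"\xC3".ljust(0x200, b"\xCC")                               # ret, then int3 padding
    return headers + text


def parse_headers(pe):
    """Return (COFF header offset, optional header offset, section table offset, NumberOfSections)."""
    e_lfanew = read_u32(pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    return coff, opt, opt + opt_size, nsect


def sections(pe):
    """Section headers as tuples (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...)."""
    _, _, table, nsect = parse_headers(pe)
    return [struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i) for i in range(nsect)]


def pe_checksum(data, checksum_offset):
    """PE image checksum: the fold-and-add of every dword except the CheckSum field, plus the file length."""
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def add_section(pe, name, code, characteristics=SCN_CODE_EXEC_READ):
    """Return (patched image, RVA of the new section). Steps 2-5 and 7 of the post; step 6 is the caller's job."""
    pe = bytearray(pe)
    coff, opt, table, nsect = parse_headers(pe)
    sect_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    new_hdr_off = table + 40 * nsect
    if new_hdr_off + 40 > read_u32(pe, opt + 60):                     # must fit under SizeOfHeaders
        raise ValueError("no room in the header area for another section header")
    # Place the section after the highest existing section in memory and at the end of the file on disk.
    virt_addr = align_up(max(s[2] + max(s[1], s[3]) for s in sections(pe)), sect_align)
    raw_ptr = align_up(len(pe), file_align)
    raw_size = align_up(len(code), file_align)                        # step 2/3: raw size aligned to FileAlignment
    virt_size = len(code)                                             # step 2: VirtualSize = code size
    struct.pack_into("<8sIIIIIIHHI", pe, new_hdr_off, name[:8].ljust(8, b"\0"),
                     virt_size, virt_addr, raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", pe, coff + 2, nsect + 1)                   # step 5: NumberOfSections
    struct.pack_into("<I", pe, opt + 4, read_u32(pe, opt + 4) + raw_size)            # SizeOfCode
    struct.pack_into("<I", pe, opt + 56, align_up(virt_addr + virt_size, sect_align))  # SizeOfImage
    pe += b"\0" * (raw_ptr - len(pe))                                 # step 3: grow the file to the new section
    pe += code.ljust(raw_size, b"\0")                                 # step 4: the code itself
    if read_u32(pe, opt + 64) != 0:                                   # step 7: recompute only if it was set
        struct.pack_into("<I", pe, opt + 64, pe_checksum(bytes(pe), opt + 64))
    return bytes(pe), virt_addr


if __name__ == "__main__":
    patched, rva = add_section(build_sample_pe(), b".patch", PATCH_CODE)
    print("new section at RVA %#x; sections now: %s" % (rva, [s[0].rstrip(b"\0") for s in sections(patched)]))
```

What the example leaves to you is exactly what the post warns about: the original code must be redirected into the new section (a jump or call patched over the instructions you are replacing), and if the routine you write uses absolute addresses, step 6 means appending matching entries to the .reloc section or the DLL will break whenever it is not loaded at ImageBase.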
RHenningsgard (New Member, Posts: 3, Location: Minneapolis, Minnesota USA)
« Reply #4 on: December 06, 2006, 08:58:40 am »

Doesn't it just figure that Matt Pietrek would be the guy to write the definitive article on something as down and dirty as PE internals! Thanks for putting me on the trail of the information I need to get this accomplished.

"It can be more complicated than it might appear." I hope not, because it appears to be an incredible, thorny basket of snakes, with many ways to screw it up. On the other hand, if I master it, I'll have a pretty powerful new weapon for making stuff work.

"A lot of the time it just seems simpler to write a Wrapper." Absolutely. If I had any choice at all, I would. I'll post to this thread with my progress (if any) and perhaps a question or two. Thanks again very much for taking the time to give me the outline of how to attack it.

Cheers,

Rob---