|
One problem with interpreting an executable is determining how to handle external library calls, such as Windows DLLs. Two possible approaches include:
DOC handles DLLs using the second method. To create a stub DLL for DOC, two files must be created: a .exports and a .asm. The name of the file must match the name of the DLL being stubbed. For example, if you are stubbing the DLL kernel32.dll, the two files must be named kernel32.asm and kernel32.exports. When DOC encounters a call to a function inside the DLL kernel32.dll, it will look for these two files to find the stub for the function. The stubbing process somewhat mimics how real DLLs work. The .exports file contains the listing of exported files. It acts like the exports section of a DLL. It provides a mapping from function name to function address. DOC uses this to find where the stub for a particular function is located within the .asm file. Once the address is known, DOC finds the stub within the .asm file and interprets it. The stub is written in ordinary assembly, with one exception: the addition of the UNDEF instruction. The UNDEF instruction is used in cases where the DLL function returns or writes to memory a value that cannot be determined during abstract interpretation. For example, imagine a function that reads an integer from a socket and returns what it reads. It's not possible to know what it will read during abstract interpretation, so you want it to return an undefined value. In this case, the stub would contain the instruction "UNDEF eax," (eax holds the return address). Take a look at the stub files in DOC_WORKSPACE/Imports for example stubs. These files are by no means complete. I've created these by hand, but there are way too many DLLs out there to do it all by hand. An automated method needs to be developed. |