I'm currently trying to update my project to 64-bit support. The project used to build a 32-bit DLL using the i686-w64-mingw32 toolchain that could be used with rundll to start it.
Now I'm trying to use the x86_64-w64-mingw32 toolchain to build a 64-bit version of it. I also use -m64 when compiling. The DLL can be built and linked and even executed, but I'm having strange results when checking the result in windbg (see output below). It looks like it loads my mmbbq.dll into a 32-bit address space. It also loads 32-bit versions of some dependencies. We can see that in the output by looking at the base addresses when the modules get loaded. It starts by loading some 64-bit DLLs (maybe rundll dependencies), then it starts to load 32-bit stuff and finally my 64-bit DLL in a kind of 32-bit mode. The funny thing is that my DLL is a 64-bit version when I check its PE header.
Any explanations for this behaviour or what else I might have messed up, or am I just misunderstanding the output? I thought the base addresses should look different than that in 64-bit mode.
CommandLine: C:\Windows\SysWOW64\rundll32.exe mmbbq.dll rundll_inject
Starting directory: E:\cygwin\home\will\praty\reversing\mmbbq\dist
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00000000`00530000 00000000`0053e000 rundll32.exe
ModLoad: 00000000`779a0000 00000000`77b49000 ntdll.dll
ModLoad: 00000000`77b80000 00000000`77d00000 ntdll32.dll
ModLoad: 00000000`75200000 00000000`7523f000 C:\Windows\SYSTEM32\wow64.dll
ModLoad: 00000000`751a0000 00000000`751fc000 C:\Windows\SYSTEM32\wow64win.dll
ModLoad: 00000000`75190000 00000000`75198000 C:\Windows\SYSTEM32\wow64cpu.dll
(1870.1660): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`77a4cb60 cc int 3
0:000> g
ModLoad: 00000000`77720000 00000000`7783f000 WOW64_IMAGE_SECTION
ModLoad: 00000000`76ce0000 00000000`76df0000 WOW64_IMAGE_SECTION
ModLoad: 00000000`77720000 00000000`7783f000 NOT_AN_IMAGE
ModLoad: 00000000`77620000 00000000`7771a000 NOT_AN_IMAGE
ModLoad: 00000000`76ce0000 00000000`76df0000 C:\Windows\syswow64\kernel32.dll
ModLoad: 00000000`76c30000 00000000`76c76000 C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 00000000`75520000 00000000`75620000 C:\Windows\syswow64\USER32.dll
ModLoad: 00000000`75620000 00000000`756b0000 C:\Windows\syswow64\GDI32.dll
ModLoad: 00000000`76330000 00000000`7633a000 C:\Windows\syswow64\LPK.dll
ModLoad: 00000000`77220000 00000000`772bd000 C:\Windows\syswow64\USP10.dll
ModLoad: 00000000`77170000 00000000`7721c000 C:\Windows\syswow64\msvcrt.dll
ModLoad: 00000000`76b90000 00000000`76c30000 C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 00000000`76ae0000 00000000`76af9000 C:\Windows\SysWOW64\sechost.dll
ModLoad: 00000000`764a0000 00000000`76590000 C:\Windows\syswow64\RPCRT4.dll
ModLoad: 00000000`75260000 00000000`752c0000 C:\Windows\syswow64\SspiCli.dll
ModLoad: 00000000`75250000 00000000`7525c000 C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 00000000`756b0000 00000000`756da000 C:\Windows\syswow64\imagehlp.dll
(1870.1660): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ntdll32!LdrpDoDebuggerBreak+0x2c:
77c20fab cc int 3
0:000:x86> g
ModLoad: 72cb0000 72cfc000 C:\Windows\SysWOW64\apphelp.dll
ModLoad: 6a090000 6a11d000 C:\Windows\AppPatch\AcLayers.DLL
ModLoad: 756e0000 7632a000 C:\Windows\syswow64\SHELL32.dll
ModLoad: 76c80000 76cd7000 C:\Windows\syswow64\SHLWAPI.dll
ModLoad: 76340000 7649c000 C:\Windows\syswow64\ole32.dll
ModLoad: 76b00000 76b8f000 C:\Windows\syswow64\OLEAUT32.dll
ModLoad: 72d80000 72d97000 C:\Windows\SysWOW64\USERENV.dll
ModLoad: 72d70000 72d7b000 C:\Windows\SysWOW64\profapi.dll
ModLoad: 75120000 75171000 C:\Windows\SysWOW64\WINSPOOL.DRV
ModLoad: 6a320000 6a332000 C:\Windows\SysWOW64\MPR.dll
ModLoad: 74970000 7497e000 C:\Windows\AppPatch\AcWow64.DLL
ModLoad: 75180000 75189000 C:\Windows\SysWOW64\VERSION.dll
ModLoad: 752f0000 75350000 C:\Windows\SysWOW64\IMM32.DLL
ModLoad: 765a0000 7666c000 C:\Windows\syswow64\MSCTF.dll
ModLoad: 6c440000 6cdf4000 mmbbq.dll
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll
ModLoad: 00000000`6c440000 00000000`6cdf4000 E:\cygwin\home\will\praty\reversing\mmbbq\dist\mmbbq.dll
(1870.30c): Break instruction exception - code 80000003 (first chance)
ntdll!DbgBreakPoint:
00000000`779f0530 cc int 3
UPDATE: After using rundll32 from the System32 dir it looks better. But I'm still confused that my DLL loads into the segment "0x00000000". Is that regular 64-bit behaviour?
CommandLine: C:\Windows\System32\rundll32.exe "mmbbq.dll",rundll_inject 0,0,0,0
Starting directory: E:\cygwin\home\will\praty\reversing\mmbbq\dist
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00000000`ff350000 00000000`ff35f000 rundll32.exe
ModLoad: 00000000`779a0000 00000000`77b49000 ntdll.dll
ModLoad: 00000000`77720000 00000000`7783f000 C:\Windows\system32\kernel32.dll
ModLoad: 000007fe`fe0c0000 000007fe`fe12c000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 00000000`77620000 00000000`7771a000 C:\Windows\system32\USER32.dll
ModLoad: 000007fe`feb10000 000007fe`feb77000 C:\Windows\system32\GDI32.dll
ModLoad: 000007fe`fe560000 000007fe`fe56e000 C:\Windows\system32\LPK.dll
ModLoad: 000007fe`ffbe0000 000007fe`ffca9000 C:\Windows\system32\USP10.dll
ModLoad: 000007fe`fe1d0000 000007fe`fe26f000 C:\Windows\system32\msvcrt.dll
ModLoad: 000007fe`fe730000 000007fe`fe749000 C:\Windows\system32\imagehlp.dll
ModLoad: 000007fe`ffb00000 000007fe`ffbdb000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 000007fe`fe690000 000007fe`fe6af000 C:\Windows\SYSTEM32\sechost.dll
ModLoad: 000007fe`fe7a0000 000007fe`fe8cd000 C:\Windows\system32\RPCRT4.dll
(1b24.1b70): Break instruction exception - code 80000003 (first chance)
ntdll!LdrpDoDebuggerBreak+0x30:
00000000`77a4cb60 cc int 3
0:000> g
ModLoad: 000007fe`fe270000 000007fe`fe29e000 C:\Windows\system32\IMM32.DLL
ModLoad: 000007fe`ff9f0000 000007fe`ffaf9000 C:\Windows\system32\MSCTF.dll
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll
ModLoad: 00000000`6c440000 00000000`6cdf4000 mmbbq.dll
ModLoad: 00000000`6c440000 00000000`6cdf4000 E:\cygwin\home\will\praty\reversing\mmbbq\dist\mmbbq.dll
ModLoad: 00000000`77b70000 00000000`77b77000 C:\Windows\system32\PSAPI.DLL
ModLoad: 000007fe`fe6b0000 000007fe`fe721000 C:\Windows\system32\SHLWAPI.dll
ModLoad: 000007fe`fe750000 000007fe`fe79d000 C:\Windows\system32\WS2_32.dll
ModLoad: 000007fe`fe550000 000007fe`fe558000 C:\Windows\system32\NSI.dll
ModLoad: 000007fe`feb80000 000007fe`ff908000 C:\Windows\system32\shell32.dll
You are running c:\Windows\syswow64\rundll32.exe. This is the 32-bit version of rundll32.exe; you want to run c:\windows\system32\rundll32.exe.
You are launching a 32-bit process, as can be seen from all the syswow64 modules and the 0:000:x86> prompt.
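As an added example (not part of the question or answer), here is a small Python checker that reads the COFF Machine field and optional-header Magic of a host EXE and a DLL and reports whether the host can load the DLL at all; the PE headers used as input are constructed inline, not real files. It also reads the PE32+ ImageBase, which is a 64-bit field even when the preferred base, like the 0x6c440000 seen above, lies below 4 GB and windbg therefore prints it with a zero high dword.

```python
"""Compare the bitness of a host process image and a DLL before launching.

Added example: reads the PE headers directly so that a mismatch such as
SysWOW64\rundll32.exe (32-bit) vs. an x86_64 DLL is caught without a debugger.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B        # 32-bit optional header
PE32PLUS_MAGIC = 0x20B    # 64-bit optional header


def pe_arch(data: bytes) -> dict:
    """Return machine type, PE32/PE32+ flavour and preferred ImageBase."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]  # COFF Machine
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]  # 8-byte field
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]  # 4-byte field
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    bits = 64 if machine == IMAGE_FILE_MACHINE_AMD64 else 32
    return {"machine": machine, "bits": bits,
            "pe32plus": magic == PE32PLUS_MAGIC, "image_base": image_base}


def can_host(host: bytes, dll: bytes) -> bool:
    """A process only loads DLLs of its own bitness; WoW64 never mixes them."""
    return pe_arch(host)["bits"] == pe_arch(dll)["bits"]


def make_pe(machine: int, image_base: int) -> bytes:
    """Constructed minimal header for testing pe_arch; not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    if machine == IMAGE_FILE_MACHINE_AMD64:  # PE32+: ImageBase at offset 24
        opt = struct.pack("<HBBIIIII", PE32PLUS_MAGIC, 0, 0, 0, 0, 0, 0, 0)
        opt += struct.pack("<Q", image_base)
    else:                                    # PE32: BaseOfData, then ImageBase at 28
        opt = struct.pack("<HBBIIIIII", PE32_MAGIC, 0, 0, 0, 0, 0, 0, 0, 0)
        opt += struct.pack("<I", image_base)
    return bytes(dos) + coff + opt
```

On a real system, pass the bytes of rundll32.exe and the DLL read from disk to can_host; a False result reproduces the situation in the first windbg log.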