Red Team Notes

In this section we look at how to compile a PE executable and a DLL with the Visual Studio command-line tools, and at the checks we can run on the result: which functions the binary imports and which ones it exports.

PE Compiling

Here we have a simple program:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {

    printf("Hi RT Notes!\n");

    // Keep the console window open until Enter is pressed.
    getchar();

    return 0;
}

cl.exe is the MSVC compiler driver, available from a Visual Studio Developer Command Prompt. It compiles the C++ sources and hands the objects to the linker in one invocation:

cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tp *.cpp /link /OUT:rtnotes.exe /SUBSYSTEM:CONSOLE /MACHINE:x64

The options worth knowing: /Ox enables most optimizations, /MT links the C runtime statically so the binary does not depend on the Visual C++ redistributable on the target, /W0 silences warnings, /GS- disables the stack buffer security check (no /GS cookies: smaller code, one mitigation fewer), /DNDEBUG compiles out assert(), and /Tp treats the input files as C++. Everything after /link goes to the linker: output name, console subsystem and x64 target. /MACHINE:x64 only tells the linker which architecture to expect, it does not make an x86 cl.exe produce x64 objects, so use the x64 Native Tools Command Prompt for an x64 build.

DLL Compiling

To create a DLL we give the module a DllMain entry point and export a function with __declspec(dllexport). The extern "C" block keeps the exported name undecorated, which matters when the export is later looked up by name:

#include <Windows.h>
#pragma comment (lib, "user32.lib")

// Forward declaration: DllMain calls Go() before its definition below.
extern "C" __declspec(dllexport) BOOL WINAPI Go(void);

BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpReserved) {

    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        // Runs under the loader lock during LoadLibrary. Calling into user32
        // here works for this demo but is discouraged in real code.
        Go();
        break;
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}

// extern "C" exports the plain name "Go" instead of a C++ decorated name,
// so dumpbin /exports and rundll32 rtnotes.dll,Go both find it.
extern "C" {
__declspec(dllexport) BOOL WINAPI Go(void) {

    // MessageBox resolves to MessageBoxA because UNICODE is not defined in this build.
    MessageBox(
        NULL,
        "Hi RT Notes!",
        "HI",
        MB_OK
    );

    return TRUE;
}
}

It can be compiled with:

cl.exe /D_USRDLL /D_WINDLL rtnotes.cpp /MT /link /DLL /OUT:rtnotes.dll

/link /DLL is what makes the linker produce a DLL instead of an executable. /D_USRDLL and /D_WINDLL are the preprocessor defines Visual Studio sets for DLL projects; this code does not need them. /MT again links the CRT statically, which is why the import table below is dominated by KERNEL32.dll functions.

Note: to run the exported function we can use rundll32.exe rtnotes.dll,Go (the 64-bit rundll32 for a 64-bit DLL). Two caveats: rundll32 expects the entry point to have the prototype void CALLBACK Entry(HWND, HINSTANCE, LPSTR, int), so Go(void) only gets away with it on x64, where the caller owns the argument space; on x86 the stdcall cleanup does not match and the stack can be left corrupted. And because DllMain already calls Go() on DLL_PROCESS_ATTACH, running it this way shows the message box twice: once when rundll32 loads the DLL and once when it calls Go.

Checking imports

dumpbin /imports lists, for every DLL the module depends on, the address of its Import Address Table and Import Name Table (printed as virtual addresses from the default x64 image base 0x180000000) and each imported function with its hint, in hex. MessageBoxA from USER32.dll is the one call our Go() makes; the long KERNEL32.dll list (FlsSetValue, LCMapStringW, HeapSize, ...) is the statically linked CRT pulled in by /MT.

c:\Tools\rtnotes>dumpbin /imports rtnotes.dll
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file rtnotes.dll

File Type: DLL

  Section contains the following imports:

    USER32.dll
             1800071E8 Import Address Table
             180008B50 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                         212 MessageBoxA

    KERNEL32.dll
             180007000 Import Address Table
             180008968 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                         1CB GetCurrentThreadId
                         15B FlsSetValue
...
                         270 GetStringTypeW
                         32D LCMapStringA
                         32F LCMapStringW
                         2DC HeapSize

  Summary

        3000 .data
        1000 .pdata
        3000 .rdata
        1000 .reloc
        6000 .text

Checking exports

dumpbin /exports walks the export directory: for each entry it prints the ordinal (counted from the ordinal base, here 1), the hint (the function's index in the export name table), the RVA of the code and the name. Go appears undecorated because of the extern "C" block; without it the compiler would export a C++ mangled name and rundll32 rtnotes.dll,Go would not find the entry.

c:\Tools\rtnotes>dumpbin /exports rtnotes.dll
Microsoft (R) COFF/PE Dumper Version 9.00.30729.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file rtnotes.dll

File Type: DLL

  Section contains the following exports for rtnotes.dll

    00000000 characteristics
    675D6089 time date stamp Sat Dec 14 11:40:09 2024
        0.00 version
           1 ordinal base
           1 number of functions
           1 number of names

    ordinal hint RVA      name

          1    0 00001030 Go

  Summary

        3000 .data
        1000 .pdata
        3000 .rdata
        1000 .reloc
        6000 .text
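
Both dumpbin listings above are walks over two PE data directories, the export directory and the import directory. As an added example (not code from the original page), the following Python script reads a PE file from disk, maps RVAs to file offsets through the section table, and returns the same columns dumpbin /exports and dumpbin /imports print, including the two cases the listings do not show: export forwarders and imports by ordinal. Run with a path it dumps any PE32/PE32+ file; run without arguments it parses a constructed in-memory PE32+ image (build_sample_dll, not a real compiled file) that exports Go at RVA 0x1030 and imports USER32!MessageBoxA with hint 0x212, mirroring the output above. The class, function and attribute names are this example's own.

```python
import struct, sys

def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]
def _cstr(b, off): return b[off:b.index(b"\0", off)].decode("ascii")

class PEImage:
    """Minimal reader for a PE32/PE32+ file image in on-disk layout (this example's own class)."""
    def __init__(self, data):
        self.data = d = bytes(data)
        pe = _u32(d, 0x3C)                                    # e_lfanew -> IMAGE_NT_HEADERS
        if d[:2] != b"MZ" or d[pe:pe + 4] != b"PE\0\0":
            raise ValueError("not a PE file")
        _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", d, pe + 4)
        self.is_dll = bool(chars & 0x2000)                    # IMAGE_FILE_DLL
        opt = pe + 24
        self.pe32plus = _u16(d, opt) == 0x20B                 # 0x10B = PE32, 0x20B = PE32+
        ndirs = _u32(d, opt + (108 if self.pe32plus else 92))  # NumberOfRvaAndSizes
        dirs = opt + (112 if self.pe32plus else 96)           # DataDirectory[0]=export, [1]=import
        self.export_dir = struct.unpack_from("<II", d, dirs) if ndirs > 0 else (0, 0)
        self.import_dir = struct.unpack_from("<II", d, dirs + 8) if ndirs > 1 else (0, 0)
        sec = opt + opt_size                                  # section table follows the optional header
        self.sections = [struct.unpack_from("<8sIIII", d, sec + 40 * i) for i in range(nsec)]

    def rva_to_offset(self, rva):
        """Map an RVA to a file offset via the section table (the loader's job in memory)."""
        for _, vsize, va, rawsize, rawptr in self.sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x is not backed by any section" % rva)

    def exports(self):
        """Rows of (ordinal, hint, rva_or_forwarder, name): the columns dumpbin /exports prints."""
        exp_rva, exp_size = self.export_dir
        if exp_rva == 0: return []
        d, off = self.data, self.rva_to_offset(exp_rva)
        # IMAGE_EXPORT_DIRECTORY from +16: Base, NumberOfFunctions, NumberOfNames, AddressOf{Functions,Names,NameOrdinals}
        base, _, nnames, funcs, names, ords = struct.unpack_from("<IIIIII", d, off + 16)
        rows = []
        for hint in range(nnames):                            # hint = index into the name table
            name_rva = _u32(d, self.rva_to_offset(names) + 4 * hint)
            index = _u16(d, self.rva_to_offset(ords) + 2 * hint)  # index into AddressOfFunctions
            target = _u32(d, self.rva_to_offset(funcs) + 4 * index)
            if exp_rva <= target < exp_rva + exp_size:        # RVA inside the export dir = forwarder string
                target = _cstr(d, self.rva_to_offset(target))
            rows.append((base + index, hint, target, _cstr(d, self.rva_to_offset(name_rva))))
        return rows

    def imports(self):
        """{dll: [(hint, name), ...]} from the import directory: what dumpbin /imports prints."""
        imp_rva, _ = self.import_dir
        if imp_rva == 0: return {}
        d, off, result = self.data, self.rva_to_offset(imp_rva), {}
        fmt, ord_flag = ("<Q", 1 << 63) if self.pe32plus else ("<I", 1 << 31)
        while True:
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", d, off)  # IMAGE_IMPORT_DESCRIPTOR
            if name_rva == 0 and ft == 0:                     # an all-zero descriptor ends the list
                break
            entries, toff = [], self.rva_to_offset(oft or ft) # prefer the INT: it survives binding
            while True:
                thunk = struct.unpack_from(fmt, d, toff)[0]
                if thunk == 0: break
                if thunk & ord_flag:                          # import by ordinal: low 16 bits
                    entries.append((None, "Ordinal %d" % (thunk & 0xFFFF)))
                else:                                         # IMAGE_IMPORT_BY_NAME: WORD Hint; CHAR Name[]
                    hoff = self.rva_to_offset(thunk & 0x7FFFFFFF)
                    entries.append((_u16(d, hoff), _cstr(d, hoff + 2)))
                toff += struct.calcsize(fmt)
            result[_cstr(d, self.rva_to_offset(name_rva))] = entries
            off += 20
        return result

def build_sample_dll():
    """Constructed PE32+ DLL image, not a compiled file: Go at RVA 0x1030, import of USER32!MessageBoxA."""
    exp, imp = 0x2000, 0x2080                                 # export data at .rdata+0, import data at .rdata+0x80
    rd = bytearray(0x200)
    rd[0x00:0x28] = struct.pack("<IIHHIIIIIII", 0, 0x675D6089, 0, 0, exp + 0x34, 1, 1, 1, exp + 0x28, exp + 0x2C, exp + 0x30)
    rd[0x28:0x32] = struct.pack("<IIH", 0x1030, exp + 0x40, 0)  # AddressOfFunctions[0], AddressOfNames[0], NameOrdinals[0]
    rd[0x34:0x43] = b"rtnotes.dll\0Go\0"
    rd[0x80:0x94] = struct.pack("<IIIII", imp + 0x30, 0, 0, imp + 0x50, imp + 0x40)  # one descriptor, then a null one
    rd[0xB0:0xC0] = rd[0xC0:0xD0] = struct.pack("<QQ", imp + 0x60, 0)  # INT and IAT are identical on disk
    rd[0xD0:0xDB] = b"USER32.dll\0"
    rd[0xE0:0xEE] = struct.pack("<H", 0x212) + b"MessageBoxA\0"  # hint 0x212, as in the dumpbin listing
    tx = bytearray(0x200); tx[0x30] = 0xC3                    # Go is a lone RET in .text
    hdr = bytearray(0x200); hdr[0:2], hdr[0x3C:0x40], hdr[0x40:0x44] = b"MZ", struct.pack("<I", 0x40), b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 2, 0x675D6089, 0, 0, 240, 0x2022)  # x64, 2 sections, DLL
    struct.pack_into("<H", hdr, 0x58, 0x20B)                  # PE32+ optional header magic
    struct.pack_into("<IIIII", hdr, 0x58 + 108, 16, exp, 0x44, imp, 0x28)  # NumberOfRvaAndSizes, export dir, import dir
    struct.pack_into("<8sIIIIIIHHI", hdr, 0x148, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", hdr, 0x170, b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr + tx + rd)

if __name__ == "__main__":
    # With a path argument dump a real PE file; without one, dump the constructed sample image.
    pe = PEImage(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll())
    for dll, funcs in pe.imports().items():
        print("  %s" % dll, *("    %4s %s" % ("" if h is None else "%X" % h, n) for h, n in funcs), sep="\n")
    for ordinal, hint, rva, name in pe.exports():
        print("  %7d %4X %s %s" % (ordinal, hint, rva if isinstance(rva, str) else "%08X" % rva, name))
```

The parser reads the Import Name Table rather than the Import Address Table when both are present: on disk they hold the same values, but a bound import leaves only the INT intact, and in a dumped process image the IAT holds resolved pointers. A function RVA that points back into the export directory is not code but a forwarder string ("NTDLL.RtlAllocateHeap" style), which is how the kernel32 forwarding you see in real DLLs is encoded.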