Primary version
Twitter Github NEW! Black Hat Ruby Buy Me a Coffee

Calling Windows APIs

Due playing with MS-Windows Exploitation development, I was using some C applications that calling Windows APIs and I wanted to give it a try and take it step by step.

The simplest example came to my mind is calling the MessageBoxA function. If we take a look at the MSDN of MessageBoxA function, we'll find at very beginning the function description and its arguments and returns. At the Requirements section, we'll find the required DLL to call MessageBoxA function which is User32.dll library.

int WINAPI MessageBox(
  _In_opt_ HWND    hWnd,
  _In_opt_ LPCTSTR lpText,
  _In_opt_ LPCTSTR lpCaption,
  _In_     UINT    uType
);

Let's do it,

require "Win32API"

title = "Rubyfu!"
message = "You've called the Windows API Successfully! \n\n@Runyfu"

api = Win32API.new('user32', 'MessageBoxA',['L', 'P', 'P', 'L'],'I')
api.call(0,message,title,0)

Source and explaination

That's was really easy! but, Win32API is going to be deprecated or it's already deprecated at the moment you read this part. Ruby have moved all dealing with C, dll functions to Fiddle class which is a wrapper of libffi C library which provides a portable interface to allow languages to call code from another language.

If we build our MessageBoxA script again using Fiddle it will be like

# Load importer part of fiddle (ffi) library
require 'fiddle/import'

# int WINAPI MessageBox(
#   _In_opt_ HWND    hWnd,
#   _In_opt_ LPCTSTR lpText,
#   _In_opt_ LPCTSTR lpCaption,
#   _In_     UINT    uType
# );
# Create module as body for an importer instance
module User32
    # Extend this module to an importer
    extend Fiddle::Importer
    # Load 'user32' dynamic library into this importer
    dlload 'user32'
    # Set C aliases to this importer for further understanding of function signatures
    typealias 'HWND', 'HANDLE'
    typealias 'LPCSTR', 'const char*'
    typealias 'LPCWSTR', 'const wchar_t*'
    typealias 'UINT', 'unsigned int'
    typealias 'HANDLE', 'void*'
    # Import C functions from loaded libraries and set them as module functions
    extern 'int MessageBoxA(HWND, LPCSTR, LPCSTR, UINT)'
end

title = "Rubyfu!"
message = "You've called the Windows API Successfully! \n\n@Runyfu"
User32::MessageBoxA(nil, message, title, 0)

Source

As you can the script is getting much bigger but, important thing to mention is, Using Win32API is going to be a real pain for bigger or more complicated tasks, in another hand Fiddle is more elegant and readable than Win32API

At that point, I was wondering if I can write something like an old frind application call arwin which finds a Function location in a Windows library. With the help of MSDN [LoadLibrary](https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175(v=vs.85.aspx) and [GetProcAddress](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85.aspx) documentations let's do it.

arwin.rb

require 'fiddle/import'
#
# KING SABRI | @KINGSABRI
#
if ARGV.size == 2
  lpfilename  = ARGV[0] # Library Name
  lpprocname  = ARGV[1] # Function Name
else
  puts "ruby arwin.rb <Library Name> <Function Name>"
  puts "example:\n arwin.rb user32.dll MessageBoxA"
  exit 0
end


module Kernel32

  # Extend this module to an importer
  extend Fiddle::Importer
  # Load 'user32' dynamic library into this importer
  dlload 'kernel32'

  # HMODULE WINAPI LoadLibrary(
  #   _In_ LPCTSTR lpFileName
  # );
  typealias 'lpfilename', 'char*'
  extern 'unsigned char* LoadLibrary(lpfilename)'

  # FARPROC WINAPI GetProcAddress(
  #   _In_ HMODULE hModule,
  #   _In_ LPCSTR  lpProcName
  # );
  typealias 'lpfilename', 'char*'
  typealias 'lpprocname', 'char*'
  extern 'unsigned char* GetProcAddress(lpfilename, lpprocname)'

end
address = Kernel32::GetProcAddress(Kernel32::LoadLibrary(lpfilename), lpprocname).inspect.scan(/0x[\h]+/i)[1]
unless address.hex.zero?
  puts "\n[+] #{lpprocname} is location at #{address} in #{lpfilename}\n"
else
  puts "[!] Could find #{lpprocname} in #{lpfilename}!"
  puts "[-] Function's name is case sensitive"
end

Results

[+] MessageBoxA is location at 0x77d8050b in user32.dll
PreviousFuzzerNextMetasploit

Last updated