floating point support and ManualMap

[wanyancan]

Why is manualmap causing this error?

Code:

Runtime Error!

R6002
 - floating point support not loaded

It's been asked for once, and I've tried to backtrack where this error comes from. This error is generated from _output_s_l() in 'crt\src\output.c' while it is calling __decode_pointer() function. However, I really can't understand why would TLS be related with this problem? It's been pointed many times by Cypher, but would you give more detailed explanation about this?

To be more specific,
1. How is floating point support getting loaded at runtime? In MSDN, it only states that 'perform a floating-point assignment' will cause it be loaded. But how can I explicitly load it?

2. If I put sprintf in myHookedEndScene, and it is called by render() in the main thread of host process, it should have floating point support loaded already, but why the error still pops out?

2. Why would TLS support to ManualMap solve this problem? How do these two things relate with each other? In w2k's code, I can't see anything special in LdrpLoadDll(). What's the new TLS stuff introduced in later Vista OS? In Windows Vista support for __declspec(thread) in demand loaded DLLs it seems that the LoadLibrary is rather complicated.

3. How to add TLS support ? I've tried to set _tls_index during the mapping, but it seems not working at all.

I know there's a lot judgement to describe it as shit or incomplete or "WTF if yours is private" or too many assumption and too many brief introduce to the TLS problem. If you just still want to say that only, please skip.
Thank you!

[Cypher]

Short answer: TLS callbacks.

[kynox]

Long answer: TTTTTTTTTTLLLLLLLLLLLLLLLSSSSSSSSSS CAAAAAAAAAAAAAALLLLLLLLLLLLLLBBBBBBBBBBBBBBBAAAAAAAAAAAACCCCCCCCCCKKKKKKKKKKKKKK KSSSSSSSSS

[wanyancan]

But the Tls table contents

Code:

typedef struct _IMAGE_TLS_DIRECTORY32 {
    DWORD   StartAddressOfRawData;
    DWORD   EndAddressOfRawData;
    DWORD   AddressOfIndex;             // PDWORD
    DWORD   AddressOfCallBacks;         // PIMAGE_TLS_CALLBACK *
    DWORD   SizeOfZeroFill;
    DWORD   Characteristics;
} IMAGE_TLS_DIRECTORY32;

has already been fixed by FixRelocs(), what else needs to be done with the CALLBACKs array?
Should I call all these callbacks in DllMain() or in the same way as DllMain being called in the DllCall_stub? Before DllMain or after ?
I really appreciate any further information.

[lanman92]

Maybe start reversing LoadLibrary. It will give you the absolutely correct answers. Just see how they do it, when they call the callback and re-implement it.

[wanyancan]

I've already tried. And finally it goes to ntdll:LdrpFindOrMapDll. Then it seems to send dll notification when it finishes and I get lost in nowhere..

[lanman92]

You'll have to reverse into the kernel to find it. Threads, modules, and processes are all handled in kernel mode, for good reason.

[wanyancan]

I tried to call TLS callback before DLLMain after it's been mapped using the following code.

Code:

CPU Disasm
Address   Hex dump          Command                                  Comments
04300000    55              PUSH EBP
04300001    89E5            MOV EBP,ESP
04300003    6A 00           PUSH 0
04300005    6A 01           PUSH 1
04300007    FF75 08         PUSH DWORD PTR SS:[EBP+8]
0430000A    B8 5C348604     MOV EAX,486345C               <<< modified on-fly, PIMAGE_CALLBACK array
0430000F    8B00            MOV EAX,DWORD PTR DS:[EAX]     <<< the first callback,  my dll only has one callback
04300011    FFD0            CALL EAX
04300013    6A 00           PUSH 0
04300015    6A 01           PUSH 1
04300017    FF75 08         PUSH DWORD PTR SS:[EBP+8]
0430001A    B8 90E47F04     MOV EAX,47FE490              << modified on-fly
0430001F    FFD0            CALL EAX                      <<< call DllMain
04300021    89EC            MOV ESP,EBP
04300023    5D              POP EBP
04300024    C3              RETN

However, nothing changes.. Still no floating point support. Why would this tls callback be related with it? By looking at the callback function itself, there's nothing obviously connected..

[Cypher]

I'm almost certain that TLS callbacks are used to initialize FPU support, though it's been a long time since I've looked.

Also, are you sure that you're calling TLS callbacks not only on your own module, but also on any dependent modules that you're manually mapping? (I know that Darawk's original code works recursively, manually mapping each dependent module that isn't already loaded)

The CRT module would be the obvious one I'm talking about in this situation.

[wanyancan]

Here's my log file

Code:

[03:01:31]: Logging started at 2010-02-27
[03:01:31]: In DllMain of ManualMap [.\MMDll.cpp] @ 36
[03:01:31]: ManualMap Attached [.\MMDll.cpp] @ 45
[03:01:32]: ManualMap MapModule, instance a new ManualMap to load: gdh.dll [.\MMDll.cpp] @ 62   
<<< my dll


[03:01:32]: in ManualMap::Load with pid 4876 to load gdh.dll [..\Main\ManualMap.cpp] @ 53
[03:01:32]: Initialize some data: m_module, m_pid [..\Main\ManualMap.cpp] @ 58
[03:01:32]: openprocess first fail [..\Main\ManualMap.cpp] @ 92
[03:01:32]: sucess at open process the second time [..\Main\ManualMap.cpp] @ 114
[03:01:32]: stubBase is 0x69664768 [..\Main\ManualMap.cpp] @ 122
[03:01:32]: Fix imports for KERNEL32.dll [..\Main\ManualMap.cpp] @ 407
[03:01:32]: Fix imports for USER32.dll [..\Main\ManualMap.cpp] @ 407
[03:01:32]: Fix imports for dbghelp.dll [..\Main\ManualMap.cpp] @ 407
[03:01:32]: recursively load module: dbghelp.dll [..\Main\ManualMap.cpp] @ 410   
<<< recursively loading another dll


[03:01:32]: in ManualMap::Load with pid 4876 to load dbghelp.dll [..\Main\ManualMap.cpp] @ 53
[03:01:32]: Initialize some data: m_module, m_pid [..\Main\ManualMap.cpp] @ 58
[03:01:32]: stubBase is 0x69730304 [..\Main\ManualMap.cpp] @ 122
[03:01:32]: Fix imports for msvcrt.dll [..\Main\ManualMap.cpp] @ 407
[03:01:32]: Fix imports for KERNEL32.dll [..\Main\ManualMap.cpp] @ 407
[03:01:32]: Fix imports for ADVAPI32.dll [..\Main\ManualMap.cpp] @ 407
[03:01:32]: Fix imports for RPCRT4.dll [..\Main\ManualMap.cpp] @ 407
[03:01:32]: import table fixed [..\Main\ManualMap.cpp] @ 143
[03:01:32]: successfully loaded : dbghelp.dll [..\Main\ManualMap.cpp] @ 157
[03:01:32]: Map and execute for dbghelp.dll [..\Main\ManualMap.cpp] @ 165
[03:01:32]: mapped to remote process for dbghelp.dll [..\Main\ManualMap.cpp] @ 171
[03:01:32]: dbghelp.dll has no tls section [..\Main\ManualMap.cpp] @ 182
[03:01:32]: run dllmain And/or tls callback for dbghelp.dll [..\Main\ManualMap.cpp] @ 205   
<<< after mapping, call tls callbacks and DllMain


[03:01:32]: stubase at 0x4280000 dll entry at: 0x49AC314 [..\Main\ManualMap.cpp] @ 206
[03:01:32]: dbghelp.dll finished loading dllmain and/or callback [..\Main\ManualMap.cpp] @ 212

[03:01:32]: Fix imports for d3d9.dll [..\Main\ManualMap.cpp] @ 407
[03:01:32]: import table fixed [..\Main\ManualMap.cpp] @ 143
[03:01:32]: successfully loaded : gdh.dll [..\Main\ManualMap.cpp] @ 157    
<<< my dll is mapped, 


[03:01:32]: gdh.dll is loaded, redirect some module functions to use ManualMap [.\MMDll.cpp] @ 74     <<< setup up some monitoring functions
[03:01:32]: (GMFN): 757C14FA [.\MMDll.cpp] @ 81        << GetModuleFileName
[03:01:32]: (GPA): 757C1202 [.\MMDll.cpp] @ 82         << GetProcAddress
[03:01:32]: (GMH): 757C1225 [.\MMDll.cpp] @ 83		<< GetModuleHandle
[03:01:32]: (GLL): 757C4BC6 [.\MMDll.cpp] @ 84		<< LoadLibrary

[03:01:32]: Map and execute for gdh.dll [..\Main\ManualMap.cpp] @ 165       	<< call tls callbacks and DllMain
[03:01:32]: mapped to remote process for gdh.dll [..\Main\ManualMap.cpp] @ 171
[03:01:32]: gdh.dll has tls section callback(s) [..\Main\ManualMap.cpp] @ 185
[03:01:32]: tls slot index assigned to 60 max is: 4294967295 [..\Main\ManualMap.cpp] @ 187   <<< manually set _tls_index value
[03:01:32]: run dllmain And/or tls callback for gdh.dll [..\Main\ManualMap.cpp] @ 205		<<< run PIMAGE_TLS_CALLBACKS array

[03:01:32]: stubase at 0x4270000 dll entry at: 0x479DA20 [..\Main\ManualMap.cpp] @ 206  
[03:01:33]: MyGPA GetProcAddress2 to check func: FlsAlloc [.\MMDll.cpp] @ 163                  <<< these should be some callbacks relating with CRT
[03:01:33]: kernel:GetProcAddress for FlsAlloc is at 0x757C1F22 [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: FlsGetValue [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for FlsGetValue is at 0x757C123D [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: FlsSetValue [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for FlsSetValue is at 0x757C18E4 [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: FlsFree [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for FlsFree is at 0x757C3954 [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
[03:01:33]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
[03:01:33]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
[03:01:33]: MyGMFN GetModuleFileName2 for module   [.\MMDll.cpp] @ 117
[03:01:33]: hmodule 0x00000000 is at G:\World of Warcraft_tw_old\Wow.exe [.\MMDll.cpp] @ 131        <<<< Callback finished

[03:01:33]: Logging started at 2010-02-27			<<<< DllMain starts here
[03:01:33]: dllmain at 0x04767480 [.\GDHM.cpp] @ 110
[03:01:33]: DLL_PROCESS_ATTACH [.\GDHM.cpp] @ 113
[03:01:34]: Direct3DCreate9 OK, pD3D: 0x155909E0 [.\GDHM.cpp] @ 41
[03:01:34]: pD3D->CreateDevice with hWnd : 0032073C [.\GDHM.cpp] @ 50
[03:01:34]: pD3D->CreateDevice OK, pd3dDevice: 0x155E2F80 *pd3dDevice= 0x155E5D1C [.\GDHM.cpp] @ 60
[03:01:34]: pd3dDevice -> Vtable[42] = 6096CE09 [.\GDHM.cpp] @ 68
[03:01:34]: end scene is successfully hooked! [.\GDHM.cpp] @ 116
[03:01:34]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
[03:01:34]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
[03:01:34]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
[03:01:34]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
[03:01:34]: MyGPA GetProcAddress2 to check func: EncodePointer [.\MMDll.cpp] @ 163
[03:01:34]: kernel:GetProcAddress for EncodePointer is at 0x77AC0E5B [.\MMDll.cpp] @ 171
[03:01:34]: MyGPA GetProcAddress2 to check func: DecodePointer [.\MMDll.cpp] @ 163
[03:01:34]: kernel:GetProcAddress for DecodePointer is at 0x77AB9BD5 [.\MMDll.cpp] @ 171
[03:01:34]: IDirect3DDevice9* obtained to be 0x3428A20 [.\GDHM.cpp] @ 84
[03:01:34]: gdh.dll finished loading dllmain and/or callback [..\Main\ManualMap.cpp] @ 212  <<<<<<< all finished

[03:01:41]: In manualmap.dll :: UnmapModule gdh.dll [.\MMDll.cpp] @ 102
[03:01:41]: in Unmap [..\Main\ManualMap.cpp] @ 219
[03:01:41]: clear mapped mapbyName [..\Main\ManualMap.cpp] @ 245
[03:01:41]: clear mapped mapbyHandle [..\Main\ManualMap.cpp] @ 247

Every thing seems going well, but still no floating point support.
Besides, I've also changed the code cave to call all the callbacks not the first one only.

Code:

//	Stub that calls the Dll from within the remote process.
//	This is necessary because a DllMain function takes 3
//	arguments, and CreateRemoteThread can pass only 1.
unsigned char ManualMap::DllCall_stub[] = { 
	0x55,  // push ebp
	0x89,0xe5,  // mov ebp,esp
	0x31, 0xdb, // xor ebx,ebx
	0x83, 0xec, 0x10, // sub esp,10
	0xb8, 0xDE, 0xAD, 0xBE, 0xEF, // mov eax, 0xdeadbeef  << pTlsCallback_array
	0x89, 0x45, 0xfc, // mov dword ptr [ebp-4], eax      <<<< loop start
	0x39, 0xd8, // cmp eax, ebx
	0x74, 0x15, // je Label:quit
	0x39, 0x18, // cmp [eax], ebx
	0x74, 0x11, // je label:quit
	
	0x6a, 0x00, // push 0
	0x6a, 0x01, // push 1
	0xff, 0x75, 0x08, // push dword [ebp+8]
	0xff, 0x10, // call [eax]
	0x8b, 0x45, 0xfc, // mov eax, [ebp-4]
	0x83, 0xc0, 0x04, // add eax,4
	0xeb, 0xe4, // jmp loop start
	
	0x6a, 0x00, // push 0
	0x6a, 0x01, // push 1
	0xff, 0x75, 0x08, // push dword [ebp+8]
	0xb8, 0xDE, 0xAD, 0xBE, 0xEF, // mov eax, 0xdeadbeef
	0xff, 0xd0, // call eax
	0x89, 0xec, // mov esp, ebp
	0x5d,	// pop ebp
	0xc3	// retn
};

I've really run out of ideas..

As you're also going to write the mapping codes, sincerely hope you can shed light on me.