Nvspcap64.dll not found - practical solutions
How do I fix nvspcap64 DLL error?
- Disable NVIDIA GeForce Experience from startup.
- Uninstall using IObit Uninstaller program.
- Update NVIDIA Drivers.
- Update your Windows OS.
Hello everyone, and welcome to Pentester Academy's Network Pentesting series. In this article we are going to look at how to create the hijack DLL as part of the DLL forwarding basics, so let's get started right away. Before we start building our DLL, let's take a look at the export table of a system DLL and try to understand a bit more about it.
So I go to C:\Windows\SysWOW64. I'm on a 64-bit system, and right now I intend to look only at the 32-bit DLLs, which are all in this directory. And I'm going to use PEview.
Now I can clearly see the export address table in here. And now, as we may have talked about a few articles ago, DLLs are basically exporting various procedures or functions that other code in the program can call and use. Now, DLLs export functions either by name or ordinal.
Notice that many of these functions, like `ActivateKeyboardLayout`, `AddClipboardFormatListener`, etc., are exported by name, while some of them have no name, which means they are exported by ordinal. What is an ordinal number? Very simply put, it is a unique number within the DLL that is assigned to a particular procedure.
You will find that this value is different on each export, and that this is essentially the ordinal number. The first two functions are clearly exported with ordinal numbers 05DC and 05DD. Correct? Fantastic.
So how does function forwarding work? A DLL may not implement a function it exports. Rather, the function can reside in another DLL that it references. Let's say I have a function ABC.
I can say: hey, ABC is actually in another DLL, pick it up from there. This is a very, very common practice, and even system DLLs do it. So let's go back.
If I look at user32 and keep scrolling down, you'll find these four entries interesting. Notice that each one has a forwarded name. So `DefDlgProcA` is really forwarded to `NTDLL.NtdllDialogWndProc_A`. NTDLL is another DLL, right? So the format is basically the new DLL, a period, and the name of the procedure.
As you can clearly see, the procedure name in the new DLL can be completely different from the name in the original DLL. There is no requirement that the names match. How does the loader work in this case? It first loads user32. Then, if the program goes on to use `DefDlgProcW`, it loads NTDLL.
It now knows that this is the address to call when the function is referenced. So how are we going to orchestrate this DLL man-in-the-middle attack? Here is what we're going to do. Step one: take the real USER32.DLL and dump all of its exported procedures by name or ordinal number.
After that we will create a proxy DLL. That DLL has an export table in which pretty much all the procedure names are the same as in the real DLL, as forwarding entries that eventually call the correct code in the real DLL. Remember that the application does not call our proxy DLL automatically.
The only way to make that happen is to rename the real DLL and give its name to the proxy. So I'll create a new DLL called USER32.DLL containing functions that are forwarded to the real user32, which will by then have been renamed to something else.
So, in summary: dump all exported functions by name and/or ordinal from the real DLL, then create a DEF file that the linker uses to build a new DLL that is really nothing more than function redirection to the real DLL, which has now been renamed to something else. The loader loads our new DLL, which is nothing but the proxy in between. Once it has gone through the entries, it loads the real DLL that we have renamed.
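The same export-table facts are what a defender checks when triaging a suspicious DLL. The following is an added example, not code from the original article: `parse_exports`, `proxy_target` and `build_sample` are hypothetical names, the 0.9 threshold is an assumption, and the export directory is a constructed buffer in which file offsets equal RVAs (as in a mapped image).

```python
import struct
from collections import Counter

def cstr(img, rva):
    """Read the NUL-terminated ASCII string that starts at rva."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def parse_exports(img, dir_rva, dir_size):
    """Walk IMAGE_EXPORT_DIRECTORY in a mapped image (offset == RVA).
    Returns (ordinal, name or None, forwarder or None) per export."""
    (base, n_funcs, n_names, funcs, names, ords) = struct.unpack_from(
        "<6I", img, dir_rva + 16)          # skip flags, timestamp, version, Name
    name_of = {}
    for i in range(n_names):               # name table -> index into funcs
        idx, = struct.unpack_from("<H", img, ords + 2 * i)
        name_rva, = struct.unpack_from("<I", img, names + 4 * i)
        name_of[idx] = cstr(img, name_rva)
    out = []
    for i in range(n_funcs):
        rva, = struct.unpack_from("<I", img, funcs + 4 * i)
        if rva == 0:
            continue                       # unused ordinal slot
        # An export RVA that points back inside the export directory is not
        # code: it is the forwarder string "DLL.Proc" or "DLL.#ordinal".
        fwd = cstr(img, rva) if dir_rva <= rva < dir_rva + dir_size else None
        out.append((base + i, name_of.get(i), fwd))
    return out

def proxy_target(exports, threshold=0.9):
    """DLL that at least `threshold` of all exports forward to, else None."""
    hits = Counter(f.rsplit(".", 1)[0].lower() for _, _, f in exports if f)
    if not hits:
        return None
    dll, n = hits.most_common(1)[0]
    return dll if n / len(exports) >= threshold else None

def build_sample():
    """Constructed export directory: two named forwarders, one ordinal-only."""
    strs = [b"ActivateKeyboardLayout", b"AddClipboardFormatListener",
            b"USER32_real.ActivateKeyboardLayout",
            b"USER32_real.AddClipboardFormatListener", b"USER32_real.#1502"]
    off, pos = [], 64                      # strings start after the tables
    for s in strs:
        off.append(pos)
        pos += len(s) + 1
    hdr = struct.pack("<IIHHI6I", 0, 0, 0, 0, 0, 0x5DC, 3, 2, 40, 52, 60)
    tables = struct.pack("<3I2I2H", off[2], off[3], off[4], off[0], off[1], 0, 1)
    return hdr + tables + b"\0".join(strs) + b"\0"
```

Legitimate system DLLs forward exports too (the USER32 to NTDLL entries above are an example), so a hit is a triage signal to combine with signature and file-path checks rather than a verdict.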
So first let's create a DEF file with all the function redirection entries. If you remember, in the last article we created DLLexportdump.py, with which we saved all the export information from a particular DLL by name and/or ordinal number.
Now let's create the DEF file. Our linker, LD, understands this DEF file as essentially containing the function forwarders. So what is the format? It is LIBRARY followed by the library name.
Then we have the EXPORTS section, where we put the redirects. Let me show it; let's analyze the output first. The DLL to use is USER32.DLL, and of course, because we're creating a proxy with the same name, the output file for the DLL binary would eventually have the same name.
As far as the definition file is concerned, we can always use a different name. But do remember that the new DLL name has to be mentioned in the function forwarding. So let's call this USER32_real.dll.
Let's pipe this through less so we can see the output. The DLL in question is USER32_real. Here is the EXPORTS section. When a program asks for `ActivateKeyboardLayout`, the entry says to go to USER32_real and pick up the same function.
And we have the ordinal number for it too. At the very end you will of course have a couple of exports that are only available by ordinal number. It was a bit of a chore figuring out the linker options. I tested it by name.
I think the ordinal part works too, but you can try it for yourself just to check it out. Now we actually put that into template.def.
And when I open my template.def now, here's a nice DEF file that our linker can use to create the proxy DLL. To create the proxy DLL, of course, we need to have written some DLL template code, so I have split this article into two parts. And I think that's all I had in mind for this article.
In the next article we will look at how to create our proxy DLL with the DLL template code. Well, that's all for this article, folks. And if you enjoy your time at Pentester Academy, please recommend us to your friends and colleagues in the infosec community.
What is nvspcap64 DLL?
dll, File description: NVIDIA Capture Server Proxy.
What is system32 Nvspcap DLL?
The genuine nvspcap.dll file is a software component of Nvidia GeForce Experience by Nvidia. ... dll is a resource library that is part of ShadowPlay, a video capturing and streaming application that is part of Nvidia GeForce Experience.