DLLs loading sequence

[te$ter]

Is it possible to get sequence how application loads its DLLs?

[gigaman]

Here is a discussion on the subject, with some useful external links.

[wilson bibe]

If I understood your question, Open your target if it was developed in 32 bits OS, with Hdasm, and you will see what you want when you analyze the imports table and the address of each call.

[deroko]

It's possible, you need to hook NtMapViewOfSection. For more details you may look how it's done in this code : http://deroko.phearless.org/itracer.zip (look for NtMapViewOfSection hooking code)

[arlequim]

Did you already try putting BPX on LoadLibraryA?

Here is a little asm code just to recall how dll files are loaded:

Code:

    push offset lib
    call LoadLibrary ; will load the dll
    mov hLib, eax
    push offset function
    push hLib
    call GetProcAddress ; will get the procedure to execute
    mov hProc, eax
    call hProc ; will call your function in your DLL
    push hLib
    call FreeLibrary ; free the resource

[nulli]

To see how DLLs are loaded for an application I would set the global flag for showing loader snaps (http://msdn.microsoft.com/en-us/library/windows/hardware/ff556886(v=vs.85).aspx) and watch the debug output.

The Windows Internals book has an experiment showing how you can do this. Use google and search for "watching the image loader". Here is a direct link to this page: http://bit.ly/1doJuzI

[arlequim]

Using WinDBG, first you have to enable your debugger, so type:

!gflag +ksl

Break when your file (.exe or .dll) is loaded:

sxe ld mydll.dll

That's all