Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   DLLs loading sequence (https://forum.exetools.com/showthread.php?t=15266)

te$ter 09-25-2013 02:31

DLLs loading sequence
 
Is it possible to get sequence how application loads its DLLs?

gigaman 09-25-2013 04:14

Here is a discussion on the subject, with some useful external links.

wilson bibe 09-25-2013 10:11

If I understood your question, Open your target if it was developed in 32 bits OS, with Hdasm, and you will see what you want when you analyze the imports table and the address of each call.

deroko 09-26-2013 21:17

It's possible, you need to hook NtMapViewOfSection. For more details you may look how it's done in this code : http://deroko.phearless.org/itracer.zip (look for NtMapViewOfSection hooking code)

arlequim 10-30-2013 16:55

Did you already try putting BPX on LoadLibraryA?

Here is a little asm code just to recall how dll files are loaded:

Code:

    push offset lib
    call LoadLibrary ; will load the dll
    mov hLib, eax
    push offset function
    push hLib
    call GetProcAddress ; will get the procedure to execute
    mov hProc, eax
    call hProc ; will call your function in your DLL
    push hLib
    call FreeLibrary ; free the resource


nulli 10-30-2013 18:14

To see how DLLs are loaded for an application I would set the global flag for showing loader snaps (http://msdn.microsoft.com/en-us/library/windows/hardware/ff556886(v=vs.85).aspx) and watch the debug output.

The Windows Internals book has an experiment showing how you can do this. Use google and search for "watching the image loader". Here is a direct link to this page: http://bit.ly/1doJuzI

arlequim 10-30-2013 18:52

Using WinDBG, first you have to enable your debugger, so type:

!gflag +ksl

Break when your file (.exe or .dll) is loaded:

sxe ld mydll.dll

That's all :)


All times are GMT +8. The time now is 17:56.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX