How can I hook DllMain ?
I'm playing around with VLD, which inline-patches LdrLoadDll in order to hook the dynamic library functions that allocate memory, so that it can detect memory leaks.
At this point the dll has not been loaded yet, so I don't have a module handle to set up library hooks. Also, setting up hooks after the original LdrLoadDll is called means that DllMain has already been called, which might allocate some memory that is not recorded by the leak detector. My question is, where is the best place to set up the hooks just before the call to DllMain, in order to be able to record memory allocations within DllMain? |
At the entrypoint? About memory, you can just hook some kernel functions for memory allocation and follow it.
|
Quote:
0x0FD91154 e9 a7 19 00 00
which is a near relative jump to _DllMainCRTStartup. If I understand correctly I need a long jump (absolute address), which is a 2 byte op code, to enter the hook function in my module. So there is no space to add the additional op code...
__DllMainCRTStartup@12:
0x0FD91154 jmp _DllMainCRTStartup (0FD92B00h)
...
...
_CoGetMalloc@8:
0x0FD91276 jmp CoGetMalloc (0FD91518h)
0x0FD9127B int 3
0x0FD9127C int 3
Can I use the space after _CoGetMalloc@8 to make a near jump instruction there, and then a long jump to my module? Also, is there any guarantee that there will always be space there to include an additional jump instruction? |
Load your own DLL. At EP of your DLL get the return address from stack. C code can use MSVC intrinsics for this. It'll be address in the system DLL from which all DLL EPs are called. Hook it. Profit?!
|
I think the function is called LdrpCallInitRoutine. Just hook it. You can get the address from NTDLL debug symbols.
Code:
BOOLEAN NTAPI LdrpCallInitRoutine ( IN PDLL_INIT_ROUTINE EntryPoint, |
You can also do it by hooking NtMapViewOfSection and getting the name of the mapped section; if it matches the wanted dll, look in the PE header of the mapped dll for the entrypoint and hook it :) That's the simplest way.
Somebody in the past also asked how to know when dlls are loaded, and I will also point to the same code: http://deroko.phearless.org/itracer.zip <--- look for the hook of NtMapViewOfSection. There is detailed code for how to find the dll name too :) As you may see from the previous answers, there are many ways to do it :) |
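One way to find the entrypoint that the NtMapViewOfSection approach above needs, as an added example that is not code from the thread or from itracer: a bounds-checked walk of the mapped image's PE headers down to AddressOfEntryPoint. The header offsets are those of the PE/COFF format; the helper names, the parser function and the constructed headers-only test image are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian field access; PE fields are always little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* DOS header -> "PE\0\0" -> COFF header -> optional header -> AddressOfEntryPoint.
 * Returns the entry RVA, or 0 for malformed headers or a module with no entry point.
 * Every offset is checked against `size`: the mapped view is untrusted input, and a
 * bogus e_lfanew or SizeOfOptionalHeader must not make us read past the view.
 * In a SEC_IMAGE mapping the RVA applies to the view base, so base + RVA is the site. */
uint32_t pe_entry_point_rva(const uint8_t *image, size_t size) {
    if (size < 0x40 || rd16(image) != 0x5A4D) return 0;               /* "MZ" */
    uint32_t e_lfanew = rd32(image + 0x3C);
    if (e_lfanew > size || size - e_lfanew < 24 + 20) return 0;       /* sig + COFF + opt[0..20) */
    const uint8_t *nt = image + e_lfanew;
    if (rd32(nt) != 0x00004550u) return 0;                             /* "PE\0\0" */
    uint16_t opt_size = rd16(nt + 4 + 16);                             /* COFF.SizeOfOptionalHeader */
    const uint8_t *opt = nt + 24;
    if (opt_size < 20 || (size_t)(opt - image) + opt_size > size) return 0;
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return 0;                    /* PE32 / PE32+ only */
    return rd32(opt + 16);               /* AddressOfEntryPoint sits at +16 in both formats */
}

/* Self-check: build a constructed headers-only image (no sections) with the given
 * optional-header magic and entry RVA, optionally truncate it to `keep` bytes, parse it. */
uint32_t demo_parse(uint16_t magic, uint32_t entry_rva, size_t keep) {
    uint8_t buf[512];
    const uint32_t e_lfanew = 0x80, opt_size = 0xF0;                   /* total image: 0x178 bytes */
    memset(buf, 0, sizeof buf);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    nt[0] = 'P'; nt[1] = 'E';                                           /* bytes 2 and 3 stay 0 */
    wr16(nt + 4 + 16, (uint16_t)opt_size);
    wr16(nt + 24, magic);
    wr32(nt + 24 + 16, entry_rva);
    size_t total = e_lfanew + 24 + opt_size;
    return pe_entry_point_rva(buf, keep < total ? keep : total);
}
```

A hook placed at that address still runs after any TLS callbacks, which the loader invokes before the entry point, so allocations made there are not covered by it.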
I'll have to try every solution more extensively to find the one that requires the least amount of assembly knowledge, before I mark best answer.
I have already tried Archer's suggestion, which gives me a pointer inside the LdrpCallInitRoutine function at the red line below, so now I need to figure out how to change the function to call and return from my function pointer. Code:
_LdrpCallInitRoutine@16: Code:
if (SymInitializeW(g_currentProcess, symbolpath, FALSE)) { |
Look here for a simple PDB-GetProcAddress
https://bitbucket.org/NtQuery/pdb-getprocaddress/src/eebe9737d6de34261f6bec5b7b57ae973978c9e2/PDBReader/Source.cpp?at=master |
Hook LoadLibraryEx -> check if dll is your -> fix flags to DONT_RESOLVE_DLL_REFERENCES -> call original -> set hooks -> call DllMain.
|
Quote:
If this value is used, and the executable module is a DLL, the system does not call DllMain for process and thread initialization and termination. Also, the system does not load additional executable modules that are referenced by the specified module. https://msdn.microsoft.com/en-us/library/windows/desktop/ms684179%28v=vs.85%29.aspx |
Ok, set hooks -> fill dll's imports -> call DllMain :)
There is no legal way to do this without dirty hacks. |
I have developed a working solution I wanted to run by your brilliant minds for comments, feedback or any other considerations I might have missed.
I used Archer's recommendation to get the ReturnAddress and work my way from there by creating a code cave. This solution should work for all versions of Windows XP+ x86 and x64. Code:
typedef BOOLEAN(NTAPI *PDLL_INIT_ROUTINE)(IN PVOID DllHandle, IN ULONG Reason, IN PCONTEXT Context OPTIONAL); |
Guys, no love from you?
None of you gurus can review the code sample above to give me some comments/pointers ? I would appreciate any comments greatly. |