Old 01-18-2015, 16:59
Posted by ioannis
Quote:
Originally Posted by DMichael
At the entrypoint? About memory, you can just hook some kernel functions for memory allocation and follow it.
If I hook at RtlImageNtHeaderEx, I can get the EntryPoint
0x0FD91154 e9 a7 19 00 00
which is a near relative jump to _DllMainCRTStartup

If I understand correctly, I need a long jump (absolute address), which is a 2-byte op code, to enter the hook function in my module. So there is no space to add the additional op code...

__DllMainCRTStartup@12:
0x0FD91154 jmp _DllMainCRTStartup (0FD92B00h)
...
...
_CoGetMalloc@8:
0x0FD91276 jmp CoGetMalloc (0FD91518h)
0x0FD9127B int 3
0x0FD9127C int 3

Can I use the space after _CoGetMalloc@8 to place a near jump instruction there, and then a long jump to my module?

Also, is there any guarantee that there will always be space there to include an additional jump instruction?
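The bytes quoted in the post (e9 a7 19 00 00 at 0x0FD91154) are an E9 rel32 near jump whose target is computed from the address of the next instruction plus the signed 32-bit displacement. The following added example (not code from the thread) decodes and re-encodes that 5-byte form and uses it for the check an integrity or anti-tamper tool performs at a DLL entry point: does the jump stay inside the module image, or does it leave it, as an inline hook would? IMAGE_BASE and IMAGE_SIZE are constructed assumptions for the range check.

```python
import struct

# Constructed assumptions: module base and size used for the in-image range check.
IMAGE_BASE = 0x0FD90000
IMAGE_SIZE = 0x00010000

# Sample bytes from the post at the entry point (0x0FD91154: e9 a7 19 00 00).
ENTRY_ADDR = 0x0FD91154
ENTRY_BYTES = bytes.fromhex("e9a7190000")


def decode_jmp_rel32(addr, code):
    """Return the target of an E9 rel32 jump located at `addr`, or None if
    `code` does not start with one. Target = (addr + 5) + disp32 (signed)."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    disp = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + disp) & 0xFFFFFFFF


def encode_jmp_rel32(addr, target):
    """Encode an E9 rel32 jump placed at `addr` that lands on `target`.
    Raises ValueError if the displacement does not fit in a signed 32-bit
    field, i.e. the target is outside the +/-2 GiB reach of a near jump."""
    disp = target - (addr + 5)
    if not -0x80000000 <= disp <= 0x7FFFFFFF:
        raise ValueError("target not reachable with a near relative jump")
    return b"\xe9" + struct.pack("<i", disp)


def jump_leaves_module(addr, code, base=IMAGE_BASE, size=IMAGE_SIZE):
    """Integrity check: True when the first instruction at `addr` is a near
    jump whose target lies outside [base, base + size), which is what an
    inline hook redirecting the entry point into another module looks like."""
    target = decode_jmp_rel32(addr, code)
    if target is None:
        return False
    return not (base <= target < base + size)


if __name__ == "__main__":
    print(hex(decode_jmp_rel32(ENTRY_ADDR, ENTRY_BYTES)))   # 0xfd92b00
    print(jump_leaves_module(ENTRY_ADDR, ENTRY_BYTES))      # False
```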