
I'm trying to write a program which will catch the event of a DLL being loaded into memory. For that purpose I put a hook on the LdrLoadDll API. That works very well, but the problem is that this API doesn't catch DLLs which are loaded as dependencies. For example -

LoadLibraryW(L"C:\...\chrome_child.dll");

using LdrLoadDll I will catch chrome_child.dll being loaded into memory, but I won't catch win32u.dll, which is one of chrome_child.dll's dependencies.

Does anyone know a better API to use for that purpose?

  • you can use `LdrRegisterDllNotification` starting from Vista - https://msdn.microsoft.com/en-us/library/dd347460(v=vs.85).aspx – RbMm Dec 08 '16 at 19:23
  • Thanks! It works. However, this API was added only in Vista. Do you know about something that might work on Windows XP too? – macro_controller Dec 11 '16 at 11:40
  • for XP there exist several **undocumented** options - we can use `LdrSetDllManifestProber` to set our own callback, which will be called when a dll is loaded. but in the callback we will need to create the activation context for the dll ourselves (by `CreateActCtx`) or find the original callback and use it. **note** the `LdrSetDllManifestProber` signature changed in new windows versions (now it takes 3 callbacks) but on `XP` it has only one param and this will never change any more. – RbMm Dec 11 '16 at 13:06
  • the most powerful option - call `LdrInitShimEngineDynamic(&__ImageBase)`; in this case you need to export several funcs - `SE_InstallBeforeInit`, `SE_InstallAfterInit`, `SE_DllLoaded`, `SE_DllUnloaded`, `SE_IsShimDll`, `SE_ProcessDying`, `SE_GetProcAddress`. this gives you great control over the dll load/unload process. ShimEngine is very volatile, and changes in every new windows version. however XP will not change any more – RbMm Dec 11 '16 at 13:06
  • finally - you can hook `ZwMapViewOfSection` - and query its `SectionImageInformation`; also when a dll is loaded (but not when a data section is mapped) `NT_TIB.ArbitraryUserPointer` points to the full dll path – RbMm Dec 11 '16 at 13:07
  • Thank you, it's really helpful! I want to use the `ZwMapViewOfSection` method, but I couldn't really understand where I find the pointer to the full path of the dll? – macro_controller Dec 11 '16 at 15:12
  • in `NT_TIB.ArbitraryUserPointer` - this points to the unicode (PWSTR) path of the image file – RbMm Dec 11 '16 at 15:15
  • look at the `NtCurrentTeb()` macro in `winnt.h` and the `NT_TIB` definition – RbMm Dec 11 '16 at 15:18
  • look in `winnt.h` – RbMm Dec 11 '16 at 15:23
  • look at this - http://imgur.com/a/sOS41 – RbMm Dec 11 '16 at 15:34
  • Is it supposed to work the same in a 32 bit process? I didn't see the assignment you posted in Windbg in a 32 bit process, and: `LoadLibraryExW(L"C:\\...\\chrome_child.dll", NULL, 0); PNT_TIB teb = (PNT_TIB)NtCurrentTeb(); teb->ArbitraryUserPointer` points to 0X00000000. Is there a way to extract the path or the dll name from SectionImageInformation? – macro_controller Dec 11 '16 at 15:49
  • yes, of course this is true in both 32 and 64 bit processes. `ArbitraryUserPointer` points to the path only while `ZwMapViewOfSection` is called - just after this it is restored to the saved value – RbMm Dec 11 '16 at 16:06
  • look more closely at http://imgur.com/a/sOS41 - `ArbitraryUserPointer` ([rdi+28h]) is assigned the path several instructions before `ZwMapViewOfSection` is called, and on the next instruction after the call it is already restored to the saved value (`rbx`) – RbMm Dec 11 '16 at 16:09
  • It seems like it worked, thank you! – macro_controller Dec 11 '16 at 16:16
  • this is from a 32 bit process - look for `[edi+14]` - http://imgur.com/a/9hVOn – RbMm Dec 11 '16 at 16:20
  • @RbMm None of these will intercept manually mapped images. – Mecanik Apr 02 '22 at 04:18
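Added example (not code from the question or its comments): the `LdrRegisterDllNotification` route RbMm suggests, which reports every image the loader maps, dependencies such as win32u.dll included, but, as the last comment notes, not manually mapped images. The ntdll types follow the documented signatures; the event log, the `simulate_event` helper and the stand-in winhttp.dll are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#define CALLBACK   /* __stdcall only matters on Windows x86; empty elsewhere */
#endif
/* ntdll types as documented for LdrRegisterDllNotification (not in the SDK headers);
 * uint16_t stands in for USHORT/PWSTR so the callback also compiles off Windows. */
typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING;
typedef struct { uint32_t Flags; const UNICODE_STRING *FullDllName, *BaseDllName;
                 void *DllBase; uint32_t SizeOfImage; } LDR_DLL_NOTIFICATION_DATA;
#define LDR_DLL_NOTIFICATION_REASON_LOADED   1
#define LDR_DLL_NOTIFICATION_REASON_UNLOADED 2
static int g_count; static char g_last[128];   /* hypothetical event log: count + last event */
/* The loader calls this for every image it maps, dependencies included; BaseDllName
 * is a byte-counted UTF-16 string that is not NUL-terminated, so narrow it by hand. */
static void CALLBACK dll_notify(uint32_t reason, const LDR_DLL_NOTIFICATION_DATA *d, void *ctx) {
    char name[96]; size_t n = d->BaseDllName->Length / 2, i; (void)ctx;
    for (i = 0; i < n && i < sizeof name - 1; i++)   /* keep ASCII, mark the rest */
        name[i] = d->BaseDllName->Buffer[i] < 0x80 ? (char)d->BaseDllName->Buffer[i] : '?';
    name[i] = '\0';
    snprintf(g_last, sizeof g_last, "%s %s",
             reason == LDR_DLL_NOTIFICATION_REASON_LOADED ? "LOAD" : "UNLOAD", name);
    g_count++;
}
int dll_event_count(void) { return g_count; }
const char *dll_last_event(void) { return g_last; }
/* Test helper: hand the callback exactly what the loader would pass for an ASCII name. */
int simulate_event(const char *ascii, uint32_t reason) {
    uint16_t buf[64]; size_t n = strlen(ascii) > 64 ? 64 : strlen(ascii), i;
    UNICODE_STRING s = { (uint16_t)(2 * n), (uint16_t)(2 * n), buf };
    LDR_DLL_NOTIFICATION_DATA d = { 0, &s, &s, NULL, 0 };
    for (i = 0; i < n; i++) buf[i] = (uint16_t)(unsigned char)ascii[i];
    dll_notify(reason, &d, NULL); return g_count;
}

#ifdef _WIN32   /* real registration: resolved from ntdll at run time, there is no import lib */
typedef void (CALLBACK *PLDR_DLL_NOTIFICATION_FUNCTION)(uint32_t, const LDR_DLL_NOTIFICATION_DATA *, void *);
typedef LONG (NTAPI *pfnRegister)(ULONG, PLDR_DLL_NOTIFICATION_FUNCTION, PVOID, PVOID *);
typedef LONG (NTAPI *pfnUnregister)(PVOID);
int main(void) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll"); void *cookie = NULL;
    pfnRegister reg = (pfnRegister)GetProcAddress(ntdll, "LdrRegisterDllNotification");
    pfnUnregister unreg = (pfnUnregister)GetProcAddress(ntdll, "LdrUnregisterDllNotification");
    if (!reg || !unreg || reg(0, dll_notify, NULL, &cookie) != 0) return 1;
    HMODULE h = LoadLibraryW(L"winhttp.dll"); if (h) FreeLibrary(h);  /* stand-in DLL */
    unreg(cookie);
    printf("%d load/unload events, last: %s\n", g_count, g_last); return 0;
}
#endif
```

On Windows the program prints one LOAD line per image the loader mapped for winhttp.dll and its imports, followed by the matching UNLOAD events when it is freed.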
