
After injecting my DLL into a process via CreateRemoteThread, I would like to know how this DLL could intercept any calls to LoadLibraryA/W that are made by the injected process. I saw the Detours library, however it does not seem appropriate as I don't want to change the behaviour of the hooked LoadLibrary call; I just would like to know what DLL the injected process is trying to load and obtain its full path + name.

What would be the best approach on that? Thank you.

Edit 1:

Okay, after playing around with Detours, I set it to intercept any LoadLibraryA() and even LoadLibraryW() and ... the message box is never triggered:

// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <stdio.h>
#include <windows.h>
#include "detours.h"

// Target pointer for the uninstrumented LoadLibraryW API.
// Detours rewrites this pointer to a trampoline into the original function.
static HMODULE(WINAPI* TrueLoadLibrary)(LPCWSTR lpLibFileName) = LoadLibraryW;

// Detour function that replaces the LoadLibrary API.
// Forwards the call unchanged, then reports the requested module name.
HMODULE WINAPI DetouredLoadLibrary(LPCWSTR lpLibFileName)
{
    HMODULE res = TrueLoadLibrary(lpLibFileName);
    MessageBoxW(NULL, lpLibFileName, L"Detoured!", MB_OK | MB_ICONEXCLAMATION);
    return res;
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    if (DetourIsHelperProcess()) {
        return TRUE;
    }

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();

        // Install the hook inside a Detours transaction.
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)TrueLoadLibrary, DetouredLoadLibrary);
        DetourTransactionCommit();
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH) {
        // Remove the hook again when the DLL is unloaded.
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)TrueLoadLibrary, DetouredLoadLibrary);
        DetourTransactionCommit();
    }

    return TRUE;
}

I can see now that Procmon is logging more activity due to the job performed by Detours. However, one thing is bugging me: it looks like the operation is a CreateFile rather than LoadLibrary. I also tried to detour CreateFileA but had no luck either. I found a question on SO on this but there isn't any answer.

Any ideas why? Thank you.


2 Answers


Using Detours is appropriate. It doesn't need to change the behavior; it can just log the information you want and then forward the call on to the real method.
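An added example (not the asker's code or the Detours project's own) of the "log and forward" hook this answer describes: it detours LoadLibraryExW, which LoadLibraryA/W and LoadLibraryExA call into on current Windows, and resolves the full path the question asks for by calling GetModuleFileNameW on the returned handle. FormatLoadEvent and LoggingLoadLibraryExW are names chosen here; the log-line builder is kept free of Windows headers so it can be compiled and tested on any platform.

```cpp
#include <string>

// Portable part: builds the log line from the requested name and the resolved
// full path. Kept free of Windows headers so it can be unit-tested anywhere.
std::wstring FormatLoadEvent(const std::wstring& requested,
                             const std::wstring& resolved, bool ok)
{
    return L"[LoadLibrary] requested=\"" + requested + L"\" resolved=\"" +
           (ok ? resolved : L"<load failed>") + L"\"";
}

#ifdef _WIN32
#include <windows.h>
#include "detours.h"   // Microsoft Detours; link against detours.lib

// Hook LoadLibraryExW: LoadLibraryA/W and LoadLibraryExA all call into it on
// current Windows, so one detour sees them all. Code that calls
// ntdll!LdrLoadDll directly bypasses this hook.
static HMODULE (WINAPI *TrueLoadLibraryExW)(LPCWSTR, HANDLE, DWORD) = LoadLibraryExW;

static HMODULE WINAPI LoggingLoadLibraryExW(LPCWSTR name, HANDLE file, DWORD flags)
{
    HMODULE h = TrueLoadLibraryExW(name, file, flags);  // forward unchanged
    DWORD err = GetLastError();                          // keep the caller's error code
    wchar_t path[MAX_PATH] = L"";
    bool ok = h != NULL && GetModuleFileNameW(h, path, MAX_PATH) != 0;
    // OutputDebugString rather than MessageBox: a message box pumps messages and
    // can load more DLLs, re-entering this hook or deadlocking under the loader lock.
    OutputDebugStringW((FormatLoadEvent(name ? name : L"(null)", path, ok) + L"\n").c_str());
    SetLastError(err);
    return h;
}

BOOL APIENTRY DllMain(HMODULE, DWORD reason, LPVOID)
{
    if (DetourIsHelperProcess()) return TRUE;
    if (reason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)TrueLoadLibraryExW, LoggingLoadLibraryExW);
        DetourTransactionCommit();
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)TrueLoadLibraryExW, LoggingLoadLibraryExW);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

The log lines can be viewed with DebugView or any attached debugger while the injected process runs.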


Found my answer by hooking CreateFileW instead of LoadLibrary..() with Detours.

As it's currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jul 24 '22 at 00:53