how does dllmain execute the dll ? and how does it go from running in kernel mode to executing the dll within the user space of the program?
dllmain doesn't 'execute' the dll. dllmain() is an optional entry point in the dll called when specific events occur and is usually used for initialization and clean-up purposes if required.
See
http://msdn.microsoft.com/en-us/wind...=vs.85%29.aspx
so what happens when dllmain is called after injecting a dll?
dllmain() is only optional in a c/c++ program because the linker will link in a dummy/empty dllmain() if you don't provide one.
a DLL always has an entrypoint. The exceptions are a resource-only DLL, which won't typically have a code section, and a code DLL where you explicitly define it to have no entrypoint (but in that case, you can't use the C runtime, or assume that global constructors/destructors get called).
typically the entrypoint will point to the C-Runtime startup/cleanup code, which does all sorts of things, including calling global constructors and destructors, and ends up calling the user-defined dllmain() (or the default one if you don't provide one).
this is basically the same as how it works for an exe, except that in that case it calls main().
depending on the injection/loading method used, the dll entrypoint of the injected dll may or may not get called.
depending on how the application ends (and how the dll was loaded/injected), the dll entrypoint may or may not be called for each loaded dll to detach from the thread/process.
When you dive into the details, dllmain is probably one of the most complex things to fully understand in windows. So if you want an answer to something, you're going to have to be very specific.
If you want in-depth details, I suggest you read
Windows Internals Parts 1 and 2 by Mark Russinovich
http://www.amazon.co.uk/gp/product/0...?ie=UTF8&psc=1
http://www.amazon.co.uk/Windows-Inte..._bxgy_b_text_y
Also consider
Windows via c/c++ by Jeffrey Richter
http://www.amazon.co.uk/gp/product/0...?ie=UTF8&psc=1
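The posts above describe the chain PE entrypoint -> C-runtime startup -> global constructors -> DllMain(), and note that an injected DLL's entrypoint may or may not be called depending on how it was loaded. The following is an added example written for this thread, not code posted by anyone in it: a minimal DllMain() that records which notifications the loader delivered and comments on what each reason code and the `reserved` argument mean. On Windows it builds as a real DLL with the default CRT entrypoint `_DllMainCRTStartup`; the `#else` shim (an assumption for portability, not anything Windows provides) supplies the same types and constants so the function can be compiled and called on other platforms exactly the way the loader would call it. The counter array and `dllmain_count()` are hypothetical helpers added for inspection.

```c
/* Added example: a minimal DLL entry point showing the notifications
 * the Windows loader delivers.  On Windows build with
 *   cl /LD dllmain_demo.c        (MSVC)   or   gcc -shared -o demo.dll dllmain_demo.c
 * and the CRT's _DllMainCRTStartup becomes the PE entrypoint, runs global
 * constructors, then calls DllMain().  Linking with /NODEFAULTLIB and
 * /ENTRY:DllMain makes the loader call DllMain directly instead, with no CRT
 * and no constructors, which is the trade-off the thread mentions. */
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Portability shim (assumption): same shape as the <windows.h> definitions,
 * so the function can be compiled and exercised outside Windows. */
typedef void *HINSTANCE;
typedef unsigned long DWORD;
typedef void *LPVOID;
typedef int BOOL;
#define TRUE 1
#define FALSE 0
#define WINAPI
#define DLL_PROCESS_DETACH 0
#define DLL_PROCESS_ATTACH 1
#define DLL_THREAD_ATTACH  2
#define DLL_THREAD_DETACH  3
#endif

/* Hypothetical helper: one counter per reason code so a host (or a test)
 * can see which callbacks the loader actually delivered. */
static int g_count[4];

int dllmain_count(DWORD reason)
{
    return (reason < 4) ? g_count[reason] : -1;
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)hinst;
    (void)reserved;
    if (reason < 4)
        g_count[reason]++;

    switch (reason) {
    case DLL_PROCESS_ATTACH:
        /* reserved == NULL: dynamic load (LoadLibrary, or an injector that
         * goes through the loader, e.g. a remote LoadLibrary call).
         * reserved != NULL: loaded as a static import at process start-up.
         * A manually mapped DLL never gets here unless the injector calls
         * the entrypoint itself. */
#ifdef _WIN32
        /* This DLL has no per-thread state, so ask the loader to stop
         * sending DLL_THREAD_ATTACH / DLL_THREAD_DETACH for this module. */
        DisableThreadLibraryCalls(hinst);
#endif
        /* The loader lock is held here: do not call LoadLibrary, do not
         * create a thread and wait on it, do not assume other DLLs are
         * initialised.  Returning FALSE makes the load fail. */
        return TRUE;

    case DLL_PROCESS_DETACH:
        /* reserved != NULL: the process is terminating; other DLLs may be
         * gone already and remaining threads were killed without a
         * DLL_THREAD_DETACH.  reserved == NULL: FreeLibrary dropped the
         * reference count to zero, so full clean-up is safe. */
        return TRUE;

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        /* Only delivered for threads created after this DLL was loaded,
         * and not at all once DisableThreadLibraryCalls has been used. */
        return TRUE;
    }
    return TRUE;
}
```

Calling `DllMain(NULL, DLL_PROCESS_ATTACH, NULL)` then `DllMain(NULL, DLL_PROCESS_DETACH, NULL)` from a host reproduces the sequence the loader performs for a LoadLibrary/FreeLibrary pair; on a real Windows build the loader makes those calls for you and the counters can be read back through an exported accessor. The `reserved` checks are the practical way to tell a clean FreeLibrary unload from process exit, which is the "depending on how the application ends" case raised above.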