CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 6 of 6
  1. #1
    Join Date
    Dec 2010
    Posts
    121

    DLLMain (DLL Attach) not called?

    When I used an external hooker to hook this dll into the process, it worked.
    But when I embedded the hooked functions in the IAT of the exe,
    this DLL_PROCESS_ATTACH branch was not used?
    I don't understand why.
    I keep trying for a whole afternoon already



    Code:
    BOOL APIENTRY DllMain( HANDLE hModule, 
                           DWORD  ul_reason_for_call, 
                           LPVOID lpReserved
    					 )
    {
        switch (ul_reason_for_call)
    	{
    		case DLL_PROCESS_ATTACH:
    			logfile.open(".\\log.txt");

  2. #2
    2kaud's Avatar
    2kaud is offline Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,822

    Re: DLLMain (DLL Attach) not called?

    DllMain() is called with DLL_PROCESS_ATTACH when the DLL is being loaded into the virtual address space of the current process as a result of the process starting up or as a result of a call to LoadLibrary. If this isn't happening as expected, then neither of these conditions are satisfied. Have you tried checking for DLL_THREAD_ATTACH? Does the dll already exist in the address space of the current process? How is the dll being loaded - explicitly using LoadLibrary or implicitly via static/dynamic linking?
    All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!

    C++23 Compiler: Microsoft VS2022 (17.6.5)

  3. #3
    Join Date
    Dec 2010
    Posts
    121

    Re: DLLMain (DLL Attach) not called?

    Oh.. Thanks 2kaud, I haven't tried the DLL_THREAD_ATTACH yet, but I'll try tomorrow.
    Anyways, it is not called by LoadLibrary, I just use some third-party tools to stick the
    dll at the end of the iat of the exe, and rebuild the iat.
    I remember one time I did it right, but not with this exe,
    So I think this approach does work, but I probably missed something I learnt before

  4. #4
    Join Date
    Dec 2010
    Posts
    121

    Re: DLLMain (DLL Attach) not called?

    Oh yeah, I think I can't call the dllmain when it is embedded inside the iat,
    I need to call the LoadLibrary somehow.
    The only thing available to me is the actual api itself.

    If I don't want to utilize an external hooker at all,
    I just want the apis to be hooked at runtime.

    I don't have the source of the executable
    and I need to do something like this
    app1 -> hooked app (this application) -> hooking dll (injecting dll)

    When can be done in order to let the hooked app trigger the hooking functionality right after app1 calls
    hooked app?

  5. #5
    Join Date
    Dec 2010
    Posts
    121

    Re: DLLMain (DLL Attach) not called?

    Hello coming back,
    Know that I have created a hooker to intercept all calls from the windows 7 explorer shell (hacked one)
    to windows 7 itself.

    I intercept all calls that are associated with registry.
    Funny enough is when there are registry calls allowed, I can see the taskbar, but the theme is windows basic
    When I disable all registry calls, there are no taskbar at all.

    I was wondering,
    1) how can I tweak the registry calls in order to display any themes I like to the current instance of windows explorer
    (I have thought about using the sandbox, is it possible?)

    2) how can I interpret the registry calls, when I do something like
    Code:
    LSTATUS
    APIENTRY
    HookedRegOpenKeyW(
    	__in HKEY hKey,
    	__in_opt LPCWSTR lpSubKey,
    	__out PHKEY phkResult
    )
    {
    	::RegOpenKeyW(hKey, lpSubKey, phkResult);
    	std::stringstream oss;
    	oss << "RegOpenKeyW = " <<  hKey <<  " " << lpSubKey << endl;
    	//////OutputDebugString(oss.str().c_str());
    	logfile.write(oss.str().c_str(), oss.str().length());
    	logfile.flush();
    	return ERROR_SUCCESS;
    }

    I get all hex numbers, I don't know what they mean

    RegOpenKeyW = 80000002 00422A08

    How do I turn this into some meaningful text?





    Thanks
    Jack
    Last edited by luckiejacky; December 3rd, 2016 at 05:48 AM.

  6. #6
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    6,620

    Re: DLLMain (DLL Attach) not called?

    I wonder how long it would take for you to understand the situation. Explorer is not a part of WinAPI, therefore, has no publicly documented design and behavior (except the topic of shell extensions). It is a standalone proprietory app. The app sources are closed by MS, and the vendor is free to change anything in it with any servicepack released. Nobody here but you is interested in the topic. You are on your own. Wrong forum, sorry.
    Best regards,
    Igor

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  





Click Here to Expand Forum to Full Width

Featured