-
December 2nd, 2016, 07:48 AM
#1
DLLMain (DLL Attach) not called?
When I used an external hooker to hook this dll into the process, it worked.
But when I embedded the hooked functions in the IAT of the exe,
this DLL_PROCESS_ATTACH branch was not used?
I don't understand why.
I have been trying for a whole afternoon already.
Code:
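#include <windows.h>
#include <fstream>

std::ofstream logfile;  // assumed type of the shared log stream

BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        logfile.open(".\\log.txt");  // open the log when the DLL is mapped
        break;
    }
    return TRUE;
}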
-
December 2nd, 2016, 08:25 AM
#2
Re: DLLMain (DLL Attach) not called?
DllMain() is called with DLL_PROCESS_ATTACH when the DLL is being loaded into the virtual address space of the current process as a result of the process starting up or as a result of a call to LoadLibrary. If this isn't happening as expected, then neither of these conditions is satisfied. Have you tried checking for DLL_THREAD_ATTACH? Does the dll already exist in the address space of the current process? How is the dll being loaded - explicitly using LoadLibrary or implicitly via static/dynamic linking?
All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!
C++23 Compiler: Microsoft VS2022 (17.6.5)
-
December 2nd, 2016, 09:44 AM
#3
Re: DLLMain (DLL Attach) not called?
Oh.. Thanks 2kaud, I haven't tried the DLL_THREAD_ATTACH yet, but I'll try tomorrow.
Anyways, it is not called by LoadLibrary, I just use some third-party tools to stick the
dll at the end of the iat of the exe, and rebuild the iat.
I remember one time I did it right, but not with this exe,
So I think this approach does work, but I probably missed something I learnt before
-
December 2nd, 2016, 11:21 PM
#4
Re: DLLMain (DLL Attach) not called?
Oh yeah, I think I can't call the dllmain when it is embedded inside the iat,
I need to call the LoadLibrary somehow.
The only thing available to me is the actual api itself.
If I don't want to utilize an external hooker at all,
I just want the apis to be hooked at runtime.
I don't have the source of the executable
and I need to do something like this
app1 -> hooked app (this application) -> hooking dll (injecting dll)
What can be done in order to let the hooked app trigger the hooking functionality right after app1 calls
hooked app?
-
December 3rd, 2016, 12:24 AM
#5
Re: DLLMain (DLL Attach) not called?
Hello coming back,
Know that I have created a hooker to intercept all calls from the windows 7 explorer shell (hacked one)
to windows 7 itself.
I intercept all calls that are associated with registry.
Funny enough is when there are registry calls allowed, I can see the taskbar, but the theme is windows basic
When I disable all registry calls, there is no taskbar at all.
I was wondering,
1) how can I tweak the registry calls in order to display any themes I like to the current instance of windows explorer
(I have thought about using the sandbox, is it possible?)
2) how can I interpret the registry calls, when I do something like
Code:
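LSTATUS
APIENTRY
HookedRegOpenKeyW(
    __in HKEY hKey,
    __in_opt LPCWSTR lpSubKey,
    __out PHKEY phkResult
    )
{
    // Forward the call to the real API and keep its status.
    LSTATUS status = ::RegOpenKeyW(hKey, lpSubKey, phkResult);
    // Log the handle and sub-key arguments as the stream formats them.
    std::stringstream oss;
    oss << "RegOpenKeyW = " << hKey << " " << lpSubKey << std::endl;
    //////OutputDebugString(oss.str().c_str());
    logfile.write(oss.str().c_str(), oss.str().length());
    logfile.flush();
    // Return the real result so a failed open is not reported as success.
    return status;
}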
I get all hex numbers, I don't know what they mean
RegOpenKeyW = 80000002 00422A08
How do I turn this into some meaningful text?
Thanks
Jack
Last edited by luckiejacky; December 3rd, 2016 at 05:48 AM.
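An added example, not part of the original thread: in the logged line `RegOpenKeyW = 80000002 00422A08`, the first value is the predefined root handle HKEY_LOCAL_MACHINE and the second is the address of the wide sub-key string, which a narrow stream prints as a pointer. The helper names (`RootKeyName`, `Narrow`, `FormatRegOpen`) and the sample sub-key are hypothetical, and the code is written as portable C++ so it also builds off Windows.

```cpp
#include <cstdint>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Predefined root-key handles from winreg.h. 64-bit builds sign-extend them.
const char* RootKeyName(std::uint64_t h) {
    const std::uint64_t hi = h >> 32;
    if (hi != 0 && hi != 0xFFFFFFFFu) return nullptr;
    switch (static_cast<std::uint32_t>(h)) {
    case 0x80000000u: return "HKEY_CLASSES_ROOT";
    case 0x80000001u: return "HKEY_CURRENT_USER";
    case 0x80000002u: return "HKEY_LOCAL_MACHINE";
    case 0x80000003u: return "HKEY_USERS";
    case 0x80000004u: return "HKEY_PERFORMANCE_DATA";
    case 0x80000005u: return "HKEY_CURRENT_CONFIG";
    default:          return nullptr;  // a handle returned by an earlier open
    }
}

// Copy a wide string into a narrow log line; non-ASCII is escaped as \uXXXX.
// (On Windows, WideCharToMultiByte(CP_UTF8, ...) would give real UTF-8.)
std::string Narrow(const wchar_t* s) {
    std::ostringstream out;
    for (; s && *s; ++s) {
        const unsigned long c = static_cast<unsigned long>(*s);
        if (c >= 0x20 && c < 0x7F) out << static_cast<char>(c);
        else out << "\\u" << std::hex << std::uppercase
                 << std::setw(4) << std::setfill('0') << c;
    }
    return out.str();
}

// In the hook: FormatRegOpen(reinterpret_cast<std::uintptr_t>(hKey), lpSubKey)
std::string FormatRegOpen(std::uint64_t hKey, const wchar_t* subKey) {
    std::ostringstream out;
    out << "RegOpenKeyW = ";
    if (const char* name = RootKeyName(hKey)) out << name;
    else out << "handle 0x" << std::hex << std::uppercase << hKey;
    const std::string path = Narrow(subKey);  // lpSubKey may be NULL (__in_opt)
    if (!path.empty()) out << '\\' << path;
    return out.str();
}

int main() {
    // Constructed sample: the page shows only the pointer, not the sub-key text.
    std::cout << FormatRegOpen(0x80000002u, L"SOFTWARE\\Example") << '\n';
}
```

Handles that are not predefined roots come from earlier open calls, so resolving them to a full path means recording the path for each `*phkResult` when the open succeeds.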
-
December 4th, 2016, 01:10 PM
#6
Re: DLLMain (DLL Attach) not called?
I wonder how long it would take for you to understand the situation. Explorer is not a part of WinAPI, therefore, has no publicly documented design and behavior (except the topic of shell extensions). It is a standalone proprietary app. The app sources are closed by MS, and the vendor is free to change anything in it with any service pack released. Nobody here but you is interested in the topic. You are on your own. Wrong forum, sorry.
Best regards,
Igor