Callstack from Windows PE loader to Dll entrypoint ?

Hi everyone,

Could anyone tell me (or direct me to some resources which could) what functions the Windows PE loader calls to load and initiate DLLs (i.e. call their entrypoint) when resolving the IAT of a new process?

I was under the impression that it would be something like LoadLibraryExW or even LdrLoadDll, but I cannot find them on the call stack (from my DllMain)…

Best regards,
William

When you are in your DllMain, all of the IAT would have already been resolved by the loader.

If you want to watch import DLL loading, you have to stop after ntdll loads but before it reaches the system breakpoint (the first default breakpoint).

Open calc.exe in windbg and type the command

sxe ld ntdll ; .restart

windbg will restart calc and stop on the ntdll module load.

Now set a breakpoint on ntdll!LdrLoadDll and you will see the first import resolved with kernel32.dll; see below for a sample flow.

restart for catching load module event

0:000> sxe ld ntdll ; .restart

ntdll!RtlUserThreadStart:
775270d8 89442404 mov dword ptr [esp+4],eax ss:0023:001ff8c0=00000000

set a breakpoint on ntdll!LdrLoadDll after ntdll is loaded and continue

0:000> bp ntdll!LdrLoadDll
0:000> g
Breakpoint 0 hit

bp is hit and ntdll is resolving kernel32.dll import

LdrpLoadDll has a prototype of (beware: this might be an undocumented prototype), so the third argument is the UnicodeString of the module name to be loaded and the fourth argument is the HMODULE that would be received:

NTSYSAPI NTSTATUS
LdrLoadDll(
    IN PWCHAR PathToFile OPTIONAL,
    IN ULONG Flags OPTIONAL,
    IN PUNICODE_STRING ModuleFileName,
    OUT PHANDLE ModuleHandle );

ntdll!LdrLoadDll:
775422ae 8bff mov edi,edi

0:000> dd esp l5
001ff410 77547d33 00000000 00000000 77547de0
001ff420 001ff4c4

Let's check which imported module is being loaded:

0:000> dS poi(esp+c)
77528230 "kernel32.dll"

Let's set a data write breakpoint on the in argument which would receive the HMODULE:

0:000> ba w4 poi(esp+10)

0:000> g
ModLoad: 76d90000 76e64000 C:\Windows\system32\kernel32.dll
Breakpoint 0 hit

ntdll!LdrLoadDll:

0:000> g

ModLoad: 758c0000 7590a000 C:\Windows\system32\KERNELBASE.dll
Breakpoint 1 hit

ntdll!LdrLoadDll+0xa3:

The data breakpoint stops one instruction past the write:

0:000> ub
ntdll!LdrLoadDll+0x8d:
7754231d e86bd9ffff call ntdll!LdrpLoadDll (7753fc8d)
77542322 8bf0 mov esi,eax
77542324 85f6 test esi,esi
77542326 7c0b jl ntdll!LdrLoadDll+0xa3 (77542333)
77542328 8b4510 mov eax,dword ptr [ebp+10h]
7754232b 8b4018 mov eax,dword ptr [eax+18h]
7754232e 8b4d14 mov ecx,dword ptr [ebp+14h]
77542331 8901 mov dword ptr [ecx],eax   << this caused the data write breakpoint to fire, so eax holds whatever was written

0:000> r eax
eax=76d90000

0:000> lm a @eax
Browse full module list
start end module name
76d90000 76e64000 kernel32 (pdb symbols) \kernel32.pdb

Only kernel32, its dependency, and Avast's hook DLL have been loaded up to now. LdrLoadDll will now fire for all dependencies.

0:000> lm
start end module name
00460000 00520000 calc (deferred)
686d0000 686ff000 aswhookx (deferred)
758c0000 7590a000 KERNELBASE (deferred)
76d90000 76e64000 kernel32 (pdb symbols) kernel32.pdb
774e0000 7761c000 ntdll (pdb symbols) ntdll.pdb
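
As an added example (not part of the reply above), the same procedure collapsed into a WinDbg command sequence that logs every LdrLoadDll call made while the loader resolves the imports of calc.exe, together with the frames that called it. It assumes the 32-bit stack layout seen in the trace above ([esp+c] = ModuleFileName, [esp+10] = ModuleHandle) and a writable c:\temp for the log file; the x64 register variant is noted in a comment.

```windbg
$$ Added example, not from the reply: record which modules the loader
$$ pulls in through ntdll!LdrLoadDll before the initial breakpoint,
$$ and who called it each time. Assumes the x86 layout from the trace
$$ above and that c:\temp exists (both are assumptions of this example).
.logopen c:\temp\ldrload.log
.symfix
$$ Break on the ntdll load event and restart calc.exe so we stop before
$$ any import has been resolved (same as the reply's first step).
sxe ld ntdll ; .restart
$$ Every hit: print the UNICODE_STRING in the third argument, show the
$$ four nearest caller frames (these are the loader-internal functions
$$ the original question asked about), then continue automatically.
bp ntdll!LdrLoadDll "dS poi(esp+c); kc 4; gc"
$$ On x64 the third argument is in r8 instead:
$$ bp ntdll!LdrLoadDll "dS @r8; kc 4; gc"
g
$$ When the initial breakpoint is reached the log holds one
$$ name + caller stack per DLL that the loader brought in.
.logclose
```

Run it from a fresh windbg session on calc.exe; the log then shows, per imported DLL, the ntdll frames that sit between the loader and the DLL entrypoint.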

On 7/15/18, xxxxx@gmail.com wrote:
> Hi everyone,
>
> Could anyone tell me (or direct me to some resources which could) what
> functions the Windows PE loader calls to load and initiate DLLs (i.e. call
> their entrypoint) when resolving the IAT of a new process?
>
> I was under the impression that it would be something like LoadLibraryExW or
> even LdrLoadDll, but I cannot find them on the call stack (from my
> DllMain)…
>
> Best regards,
> William