OSR Online Lists > ntdev
  Message 1 of 2  
15 Jul 18 13:37
wlecat3
xxxxxx@gmail.com
Join Date: 15 Jul 2018
Posts To This List: 1
Callstack from Windows PE loader to Dll entrypoint ?

Hi everyone,

Could anyone tell me (or direct me to some resources which could) what functions the Windows PE loader calls to load and initiate DLLs (i.e. call their entrypoint) when resolving the IAT of a new process? I was under the impression that it would be something like LoadLibraryExW or even LdrLoadDll, but I cannot find them on the call stack (from my DllMain)...

Best regards,
William
  Message 2 of 2  
17 Jul 18 15:36
raj r
xxxxxx@gmail.com
Join Date: 20 Jul 2006
Posts To This List: 322
Callstack from Windows PE loader to Dll entrypoint ?

When you are in your DllMain, all IATs would have already been resolved by the loader. If you want to watch import DLL loading, you have to stop after ntdll loads but before it reaches the system breakpoint (first default breakpoint). Open calc.exe in windbg, type the command sxe ld ntdll ; .restart, and windbg will restart calc and stop on the ntdll module load. Now set a breakpoint on ntdll!LdrLoadDll and you will see the first import resolved with kernel32.dll. See below for a sample flow.

restart for catching load module event

0:000> sxe ld ntdll ; .restart
ntdll!RtlUserThreadStart:
775270d8 89442404        mov     dword ptr [esp+4],eax ss:0023:001ff8c0=00000000

set a breakpoint on ntdll!LdrLoadDll after ntdll is loaded and continue

0:000> bp ntdll!LdrLoadDll
0:000> g
Breakpoint 0 hit

bp is hit and ntdll is resolving the kernel32.dll import. LdrLoadDll has the prototype below (beware, might be an undocumented prototype), so the third argument is the UNICODE_STRING of the module name to be loaded and the fourth argument is the HMODULE that would be received:

NTSYSAPI NTSTATUS LdrLoadDll(
    IN PWCHAR PathToFile OPTIONAL,
    IN ULONG Flags OPTIONAL,
    IN PUNICODE_STRING ModuleFileName,
    OUT PHANDLE ModuleHandle
);

ntdll!LdrLoadDll:
775422ae 8bff            mov     edi,edi
0:000> dd esp l5
001ff410  77547d33 00000000 00000000 77547de0
001ff420  001ff4c4

let's check which imported module is being loaded

0:000> dS poi(esp+c)
77528230  "kernel32.dll"

let's set a data write breakpoint on the out argument which would receive the HMODULE

0:000> ba w4 poi(esp+10)
0:000> g
ModLoad: 76d90000 76e64000   C:\Windows\system32\kernel32.dll
Breakpoint 0 hit
ntdll!LdrLoadDll:
0:000> g
ModLoad: 758c0000 7590a000   C:\Windows\system32\KERNELBASE.dll
Breakpoint 1 hit
ntdll!LdrLoadDll+0xa3:

the data breakpoint stops 1 instruction past the write

0:000> ub
ntdll!LdrLoadDll+0x8d:
7754231d e86bd9ffff      call    ntdll!LdrpLoadDll (7753fc8d)
77542322 8bf0            mov     esi,eax
77542324 85f6            test    esi,esi
77542326 7c0b            jl      ntdll!LdrLoadDll+0xa3 (77542333)
77542328 8b4510          mov     eax,dword ptr [ebp+10h]
7754232b 8b4018          mov     eax,dword ptr [eax+18h]
7754232e 8b4d14          mov     ecx,dword ptr [ebp+14h]
77542331 8901            mov     dword ptr [ecx],eax   << this caused the data write breakpoint to fire

so eax holds whatever was written

0:000> r eax
eax=76d90000
0:000> lm a @eax
Browse full module list
start    end        module name
76d90000 76e64000   kernel32   (pdb symbols)   \kernel32.pdb

only kernel32, its dependency and Avast's hook dll have been loaded up to now; LdrLoadDll will fire now for all dependencies

0:000> lm
start    end        module name
00460000 00520000   calc       (deferred)
686d0000 686ff000   aswhookx   (deferred)
758c0000 7590a000   KERNELBASE (deferred)
76d90000 76e64000   kernel32   (pdb symbols)   kernel32.pdb
774e0000 7761c000   ntdll      (pdb symbols)   ntdll.pdb

On 7/15/18, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
> Hi everyone,
>
> Could anyone tell me (or direct me to some resources which could) what
> functions the Windows PE loader calls to load and initiate DLL (i.e. call
> their entrypoint) when resolving the IAT of a new process ?
>
> I was under the impression that it would be something like LoadLibraryExW or
> even LdrLoadDll but I cannot find them one the call stack (from my
> DllMain)...
>
<...excess quoted lines suppressed...>
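The flow above, collected into a WinDbg command sequence that traces every LdrLoadDll call at process start instead of single-stepping through the first one. This is an added example and not part of the original reply; it assumes a 32-bit target (arguments on the stack at esp+4.., as in the session above; on x64 they arrive in rcx/rdx/r8/r9) and a user-mode WinDbg session with ntdll symbols, and the stack-slot layout in the comments is taken from the dd esp output in the reply. The `k 3` at each hit gives the caller chain the original question asked about, so each import load can be tied back to the loader routine that requested it, and the final module list can be compared against the trace to spot any DLL that was pulled in without a matching import (the aswhookx entry in the reply is an example of such an injected module).

```windbg
$$ Added example; not from the original post. Typed into a user-mode WinDbg
$$ session attached to a 32-bit target (stack args, as in the session above).

$$ 1. Stop at the ntdll module-load event, before the initial breakpoint,
$$    so no import has been resolved yet.
sxe ld ntdll
.restart

$$ 2. Once stopped on the ntdll load, trace every LdrLoadDll call.
$$    Stack layout at function entry (from the dd esp output above):
$$      [esp]      return address
$$      [esp+4]    PathToFile      (arg 1)
$$      [esp+8]    Flags           (arg 2)
$$      [esp+c]    ModuleFileName  (arg 3, PUNICODE_STRING)
$$      [esp+10]   ModuleHandle    (arg 4, receives the HMODULE)
$$    Print the requested module name and a 3-frame stack, then resume (gc).
bp ntdll!LdrLoadDll ".echo === LdrLoadDll ===; dS poi(@esp+c); k 3; gc"

$$ 3. Run to the initial breakpoint; each import resolution (kernel32.dll
$$    first) prints its name and the caller chain as it happens.
g

$$ 4. At the initial breakpoint, compare the loaded-module list with the
$$    trace: every entry should correspond to a LdrLoadDll hit or to a
$$    dependency of one.
lm
```

If a single load needs the same close look as the reply's kernel32.dll case, replace the trace breakpoint's `gc` with a plain stop, then use `ba w4 poi(@esp+10)` exactly as shown in the reply to catch the HMODULE being written back.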