1

Topic: API before calling DllMain

Do I understand correctly that if I want to intercept, during DLL loading, a call to a certain function from kernel32.dll before DllMain is called, I have three ways:
1) Splicing the function from kernel32.dll.
2) Starting the process in debug mode, waiting in WaitForDebugEvent for LOAD_DLL_DEBUG_EVENT, and then modifying the IAT.
3) Writing a loader DLL in which the IAT will be modified.

2

Re: API before calling DllMain

Hello, Aniskin, you wrote:
A> Do I understand correctly that if I want to intercept, during DLL loading, a call to a certain function from kernel32.dll before DllMain is called, I have three ways:
The SHIM mechanism (Application Verifier): https://github.com/ionescu007/HookingNi … Hooks.pdf, section "AVRF Hooks" through to the end of the document. PoC: https://github.com/ionescu007/HookingNi … /verif.dll

3

Re: API before calling DllMain

A> 1) Splicing the function from kernel32.dll.
A> 2) Starting the process in debug mode, waiting in WaitForDebugEvent for LOAD_DLL_DEBUG_EVENT, and then modifying the IAT.
A> 3) Writing a loader DLL in which the IAT will be modified.
For judges: 4.a) LdrRegisterDllNotification +  DllMain + IAT modification from  before DllMain.
For brave judges: 4.b) LdrRegisterDllNotification + patching EntryPoint in the corresponding LDR_DATA_TABLE_ENTRY + IAT modification from  before DllMain.
And can't that archiver be launched in a separate process anyway?
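The "IAT modification" step that options 2, 3 and 4.a all end in, as an added example in C (it is not code from the thread or from TC4Shell). It walks the import directory of a module mapped at `image`, finds the slot for a named import from a given DLL and overwrites it with a hook address, returning the original address so the hook can call through. The PE structures are re-declared minimally with the same layout as the Windows headers so the walker also compiles on a non-Windows host; the sample image, the "KERNEL32.dll" import list and the fake resolved addresses are constructed for the demonstration. In a real process the routine would run from the LdrRegisterDllNotification callback (option 4.a) on the DllBase it receives, after a VirtualProtect of the IAT page, which the portable version omits; it handles PE32+ (64-bit) images only.

```c
/* Added example: redirect one IAT slot of a mapped PE32+ module so that its calls
 * to a named kernel32 import go to a hook. Structures re-declared minimally, with
 * the Windows layout; only the fields the walker needs are named. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint16_t e_magic; uint8_t pad[58]; int32_t e_lfanew; } DosHeader;     /* 64 bytes */
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp,
                 PointerToSymbolTable, NumberOfSymbols; uint16_t SizeOfOptionalHeader,
                 Characteristics; } FileHeader;                                        /* 20 bytes */
typedef struct { uint16_t Magic; uint8_t rest[110]; DataDir DataDirectory[16]; } OptHeader64; /* 240 bytes */
typedef struct { uint32_t Signature; FileHeader File; OptHeader64 Opt; } NtHeaders64;
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDesc;
typedef struct { uint16_t Hint; char Name[]; } ImportByName;

#define IMAGE_DIRECTORY_ENTRY_IMPORT 1
#define IMAGE_ORDINAL_FLAG64 (1ULL << 63)

static int ieq(const char *a, const char *b)     /* case-insensitive: "KERNEL32.dll" == "kernel32.dll" */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Redirect the import `func` from `dll` in the module mapped at `image`.
 * Returns 1 and stores the previous slot value (the real function address,
 * needed to call through to the original) in *orig; 0 if not found. */
int iat_patch(uint8_t *image, const char *dll, const char *func, uint64_t hook, uint64_t *orig)
{
    const DosHeader *dos = (const DosHeader *)image;
    if (dos->e_magic != 0x5A4D) return 0;                                  /* "MZ" */
    const NtHeaders64 *nt = (const NtHeaders64 *)(image + dos->e_lfanew);
    if (nt->Signature != 0x00004550 || nt->Opt.Magic != 0x20B) return 0;  /* "PE\0\0", PE32+ only */
    const DataDir *dir = &nt->Opt.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (dir->VirtualAddress == 0) return 0;                                /* module imports nothing */
    for (const ImportDesc *d = (const ImportDesc *)(image + dir->VirtualAddress); d->Name; d++) {
        if (d->OriginalFirstThunk == 0 || !ieq((const char *)image + d->Name, dll)) continue;
        /* The INT (OriginalFirstThunk) still carries the names; the IAT (FirstThunk)
         * holds the addresses the module calls through. Walk them in lockstep. */
        const uint64_t *names = (const uint64_t *)(image + d->OriginalFirstThunk);
        uint64_t *slots = (uint64_t *)(image + d->FirstThunk);
        for (; *names; names++, slots++) {
            if (*names & IMAGE_ORDINAL_FLAG64) continue;                   /* imported by ordinal, no name */
            const ImportByName *ibn = (const ImportByName *)(image + (uint32_t)*names);
            if (strcmp(ibn->Name, func) != 0) continue;
            /* On Windows the IAT page is read-only once the loader is done: VirtualProtect
             * it to PAGE_READWRITE before this store (not needed for the plain buffer below). */
            if (orig) *orig = *slots;
            *slots = hook;
            return 1;
        }
    }
    return 0;
}

/* Constructed fixture: a tiny PE32+ image importing CreateFileW and CloseHandle
 * from KERNEL32.dll, with the IAT already "resolved" to made-up addresses. */
enum { RVA_NT = 0x40, RVA_DESC = 0x200, RVA_DLL = 0x300, RVA_INT = 0x400,
       RVA_IAT = 0x500, RVA_FN0 = 0x600, RVA_FN1 = 0x620 };
#define FAKE_CREATEFILEW 0x7FF800001000ULL
#define FAKE_CLOSEHANDLE 0x7FF800002000ULL
static uint64_t g_storage[0x100];                /* uint64_t so the image base is 8-byte aligned */

uint8_t *build_sample_image(void)
{
    uint8_t *img = (uint8_t *)g_storage;
    memset(img, 0, sizeof g_storage);
    DosHeader *dos = (DosHeader *)img;
    dos->e_magic = 0x5A4D; dos->e_lfanew = RVA_NT;
    NtHeaders64 *nt = (NtHeaders64 *)(img + RVA_NT);
    nt->Signature = 0x00004550; nt->Opt.Magic = 0x20B;
    nt->Opt.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = RVA_DESC;
    nt->Opt.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = 2 * sizeof(ImportDesc);
    ImportDesc *d = (ImportDesc *)(img + RVA_DESC);  /* d[1] stays all-zero: the terminator */
    d->OriginalFirstThunk = RVA_INT; d->Name = RVA_DLL; d->FirstThunk = RVA_IAT;
    strcpy((char *)img + RVA_DLL, "KERNEL32.dll");
    uint64_t *intab = (uint64_t *)(img + RVA_INT), *iat = (uint64_t *)(img + RVA_IAT);
    intab[0] = RVA_FN0; intab[1] = RVA_FN1;          /* intab[2] == 0 terminates the list */
    iat[0] = FAKE_CREATEFILEW; iat[1] = FAKE_CLOSEHANDLE;
    strcpy((char *)img + RVA_FN0 + 2, "CreateFileW");  /* 2-byte Hint, then the name */
    strcpy((char *)img + RVA_FN1 + 2, "CloseHandle");
    return img;
}

uint64_t iat_slot(const uint8_t *image, int i) { return ((const uint64_t *)(image + RVA_IAT))[i]; }

int main(void)
{
    uint8_t *img = build_sample_image();
    uint64_t orig = 0, hook = 0x7FF900000000ULL;     /* stands in for &MyCreateFileW */
    int ok = iat_patch(img, "kernel32.dll", "CreateFileW", hook, &orig);
    printf("patched=%d original=%#llx slot now=%#llx\n", ok,
           (unsigned long long)orig, (unsigned long long)iat_slot(img, 0));
    return ok ? 0 : 1;
}
```

Two points matter when this is done for real rather than on the fixture: the walker deliberately skips descriptors whose OriginalFirstThunk is zero, because for those the loader has already overwritten the only name table with addresses and nothing can be matched by name; and a module that reaches kernel32 through a forwarder or calls GetProcAddress at runtime has no IAT slot to patch, which is why the thread also mentions splicing and the kernel32 proxy-DLL articles.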

4

Re: API before calling DllMain

Hello, ononim, you wrote:
O> And can't that archiver be launched in a separate process anyway?
For the situation in which I needed to intercept the API before the DllMain call, "that archiver" is already in a separate process, more precisely in a separate COM server.

5

Re: API before calling DllMain

Hello, Aniskin, you wrote:
A> Do I understand correctly that if I want to intercept, during DLL loading, a call to a certain function from kernel32.dll before DllMain is called, I have three ways:
What DLL? How is it loaded? What function from kernel32? What do you need it for at all? I think if the situation were known more closely, there would be many more options.

6

Re: API before calling DllMain

Hello, rumit7, you wrote:
R> I think if the situation were known more closely, there would be many more options.
I have a project, widely known in narrow circles: TC4Shell. The essence of the project is working with various archives in Explorer as with ordinary folders. The project is essentially a wrapper over various third-party DLLs, such as 7z.dll and unrar.dll. In addition, the ability to connect WCX plug-ins from Total Commander is implemented. All of it works. I decided to add support for plug-ins from FAR. Added it too. And again everything works, including emulation of the FAR dialog API. But there is one point. Since FAR itself and its plug-ins work in the console, I need to intercept and emulate the API layer that works with the console. I did that, but found that some plug-ins call the console API in DllMain. For example, the NetBox plug-in calls CreateFile("CONIN$") and saves the received handle in its stash, which it then uses (in particular) when calling Peek/ReadConsoleInput. But since there is no console in Explorer, CreateFile returns INVALID_HANDLE_VALUE, and my intercepted Peek/ReadConsoleInput also receives INVALID_HANDLE_VALUE. At the moment I do it like this: if INVALID_HANDLE_VALUE comes to me, I consider it my correct handle and process it accordingly. But it is kind of ugly. So I want to try to intercept the API not after LoadLibrary, but before the DllMain call. And I intercept a lot: CreateFileA/W, CloseHandle, and practically everything from the list. Something like that.

7

Re: API before calling DllMain

Hello, Aniskin, you wrote:
A> I have a project, widely known in narrow circles: TC4Shell.
Thanks, cool.

8

Re: API before calling DllMain

Hello, Aniskin, you wrote:
A> So I want to try to intercept the API not after LoadLibrary, but before the DllMain call.
Then, in addition, interception of NtMapViewOfSection; it works out roughly like this:
LoadLibrary->LdrLoadDll->LdrpFindOrMapDll->LdrpMapViewOfSection->NtMapViewOfSection...
LoadLibrary->LdrLoadDll->...->LdrpCallInitRoutine->DllMain
It remains, after calling the original NtMapViewOfSection, to find out the name of the section and, if necessary, "do bad deeds further". But the principle is the same as ononim's above (Author: ononim, Date: 28.09 23:51).
A> And I intercept a lot: CreateFileA/W, CloseHandle, and practically everything from the list. Something like that.
Well, just in case I'll drop these here, they may be your case:
Faking KERNEL32.DLL - an Amateur Sandbox
Using Pragmas to Create a Proxy DLL
Forwarded DLL Exports and an Interesting Loader Behaviour

9

Re: API before calling DllMain

A> but found that some plug-ins call the console API in DllMain.
Well, if "that archiver" really is in a separate process, wouldn't it be easier to just hand it a console via AllocConsole? By the way, it doesn't even have to be visible: you can hide its window, or launch the process on a non-interactive desktop, and if you want to know what it draws there, periodically read the contents with ReadConsoleOutput().

10

Re: API before calling DllMain

Hello, Aniskin, you wrote:
A> 1) Splicing the function from kernel32.dll.
A> 2) Starting the process in debug mode, waiting in WaitForDebugEvent for LOAD_DLL_DEBUG_EVENT, and then modifying the IAT.
A> 3) Writing a loader DLL in which the IAT will be modified.
There was such a topic: http://www.rsdn.org/forum/asm/6681483.1 Andrey, it's laid out, have a look.

11

Re: API before calling DllMain

Hello, ononim, you wrote:
O> wouldn't it be easier to just hand it a console via AllocConsole? By the way, it doesn't even have to be visible: you can hide its window
If you call AllocConsole and then hide the console window, the window flickers. Not pretty.
O> or launch the process on a non-interactive desktop
I use COM servers (simplicity of implementation, convenience of calling callback functions from the server in the client application), i.e. the process is launched not by me but by the COM subsystem.
O> if you want to know what it draws there, periodically read the contents with ReadConsoleOutput()
For a correct UI, I need function interception.

12

Re: API before calling DllMain

Hello, BLov, you wrote:
BL> There was such a topic: http://www.rsdn.org/forum/asm/6681483.1
BL> Andrey, it's laid out, have a look.
Looked. Realized how little I know about this life... It's too difficult for me, I won't master it.

13

Re: API before calling DllMain

Hello, Aniskin, you wrote:
A> Hello, ononim, you wrote:
O>> wouldn't it be easier to just hand it a console via AllocConsole? By the way, it doesn't even have to be visible: you can hide its window
A> If you call AllocConsole and then hide the console window, the window flickers. Not pretty.
Well, it's not ugly everywhere; it can be done nicely too. At process creation you can pass the handles for input/output through the STARTUPINFO structure. Normal  are passed there. No window will exist.

14

Re: API before calling DllMain

Hello, Aniskin, you wrote:
O>> or launch the process on a non-interactive desktop
A> I use COM servers (simplicity of implementation, convenience of calling callback functions from the server in the client application), i.e. the process is launched not by me but by the COM subsystem.
It's possible for that process to be a COM service; true, installing (registering) such a service requires administrator rights (but only the registration).

15

Re: API before calling DllMain

Hello, Denwer, you wrote:
A>> If you call AllocConsole and then hide the console window, the window flickers. Not pretty.
D> Well, it's not ugly everywhere; it can be done nicely too. At process creation you can pass the handles for input/output through the STARTUPINFO structure. Normal  are passed there. No window will exist.
Thanks for the advice, but as I already wrote, I don't need the console as such. I need function interception.

16

Re: API before calling DllMain

Hello, Alexander G, you wrote:
AG> It's possible for that process to be a COM service; true, installing (registering) such a service requires administrator rights (but only the registration).
And where can I read about it?

17

Re: API before calling DllMain

Hello, Aniskin, you wrote:
A> And where can I read about it?
Here. An object written as a service is installed for use by COM by establishing a LocalService value under its AppID key and performing a standard service installation. (I've actually never done it manually; with ATL it's all in the Wizard: ATL Project, in Application Settings select Service, and everything works.)