How to avoid DLL Main? [duplicate] - c++

My question is really above, I will give more information on this below however:
I have a program which first takes my "false" d3d9.dll, this DLL is then loaded into the game I am reverse engineering. After the some time and the .dll is loaded, along with all the other games dependencies I want to inject my DLL which will do all the dirty work of the reverse engineering.
I think I can load this DLL into the program using LoadLibrary, however when I'm using the DLL I injected to run the main reverse engineered code. Is there a function I can use to call something from the d3d9.dll?
This is because I still need access to the d3d9 library to render things I may want to add on the screen with my injected .dll. I also don't want to just use the d3d9.dll as this will cause problems with loading times, and the point at which memory is changed.
I also don't plan on using DllMain in the DLL, this means I will also need to call a remote function from the d3d9.dll to the injected DLL in order to ensure a safe process start.
Sorry if this is a stupid question, however thanks for any answers.

Back in the old days we use to CreateRemoteThread and use LoadLibraryA as the address for lpStartAddress (This address happens to be the same in all processes). The trick was to allocate the DLL name you are injecting using VirtualAllocEx and use that as lpParameter. Effectively your thread calls LoadLibraryA with the DLL name you want to inject. When the Dll loads Dllmain gets called and you can run code in Dllmain during a time that the dll is being attached (DLL_PROCESS_ATTACH).
This link has some very good information on doing just that. However this technique relies on a Dllmain function. If you can use Dllmain then this mechanism may work. A summary of the steps from that article gives an overview:
Now, we can summarize this technique in the following steps:
Retrieve a HANDLE to the remote process (OpenProces).
Allocate memory in the remote process's address space for injected data (VirtualAllocEx).
Write a copy of the initialised INJDATA structure to the allocated memory (WriteProcessMemory).
Allocate memory in the remote process's address space for injected code.
Write a copy of ThreadFunc to the allocated memory.
Start the remote copy of ThreadFunc via CreateRemoteThread.
Wait until the remote thread terminates (WaitForSingleObject).
Retrieve the result from the remote process (ReadProcessMemory or GetExitCodeThread).
Free the memory allocated in Steps #2 and #4 (VirtualFreeEx).
Close the handles retrieved in Steps #6 and #1 (CloseHandle).
I saw your comment about too much information. Not sure I quite understand. However Dllmain has some restrictions like most Win32 API calls can't be used. There are some exceptions and one being CreateThread. Had you considered spinning off a thread to do work? If you use CreateThread in a Dllmain it effectively gets blocked until Dllmain exits. So once Dllmain returns the Thread will execute.

Related

Prevent GDI leaks in dll

There is a graphical library which is used in a dll, loaded into a process. It seems the library leaks (during loading/unloading several times GDI handle count in the Process Explorer property dialog constantly grows for the whole process).
Is there a way to store all GDI handles created by the dll in a process to delete them all after the dll is unloaded? Say, hook CreateBitmap() and so on? But how to determine whether the resource is being created by our dll, not the process itself?
Regards,
Is there a way to store all GDI handles created by the dll in a process to delete them all after the dll is unloaded? Say, hook CreateBitmap() and so on? But how to determine whether the resource is being created by our dll, not the process itself?
No. You are going to need to fix this problem at source. If the DLL really is leaking handles, you have to fix the DLL.
A way to close all handles open by the DLL and release all resources is in usage of a separate process which loads the DLL and terminates after the DLL is unloaded. So you can evaluate which effort is larger: to fix the DLL, to find another DLL (which doesn't leak and perhaps doesn't have many other pitfalls), or to implement inter-process communication to release the handles and still use the DLL. If you choose the latter way, you could transfer the bitmaps drawn between the processes using a block of shared memory, synchronize using named events, etc. .
To determine the caller you have to get stack trace for each call, look at RtlCaptureStackBackTrace.
Another way I would try to do is to modify this DLL (I assume that you have a DLL binary only, not source code: otherwise you could fix the leaks) to make it use say GDI33.DLL instead of GDI32.dll. Then you create GDI33.DLL that exports those functions that are used by that dll. GDI33.DLL forwards calls to GDI32.dll and collects GDI object handles.

Injecting a hook DLL into a process before its imports get called?

I have a target process which loads a DLL before its main code gets called. It accomplishes this through a DLL whose name was added to the file's ImportsTable (using StudPE). My goal is to create a hook DLL that will be injected into this process and intercept its calls before it loads its imports. So the target process will load my hook dll before its security DLL. I tried using the conventional method but I hadn't success because the security DLL always gets called before my hook DLL's DllMain is called. Can anybody tell me a method to solve this issue?
You can create the target process suspended and use CreateRemoteThread() for injection, but mind the following limitations:
You should copy the thread main routine for the remote thread to the address space of the target process.
This code cannot contain any external references (e.g. CRTL or direct WinApi calls). I would usually limit this code to loading of the DLL and either executing function from it, or relying on the DllMain to do the job you need. In order to call LoadLibrary and GetProcAddress methods, I obtain their addresses and copy structure containing this information to the target process and pass the address of the remote structure as an argument for the thread main routine in CreateRemoteThread(). You can use VirtualAllocEx() to allocate memory in the remote process.
Remote thread in this situation will be executed before main thread, including process and some Win32/64 initialization. Therefore, not every Win32 API is safe to call in this condition.
If the target process is spawned by someone else, you have to intercept its creation before it is initialized. There are some ways to do that, all of them are undocumented and therefore not future proof.
The DLL are loaded sequentially in the same order as the imports entries in the PE header. Most PE editors will let you reorder the imports. You should also note that if another DLL X has dependencies on the security DLL, then it will be loaded at the same time as DLL X. Also, if security DLL is using static loading, hooking by modifying the import tables at runtime should still be effective even if your DLL is loaded later, though you will miss the calls done in the meantime (but there shouldn't be any).

How can I call a function from another .dll which is injected to the same program?

My question is really above, I will give more information on this below however:
I have a program which first takes my "false" d3d9.dll, this DLL is then loaded into the game I am reverse engineering. After the some time and the .dll is loaded, along with all the other games dependencies I want to inject my DLL which will do all the dirty work of the reverse engineering.
I think I can load this DLL into the program using LoadLibrary, however when I'm using the DLL I injected to run the main reverse engineered code. Is there a function I can use to call something from the d3d9.dll?
This is because I still need access to the d3d9 library to render things I may want to add on the screen with my injected .dll. I also don't want to just use the d3d9.dll as this will cause problems with loading times, and the point at which memory is changed.
I also don't plan on using DllMain in the DLL, this means I will also need to call a remote function from the d3d9.dll to the injected DLL in order to ensure a safe process start.
Sorry if this is a stupid question, however thanks for any answers.
Back in the old days we use to CreateRemoteThread and use LoadLibraryA as the address for lpStartAddress (This address happens to be the same in all processes). The trick was to allocate the DLL name you are injecting using VirtualAllocEx and use that as lpParameter. Effectively your thread calls LoadLibraryA with the DLL name you want to inject. When the Dll loads Dllmain gets called and you can run code in Dllmain during a time that the dll is being attached (DLL_PROCESS_ATTACH).
This link has some very good information on doing just that. However this technique relies on a Dllmain function. If you can use Dllmain then this mechanism may work. A summary of the steps from that article gives an overview:
Now, we can summarize this technique in the following steps:
Retrieve a HANDLE to the remote process (OpenProces).
Allocate memory in the remote process's address space for injected data (VirtualAllocEx).
Write a copy of the initialised INJDATA structure to the allocated memory (WriteProcessMemory).
Allocate memory in the remote process's address space for injected code.
Write a copy of ThreadFunc to the allocated memory.
Start the remote copy of ThreadFunc via CreateRemoteThread.
Wait until the remote thread terminates (WaitForSingleObject).
Retrieve the result from the remote process (ReadProcessMemory or GetExitCodeThread).
Free the memory allocated in Steps #2 and #4 (VirtualFreeEx).
Close the handles retrieved in Steps #6 and #1 (CloseHandle).
I saw your comment about too much information. Not sure I quite understand. However Dllmain has some restrictions like most Win32 API calls can't be used. There are some exceptions and one being CreateThread. Had you considered spinning off a thread to do work? If you use CreateThread in a Dllmain it effectively gets blocked until Dllmain exits. So once Dllmain returns the Thread will execute.

is it possible to inject multiple Dlls with MS detours?

In c++ ,I want to hook more than one dll to a process. Right now I use CreateProcesswithdll() which can hook only one api at a time. What can I do to inject multiple dlls?
I came across this problem because MS detours requires us to name our custom dll the same as original dll in order to properly detour the api calls. So even though i could have different api calls handled in the same detour dll I created I need to have different names to hook calls from different apis, which means I need different detour Dlls. This also means I need to inject different DLLs. Am I right?
If I am unclear about something I will try to present it more clearly :D
Thanks!
P.S: Just to make my problem more lucid. I need to inject more than 1 dll onto the same process. CreateProcesswithdll() creates a new process with its thread in sleep state. It is woken up after the detours has finished injecting the dll and setting up the hooks. If I want to inject more than one dll I obviously cant repeatedly call CreateProcesswithdll()
so what do i do?? or Is my understanding about some aspect of this wrong?
Calling LoadLibrary() and FreeLibrary() is NOT SAFE from DLLMain(). From TFA:
"The entry-point function should
perform only simple initialization or
termination tasks. It must not call
the LoadLibrary or LoadLibraryEx
function (or a function that calls
these functions), because this may
create dependency loops in the DLL
load order. This can result in a DLL
being used before the system has
executed its initialization code.
Similarly, the entry-point function
must not call the FreeLibrary function
(or a function that calls FreeLibrary)
during process termination, because
this can result in a DLL being used
after the system has executed its
termination code."
EDIT: Apologies - this was meant as a comment for Serge's answer above.
Seems like detourattach and detourdetach will do the trick for me. Thanks everyone!
I found this blog useful!
Obviously you can load any number of DLLs from the first DLL you inject with detours.
EDIT.
When DLL is loaded system runs DllMain of your DLL (with fdwReason==DLL_PROCESS_ATTACH) and then within that function you can do whatever you like, e.g. you can call LoadLibrary to load other DLLs.
ADD:
I totally agree with comments that calling LoadLibrary from DllMain is unsafe. So you can call LoadLibrary (and all the other tricky things) from thread created in DllMain.

Difference between WinMain,main and DllMain in C++

What is the difference between the three functions and when to use them??
main() means your program is a console application.
WinMain() means the program is a GUI application -- that is, it displays windows and dialog boxes instead of showing console.
DllMain() means the program is a DLL. A DLL cannot be run directly but is used by the above two kinds of applications.
Therefore:
Use WinMain when you are writing a program that is going to display windows etc.
Use DLLMain when you write a DLL.
Use main in all other cases.
WinMain is used for an application (ending .exe) to indicate the process is starting. It will provide command line arguments for the process and serves as the user code entry point for a process. WinMain (or a different version of main) is also a required function. The OS needs a function to call in order to start a process running.
DllMain is used for a DLL to signify a lot of different scenarios. Most notably, it will be called when
The DLL is loaded into the process: DLL_PROCESS_ATTACH
The DLL is unloaded from the process: DLL_PROCESS_DETACH
A thread is started in the process: DLL_THREAD_ATTACH
A thread is ended in the process: DLL_THREAD_DETACH
DllMain is an optional construct and has a lot of implicit contracts associated with it. For instance, you should not be calling code that will force another DLL to load. In general it's fairly difficult function to get right and should be avoided unless you have a very specific need for it.
[Addendum to your question]
Also don't forget the DllEntryPoint:
When loading time is involved the entry point is DllMain.
(Ex. COM in-process server DLL).
When running time is involved the entry point is DllEntryPoint.
(Ex. LoadLibrary get called).