A hooked dll, how to call the entrypoint?
hello everybody,
i loaded up a dll into a process by apihook.
in the dll is the DllMain() function call to initialise it.
but the process normally calls a custom entrypoint
and not DllMain to register the dll to the process.
how do i call this custom function, which is seated
in another dll, from my dll?
it won't be a problem to load up a second dll with
LoadLibrary and register the 2nd dll, if it can't be done with the
first one.
is GetProcAddress() a way to get access to this custom
function, and how do i use the return value (the address)
in my code to execute the function?
this is called on startup of the dll.
/////////////////////////////////////////////////////////////////////////////
// DLL Entry Point
// Module handle of this DLL. The original post does not show where it is
// declared; it is assumed to be a file-scope global like this.
HINSTANCE _hdllInstance = NULL;

extern "C"
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID pkt /*lpReserved*/)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        _hdllInstance = hInstance;
        // Extension DLL one time initialization (DeluxeDLL is the MFC
        // extension module object, typically declared elsewhere with
        // AC_IMPLEMENT_EXTENSION_MODULE(DeluxeDLL))
        DeluxeDLL.AttachInstance(hInstance);
        // This DLL does not need DLL_THREAD_ATTACH/DETACH notifications
        DisableThreadLibraryCalls(hInstance);
        // Initialise the AcUi (AutoCAD MFC UI) library
        InitAcUiDLL();
    }
    else if (dwReason == DLL_PROCESS_DETACH)
    {
        // Terminate the library before destructors are called
        DeluxeDLL.DetachInstance();
        // try to decrease the refcount on the dbx
        // if we couldn't load it then this is a no op.
    }
    return TRUE; // ok
}
this is the function that should be called from the process,
but there is no call???? :-(
/////////////////////////////////////////////////////////////////////////////
// ObjectARX EntryPoint
// AutoCAD calls this exported function (not DllMain) to register and
// unregister the application; msg tells the DLL why it is being called.
extern "C" AcRx::AppRetCode
acrxEntryPoint(AcRx::AppMsgCode msg, void* pkt)
{
    switch (msg)
    {
    case AcRx::kInitAppMsg:
        // Use this DLL's own resources while the splash screen is shown,
        // then switch back to AutoCAD's resource instance
        AfxSetResourceHandle(_hdllInstance);
        CSplashScreen::EnableSplashScreen(TRUE);
        CSplashScreen::ShowSplashScreen(acedGetAcadFrame());
        AfxSetResourceHandle(acedGetAcadResourceInstance());
        // Comment out the following line if your
        // application should be locked into memory
        acrxDynamicLinker->unlockApplication(pkt);
        acrxDynamicLinker->registerAppMDIAware(pkt);
        InitApplication();
        break;
    case AcRx::kUnloadAppMsg:
        UnloadApplication();
        break;
    default:
        break;
    }
    return AcRx::kRetOK;
}
regards
ngc
By ngc7000 at 2007-11-18 0:39:31

# 1 Re: A hooked dll, how to call the entrypoint?
I am not clear on what you are trying to do. Do you want to get the address for the language runtime startup code (which subsequently calls DllMain) or the address for your custom function? You can modify the IMAGE_NT_HEADERS field for the address of entry point with a thunk to some trampoline code that calls your custom code if that is what you are trying to accomplish. Is your custom method static? If not, then you will have some more difficulties here. The OS (specifically ntdll.dll on NT / 2000 / XP systems) is the one who does the loading and registering, but it also does all the import/export linking and relocation work as well, so I am not assuming that you want to replace this as well, but should I be?
Here is the information I think might be helpful. Clearly state the order of events you want to occur (you mention 2 dlls, but it is not clear what they are or what you mean by the process calling functions in them -- app or OS?). State what type of API hook you are using (patched IAT, detours-like trampolines, kernel mode interrupt method, etc.) as many examples out there are called apihook. I think with that information, we might be able to help you better...
# 2 Re: A hooked dll, how to call the entrypoint?
hello,
thanks for answering me.
i've made a few dlls for autocad. autocad can load dlls made by other programmers.
now i want to load up my dlls into the small autocad lt, which also uses this type of dll, but the interface - the call to the function acrxEntryPoint(AcRx::AppMsgCode msg, void* pkt)
- is disabled. so i load up a dll (like a trojan horse) by apihook into autocad lt. that's not difficult, but how do i manage that call to the registering function in my dll?
without this call the dll can do nothing, it just remains in the process memory. only easy things like printing a word on the screen can be done from the code.
so my intention is to force autocad lt to call the acrxEntryPoint(AcRx::AppMsgCode msg, void* pkt) function in my dll.
i don't know if you can force a process to execute a function which initialises a dll, from the same dll that is not really registered to the program. so i thought, if i load up another dll i can force the program to call the function in that dll.
i hope this is better explained, i tried my very best. :-)
regards
chris