Explicit DLL Module Loading and Symbol Linking
Implicit load/linking: the loader loads and links the DLL automatically when the application is invoked, because the application's import table references symbols contained in the DLL.
Explicit load/linking: a thread explicitly loads the DLL into its process' address space, retrieves the virtual memory address of a function contained within the DLL, and calls the function through that address.
LoadLibrary(Ex) to load the DLL into the process' address space
GetProcAddress to look up the address of one of the DLL's exported symbols
Explicitly Loading the DLL Module
Can use either LoadLibrary or LoadLibraryEx to map the DLL. Both return the virtual memory address where the file image is mapped (HMODULE == HINSTANCE).
Module handles are not always interchangeable: a handle returned under the LOAD_LIBRARY_AS_DATAFILE family of flags (see below) has its low bit set, is not an image base, and cannot be passed to GetProcAddress.
They both increase the library's per-process usage count; loading the same DLL twice returns the same handle and bumps the count twice.
The same base address is what the DLL's DllMain entry point receives in its hinstDLL parameter (DllMain does not return it).
LoadLibraryEx additionally takes a file handle parameter (reserved, must be NULL) and a flags parameter.
DONT_RESOLVE_DLL_REFERENCES
Tells the system to map the DLL into the calling process' address space without calling DllMain and without loading the DLLs it imports. Deprecated: calling an export from a module loaded this way can crash because its imports are unresolved; when you only need to read the file, use LOAD_LIBRARY_AS_DATAFILE or LOAD_LIBRARY_AS_IMAGE_RESOURCE instead.
LOAD_LIBRARY_AS_DATAFILE
Tells the system to map the DLL into the process' address space as if it were a plain data file. The system does not set up the page protections a DLL image needs to execute, does not call DllMain and does not load dependencies; the returned handle has its low bit set to mark it as a data-file mapping.
Reasons to use this flag:
- DLL contains resources only and no functions
- This flag can be used to load resources from a .exe without starting a new process
LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE
Same as LOAD_LIBRARY_AS_DATAFILE, but the file is opened for exclusive write access, so no other process can modify its contents while it is mapped.
LOAD_WITH_ALTERED_SEARCH_PATH
Changes the DLL search order when pszDLLPathName is a full path: the search for the DLL's dependencies starts in that DLL's own directory instead of the application's directory. It cannot be combined with the LOAD_LIBRARY_SEARCH_* flags (Windows 8, or Windows 7 with KB2533623), which are the safer choice: LOAD_LIBRARY_SEARCH_SYSTEM32, for example, restricts the search to the System32 directory and so removes the classic DLL-hijacking locations (application directory, current directory, PATH) from consideration.
Can also call SetDllDirectory with the library folder as a parameter; the folder set is searched right after the folder containing the application. Retrieve it with GetDllDirectory. SetDllDirectory("") removes the current directory from the search order entirely.
LOAD_IGNORE_CODE_AUTHZ_LEVEL
Turns off the validation provided by WinSafer (Software Restriction Policies and AppLocker rules) for this load. Only meaningful when the process is subject to such a policy; do not use it to load DLLs of unknown origin.
Explicitly Unloading the DLL Module
FreeLibrary to explicitly unload DLL from process' address space
FreeLibraryAndExitThread does the same and then calls ExitThread. Use it from a thread that runs inside the DLL it wants to unload, so the thread never returns into code that has already been unmapped.
They both decrement the library's per-process usage count. The library is only unmapped from address space when usage count is 0.
GetModuleHandle to determine if a DLL is already mapped into the process' address space. Returns NULL if not mapped. It does not increment the usage count, so never pair it with FreeLibrary.
GetModuleFileName - gets the full pathname of a mapped DLL/.exe (pass NULL for the executable itself)
Explicitly Linking to an Exported Symbol
Pass the handle returned from LoadLibrary(Ex) to GetProcAddress to get the address of an exported symbol inside the DLL.
The pszSymbolName parameter is ANSI only (there is no GetProcAddressW). Pass either the name of the symbol as an ANSI string, or the ordinal number of the symbol:
GetProcAddress(hInstDll, MAKEINTRESOURCE(2));
In a UNICODE build use MAKEINTRESOURCEA, since the parameter is an LPCSTR. Warning: passing an ordinal number that has not been assigned to any of the exported functions might still return a non-NULL value, so only rely on ordinals the DLL's author documents as stable.
Finally, cast the function pointer into a type that matches the export's signature, and check for NULL before calling:
typedef void (WINAPI *PFN_DUMPMODULE)(HMODULE hmod);
PFN_DUMPMODULE pfnDumpModule = (PFN_DUMPMODULE)GetProcAddress(hDll, "DumpModule");
if (pfnDumpModule != NULL) pfnDumpModule(hDll);
Sources
Windows via C/C++ - J. Richter 2008 - Chapter 20