
Callstack from Windows PE loader to Dll entrypoint ?

wlecat3 Posts: 1
Hi everyone,

Could anyone tell me (or direct me to some resources which could) what functions the Windows PE loader calls to load and initiate DLLs (i.e. call their entrypoint) when resolving the IAT of a new process?

I was under the impression that it would be something like LoadLibraryExW or even LdrLoadDll, but I cannot find them on the call stack (from my DllMain)...

Best regards,
William

Comments

  • raj_r Posts: 953
    when you are in your DllMain, all IATs would already have been resolved by the loader

    if you want to watch import DLL loading, you have to stop after ntdll
    loads but before it reaches the system breakpoint (the first default breakpoint)

    open calc.exe in windbg
    type the command
    sxe ld ntdll ; .restart

    windbg will restart calc and stop on ntdll Module Load

    now set a breakpoint on ntdll!LdrLoadDll and you will see the first
    import resolved (kernel32.dll); see below for a sample flow

    restart to catch the load module event

    0:000> sxe ld ntdll ; .restart

    ntdll!RtlUserThreadStart:
    775270d8 89442404 mov dword ptr [esp+4],eax ss:0023:001ff8c0=00000000

    set a breakpoint on ntdll!LdrLoadDll after ntdll is loaded and continue

    0:000> bp ntdll!LdrLoadDll
    0:000> g
    Breakpoint 0 hit

    bp is hit and ntdll is resolving the kernel32.dll import

    LdrLoadDll has the following prototype (beware: it might be an undocumented prototype),
    so the third argument is the UNICODE_STRING of the module name to be loaded
    and the fourth argument is the HMODULE that would be received

    NTSYSAPI NTSTATUS
    LdrLoadDll(
        IN PWCHAR PathToFile OPTIONAL,
        IN ULONG Flags OPTIONAL,
        IN PUNICODE_STRING ModuleFileName,
        OUT PHANDLE ModuleHandle );

    ntdll!LdrLoadDll:
    775422ae 8bff mov edi,edi

    0:000> dd esp l5
    001ff410 77547d33 00000000 00000000 77547de0
    001ff420 001ff4c4

    let's check which imported module is being loaded

    0:000> dS poi(esp+c)
    77528230 "kernel32.dll"

    let's set a data write breakpoint on the in argument
    which would receive the HMODULE

    0:000> ba w4 poi(esp+10)

    0:000> g
    ModLoad: 76d90000 76e64000 C:\Windows\system32\kernel32.dll
    Breakpoint 0 hit

    ntdll!LdrLoadDll:

    0:000> g

    ModLoad: 758c0000 7590a000 C:\Windows\system32\KERNELBASE.dll
    Breakpoint 1 hit

    ntdll!LdrLoadDll+0xa3:

    data breakpoint stops 1 instruction past the write

    0:000> ub
    ntdll!LdrLoadDll+0x8d:
    7754231d e86bd9ffff call ntdll!LdrpLoadDll (7753fc8d)
    77542322 8bf0 mov esi,eax
    77542324 85f6 test esi,esi
    77542326 7c0b jl ntdll!LdrLoadDll+0xa3 (77542333)
    77542328 8b4510 mov eax,dword ptr [ebp+10h]
    7754232b 8b4018 mov eax,dword ptr [eax+18h]
    7754232e 8b4d14 mov ecx,dword ptr [ebp+14h]
    77542331 8901 mov dword ptr [ecx],eax << this caused the
    data write breakpoint to fire, so eax holds whatever was written

    0:000> r eax
    eax=76d90000

    0:000> lm a @eax
    Browse full module list
    start end module name
    76d90000 76e64000 kernel32 (pdb symbols) \kernel32.pdb

    only kernel32, its dependency and the Avast hook dll have been loaded up to now;
    LdrLoadDll will fire now for all dependencies


    0:000> lm
    start end module name
    00460000 00520000 calc (deferred)
    686d0000 686ff000 aswhookx (deferred)
    758c0000 7590a000 KERNELBASE (deferred)
    76d90000 76e64000 kernel32 (pdb symbols) kernel32.pdb
    774e0000 7761c000 ntdll (pdb symbols) ntdll.pdb

    On 7/15/18, xxxxx@gmail.com <xxxxx@lists.osr.com> wrote:
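A WinDbg script that automates the walk-through in the answer above, logging every LdrLoadDll request together with the code that asked for it, so the complete startup load order of a process (including third-party hook DLLs such as the one in the module list) can be reviewed. This is an added example, not raj_r's; it assumes a 32-bit target (stack-passed arguments, as in the session), ntdll symbols, and the hypothetical script path C:\scripts\ldrlog.wds.

```windbg
$$ ldrlog.wds: log each DLL the loader requests through ntdll!LdrLoadDll,
$$ from process start until the initial (system) breakpoint.
$$ Run with:  windbg -c "$$< C:\scripts\ldrlog.wds" calc.exe
$$ Assumes a 32-bit target; on x64 the third argument is in r8 (dS @r8)
$$ and the return address is still at poi(@rsp).

$$ Stop as soon as ntdll is mapped, before any import has been resolved.
sxe ld ntdll
.restart

$$ At LdrLoadDll: esp+c holds the PUNICODE_STRING ModuleFileName (third arg),
$$ esp points at the return address (who requested the load). Print both and
$$ resume with gc so the target keeps running between hits.
bp ntdll!LdrLoadDll ".printf \"LdrLoadDll: \"; dS poi(@esp+c); .printf \"  requested from: \"; ln poi(@esp); gc"

$$ Run to the system breakpoint; every import resolved on the way is logged.
g

$$ Final picture: everything mapped before the entry point runs. Anything
$$ here that is not a known dependency (e.g. an injected hook DLL) deserves
$$ a look at which LdrLoadDll line above pulled it in, if any.
lm
```

Modules that appear in the `lm` listing without a matching LdrLoadDll line arrived through another path (for example as a static dependency mapped by LdrpLoadDll internally, or via a loader callback), which is itself a useful signal when checking a process for unexpected DLLs.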