Reputation: 32418
Is it safe to call LoadLibrary from DllMain if you've used a kernel driver to ensure yours is the first library loaded?
I've been looking at some hooking code which selectively loads a library into certain processes and then hooks certain native API functions (using Detours). The chain of events looks like this:
- Kernel driver loads A.dll into every process.
- A.dll::
DllMain()decides whether to load B.dll (LoadLibraryEx) which contains actual Detours hooks. - B.dll runs for the duration of the process hooking said functions.
The second bullet here appears to break the DllMain rules specified here, but I'm trying to work out if the way the driver loads A.dll works around the limitations. Specifically, the kernel driver uses PsSetLoadImageNotifyRoutine to get notifications when each process starts and then queues an APC to call LoadLibraryEx on A.dll which means it's pretty much the first DLL loaded when the process starts. Does this circumvent the problems with calling LoadLibrary within DllMain?
Upvotes: 0
Views: 1014
Answers (2)
Reputation: 41252
The documentation very specifically says not to call LoadLibrary in DllMain. Even in the unlikely event that you figured out a safe way to make it work, it may not work in the next version (or even the next service pack) of Windows.
Upvotes: 1
Reputation: 45172
Doesn't matter how the LoadLibraryEx was triggered. Once triggered, the DLL loading process is the same, and the same rules apply.
Upvotes: 2
Related Questions
- Calling dll from kernel mode c++ windows
- Calling LoadLibrary from DllMain
- Is it safe to mix delayed dll loading and manual call of LoadLibraryA?
- Plugin DLLs that depend on other DLLs
- DllMain not called after using LoadLibrary
- Security Of Dynamic Loaded DLL
- How to protect against DLL Hijacking?
- Controlling the order of dllmain() calls while being injected to another process
- DllMain not being called from injected dll
- Is it safe to call LoadLibrary from main()?