LoadLibrary

JediPathetique · **Joined:** 18 Sep 2008 22:23 **Posts:** 32

Just to try DLL function hooking, I made an example program and a hook for a function in it using Win Detours. When I inject my DLL using an injector, the function is properly hooked. However, I want to automatically load the DLL every time the program loads, so I'm wondering: If I add in a LoadLibrary call in the program I'm hooking, would the DLL still hook properly, or should I use a different method?

aluigi · **Posted:** 30 Jun 2009 20:17

if you find a way to place the LoadLibrary call somewhere at the beginning of the program's code, sure.
when the dll is loaded it's automatically executed the code contained in the DllMain() function of the loaded dll where you can put all the inizialization stuff and so on

JediPathetique · **Joined:** 18 Sep 2008 22:23 **Posts:** 32

Well it should be easy to place it at the beginning of the code... even if there isn't an easy place to divert a jump I can just copy some bytes, overwrite them with a jump, and paste them at the patch location before the LoadLibrary call, so it shouldn't be a problem.

Do you think this would slow down the program significantly, or cause any problems? 'Cause it's sounding like the best way to go to me.

Thanks for your help.

aluigi · **Posted:** 30 Jun 2009 22:59

no, the performances should remain the same.
remember that LoadLibrary is a WINAPI (aka __stdcall) function so when you call it you must NOT restore the stack pointer like for example "add esp, 4" which instead is needed for __cdecl functions.

JediPathetique · **Joined:** 18 Sep 2008 22:23 **Posts:** 32

Hmm, one thing I'm a little worried about...
Would LoadLibrary would be from Kernel32.dll, and if so, would its address be different on various installations of Windows?

aluigi · **Posted:** 30 Jun 2009 23:58

yeah, LoadLibraryA is in kernel32.dll and obviously its offset changes between the various windows versions and languages.

JediPathetique · **Joined:** 18 Sep 2008 22:23 **Posts:** 32

Well, that seems like a problem... would it be possible to copy the LoadLibrary function, and place it in a free place in the program, or in a new code section?

Also, I am trying to intercept a function from Quake3 now, and the function definition uses some special data types defined specifically for that game. Is there any way to use some generic data type to call the original function, or do I need to redefine the specific data types? (Sorry if that doesn't make any sense...)

aluigi · **Posted:** 01 Jul 2009 09:40

uhmmm you can add LoadLibrary to the list of imported functions in the import table but this is something I have never done so I don't have a step-by-step ready although seems that you can do it with PEditor:
- directory
- Imports
- KERNEL32.dll
- add Import
- Function Name: LoadLibraryA and press the +
- OK and save

if you don't need to know the content of these data types define them as "void *" so if the original function is:
int q3_func(q3struct_t *blah, q3bool blah2);
use
int q3_func(void *blah, int blah2);
or
int q3_func(void *blah, void *blah2);

suN8Hclf · **Joined:** 05 Oct 2008 00:04 **Posts:** 2

There are some ways to find base of kernel32.dll in process's memory
and then resolve needed symbols. Check this paper:
http://hick.org/code/skape/papers/win32-shellcode.pdf
("Shellcode Basics" section).

JediPathetique · **Joined:** 18 Sep 2008 22:23 **Posts:** 32

Ok, I think I'll be able to add a LoadLibrary call alright, but I'm still having a bit of a problem the actual function interception.
When I use void for the variables, I am still having the same problem I had before: EIP was not saved correctly. (An error dialog comes up and the program terminates.)
I don't have access to my source code right now, but if you want I can post the relevant parts once I do.

JediPathetique · **Joined:** 18 Sep 2008 22:23 **Posts:** 32

Sorry to keep plaguing you with this, but....
Here's my source for hooking the function. All this is supposed to do is intercept the function, do nothing, and return the original function.

Code:

#include "stdafx.h"
#include "HookTest3.h"

#include <windows.h>
#include "detours.h";
#pragma comment(lib, "detours.lib")

       
//The original function prototype for this was:
//static qboolean SV_ClientCommand( client_t *cl, msg_t *msg )
int (__stdcall* SV_ClientCommand)(void *cl, void *msg); 
   
   static int MySV_ClientCommand( void *cl, void *msg )
      {
     return SV_ClientCommand(cl, msg); //Call the

 original function
      }
  

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
      switch (ul_reason_for_call)
      {

      case DLL_PROCESS_ATTACH:
     SV_ClientCommand = (int (__stdcall*)(void*, void*))DetourFunction((PBYTE)0x0abcdef, (PBYTE)MySV_ClientCommand);
     break;

      case DLL_THREAD_ATTACH: 
      break;

      case DLL_THREAD_DETACH:
      break;

      case DLL_PROCESS_DETACH: 
DetourRemove((PBYTE)0x0abcdef, (PBYTE)SV_ClientCommand);
      break;

      }

      return TRUE;

      }

When I inject this DLL, and the function is called, I get this:

I'm assuming I have the function definition for the function wrong, but I'm not sure what it should be.

Francis · **Joined:** 26 Apr 2008 21:50 **Posts:** 27

You declared it as __stdcall but it may not be a __stdcall if it is declared as fellow

Code:

//The original function prototype for this was:
//static qboolean SV_ClientCommand( client_t *cl, msg_t *msg )

I dont know only a guess on which luigi said,

also you can alternatively use GetProcAddress to get the address of loadlibrarya as fellow

Code:

/* Get the LoadLibraryA base address */
GetProcAddressA( GetModuleHandleA("Kernel32.dll"), "LoadLibraryA" );

aluigi · **Posted:** 09 Jul 2009 21:30

depends because some compilers use stdcall as default calling convention (Visual Studio if I'm not in error)

Luigi Auriemma

LoadLibrary