While working on API hook detection I ran into a critical bug. It happened in the part where a DLL loads yet another DLL from inside itself.
For API hook detection I load the DLLs that are loaded in the target process into my own process the same way, using LoadLibrary(); when such a DLL in turn loaded another DLL inside itself, the error "The specified module could not be found" occurred.
This is because the DLL I loaded called another library from its DllMain. Since all I need are the addresses of that DLL's exported functions, having the DLL load yet another DLL inside itself was not the result I wanted.
So I looked into it and found that an extended function called LoadLibraryEx() exists.
Syntax
HMODULE WINAPI LoadLibraryEx( _In_ LPCTSTR lpFileName, _Reserved_ HANDLE hFile, _In_ DWORD dwFlags );
The function prototype is shown above. The values that dwFlags accepts, from the MSDN reference, are:
Flag | Meaning |
---|---|
LOAD_IGNORE_CODE_AUTHZ_LEVEL | If this value is used, the system does not check AppLocker rules or apply Software Restriction Policies for the DLL. This action applies only to the DLL being loaded and not to its dependencies. This value is recommended for use in setup programs that must run extracted DLLs during installation. Windows Server 2008 R2 and Windows 7: On systems with KB2532445 installed, the caller must be running as "LocalSystem" or "TrustedInstaller"; otherwise the system ignores this flag. For more information, see "You can circumvent AppLocker rules by using an Office macro on a computer that is running Windows 7 or Windows Server 2008 R2" in the Help and Support Knowledge Base at http://support.microsoft.com/kb/2532445. Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP: AppLocker was introduced in Windows 7 and Windows Server 2008 R2. |
LOAD_LIBRARY_AS_DATAFILE | If this value is used, the system maps the file into the calling process's virtual address space as if it were a data file. Nothing is done to execute or prepare to execute the mapped file. Therefore, you cannot call functions like GetModuleFileName, GetModuleHandle or GetProcAddress with this DLL. Using this value causes writes to read-only memory to raise an access violation. Use this flag when you want to load a DLL only to extract messages or resources from it. This value can be used with LOAD_LIBRARY_AS_IMAGE_RESOURCE. For more information, see Remarks. |
LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE | Similar to LOAD_LIBRARY_AS_DATAFILE, except that the DLL file is opened with exclusive write access for the calling process. Other processes cannot open the DLL file for write access while it is in use. However, the DLL can still be opened by other processes. This value can be used with LOAD_LIBRARY_AS_IMAGE_RESOURCE. For more information, see Remarks. Windows Server 2003 and Windows XP: This value is not supported until Windows Vista. |
LOAD_LIBRARY_AS_IMAGE_RESOURCE | If this value is used, the system maps the file into the process's virtual address space as an image file. However, the loader does not load the static imports or perform the other usual initialization steps. Use this flag when you want to load a DLL only to extract messages or resources from it. If forced integrity checking is desired for the loaded file then LOAD_LIBRARY_AS_IMAGE is recommended instead. Unless the application depends on the image layout, this value should be used with either LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE or LOAD_LIBRARY_AS_DATAFILE. For more information, see the Remarks section. Windows Server 2003 and Windows XP: This value is not supported until Windows Vista. |
LOAD_LIBRARY_SEARCH_APPLICATION_DIR | If this value is used, the application's installation directory is searched for the DLL and its dependencies. Directories in the standard search path are not searched. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH. Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008: This value requires KB2533623 to be installed. Windows Server 2003 and Windows XP: This value is not supported. |
LOAD_LIBRARY_SEARCH_DEFAULT_DIRS | This value is a combination of LOAD_LIBRARY_SEARCH_APPLICATION_DIR, LOAD_LIBRARY_SEARCH_SYSTEM32, and LOAD_LIBRARY_SEARCH_USER_DIRS. Directories in the standard search path are not searched. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH. This value represents the recommended maximum number of directories an application should include in its DLL search path. Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008: This value requires KB2533623 to be installed. Windows Server 2003 and Windows XP: This value is not supported. |
LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | If this value is used, the directory that contains the DLL is temporarily added to the beginning of the list of directories that are searched for the DLL's dependencies. Directories in the standard search path are not searched. The lpFileName parameter must specify a fully qualified path. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH. For example, if Lib2.dll is a dependency of C:\Dir1\Lib1.dll, loading Lib1.dll with this value causes the system to search for Lib2.dll only in C:\Dir1. To search for Lib2.dll in C:\Dir1 and all of the directories in the DLL search path, combine this value with LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008: This value requires KB2533623 to be installed. Windows Server 2003 and Windows XP: This value is not supported. |
LOAD_LIBRARY_SEARCH_SYSTEM32 | If this value is used, %windows%\system32 is searched for the DLL and its dependencies. Directories in the standard search path are not searched. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH. Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008: This value requires KB2533623 to be installed. Windows Server 2003 and Windows XP: This value is not supported. |
LOAD_LIBRARY_SEARCH_USER_DIRS | If this value is used, directories added using the AddDllDirectory or the SetDllDirectory function are searched for the DLL and its dependencies. If more than one directory has been added, the order in which the directories are searched is unspecified. Directories in the standard search path are not searched. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH. Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008: This value requires KB2533623 to be installed. Windows Server 2003 and Windows XP: This value is not supported. |
LOAD_WITH_ALTERED_SEARCH_PATH | If this value is used and lpFileName specifies an absolute path, the system uses the alternate file search strategy discussed in the Remarks section to find associated executable modules that the specified module causes to be loaded. If this value is used and lpFileName specifies a relative path, the behavior is undefined. If this value is not used, or if lpFileName does not specify a path, the system uses the standard search strategy discussed in the Remarks section to find associated executable modules that the specified module causes to be loaded. This value cannot be combined with any LOAD_LIBRARY_SEARCH flag. |
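For the hook-detection use case in this post, the flag that maps a DLL without running its DllMain or pulling in its imports is DONT_RESOLVE_DLL_REFERENCES (0x1), which is not in the table above; GetProcAddress works on such a module, but Microsoft documents the flag as legacy and points to the data-file and image-resource flags instead. Those, as the table says, forbid GetProcAddress, so the export address has to be read out of the PE export directory by hand. The example below is added here and is not code from the original post. It walks the export directory of a mapping, handles the difference between a raw-file-layout mapping (LOAD_LIBRARY_AS_DATAFILE alone) and a section-aligned image mapping (LOAD_LIBRARY_AS_IMAGE_RESOURCE or a normal load), and flags forwarded exports, whose "address" is a "DLL.Function" string rather than code. The DLL it parses is a constructed in-memory PE32+ image with two made-up exports, "Hooked" and "Fwd"; the Windows-only wrapper find_export_in_file is compiled only under _WIN32.

```c
/* Added example, not code from the original post: reading export RVAs from a DLL
 * that LoadLibraryEx mapped with LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE |
 * LOAD_LIBRARY_AS_IMAGE_RESOURCE, a mapping on which GetProcAddress is not allowed.
 * Offsets follow the PE/COFF spec; the sample DLL image is constructed in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd16(const uint8_t *p, size_t o) { return p[o] | (uint32_t)p[o + 1] << 8; }
static uint32_t rd32(const uint8_t *p, size_t o) { return rd16(p, o) | rd16(p, o + 2) << 16; }
static void wr16(uint8_t *p, size_t o, uint32_t v) { p[o] = (uint8_t)v; p[o + 1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { wr16(p, o, v); wr16(p, o + 2, v >> 16); }

enum { EXP_BAD = -1, EXP_NOT_FOUND = 0, EXP_CODE = 1, EXP_FORWARDED = 2 };

/* RVA -> offset into the mapping. An image mapping is section aligned, so RVA == offset.
 * A plain data-file mapping keeps the raw file layout, so the section table decides. */
static size_t rva_to_off(const uint8_t *m, size_t len, int image_layout, uint32_t rva)
{
    if (image_layout) return rva < len ? rva : (size_t)-1;
    uint32_t pe = rd32(m, 0x3C), nsec = rd16(m, pe + 6), sh = pe + 24 + rd16(m, pe + 20);
    for (uint32_t i = 0; i < nsec && sh + 40 <= len; i++, sh += 40) {
        uint32_t va = rd32(m, sh + 12), rawsz = rd32(m, sh + 16), ptr = rd32(m, sh + 20);
        if (rva >= va && rva < va + rawsz && ptr + (rva - va) < len) return ptr + (rva - va);
    }
    return (size_t)-1;                                  /* not backed by any section */
}

/* Named export lookup. EXP_CODE: *rva is the function RVA, ready to compare against the
 * same export in the target process. EXP_FORWARDED: the RVA points at a "DLL.Function"
 * string inside the export directory (copied to fwd); the code lives in another DLL. */
static int pe_find_export(const uint8_t *m, size_t len, int image_layout,
                          const char *name, uint32_t *rva, char *fwd, size_t fwdlen)
{
    if (len < 0x40 || rd16(m, 0) != 0x5A4D) return EXP_BAD;                      /* "MZ" */
    uint32_t pe = rd32(m, 0x3C);
    if (pe + 24 + 120 > len || rd32(m, pe) != 0x00004550) return EXP_BAD;         /* "PE\0\0" */
    uint32_t dd = pe + 24 + (rd16(m, pe + 24) == 0x20B ? 112 : 96);              /* PE32+ / PE32 data dirs */
    uint32_t exp_rva = rd32(m, dd), exp_size = rd32(m, dd + 4);
    size_t ed = rva_to_off(m, len, image_layout, exp_rva);
    if (exp_rva == 0 || ed == (size_t)-1 || ed + 40 > len) return EXP_NOT_FOUND;
    uint32_t nfuncs = rd32(m, ed + 20), nnames = rd32(m, ed + 24);
    size_t funcs = rva_to_off(m, len, image_layout, rd32(m, ed + 28));
    size_t names = rva_to_off(m, len, image_layout, rd32(m, ed + 32));
    size_t ords  = rva_to_off(m, len, image_layout, rd32(m, ed + 36));
    if (funcs == (size_t)-1 || names == (size_t)-1 || ords == (size_t)-1) return EXP_BAD;
    for (uint32_t i = 0; i < nnames; i++) {
        if (names + 4 * i + 4 > len || ords + 2 * i + 2 > len) return EXP_BAD;
        size_t so = rva_to_off(m, len, image_layout, rd32(m, names + 4 * i));
        if (so == (size_t)-1 || strncmp((const char *)m + so, name, len - so) != 0) continue;
        uint32_t ord = rd16(m, ords + 2 * i);
        if (ord >= nfuncs || funcs + 4 * ord + 4 > len) return EXP_BAD;
        uint32_t f = rd32(m, funcs + 4 * ord);
        if (f < exp_rva || f >= exp_rva + exp_size) { *rva = f; return EXP_CODE; }
        size_t fo = rva_to_off(m, len, image_layout, f);                        /* forwarder string */
        if (fo == (size_t)-1) return EXP_BAD;
        snprintf(fwd, fwdlen, "%.*s", (int)(len - fo), (const char *)m + fo);
        return EXP_FORWARDED;
    }
    return EXP_NOT_FOUND;
}

/* Constructed PE32+ DLL (not a real binary): one section at RVA 0x1000 / file offset
 * 0x200 holding an export directory with "Hooked" -> code at RVA 0x2000 and "Fwd" ->
 * forwarder "NTDLL.RtlGetVersion". image_layout=1 places the section at its RVA, as
 * the loader would; 0 places it at its file offset, as on disk. Returns the length. */
static size_t build_sample_dll(uint8_t *m, size_t cap, int image_layout)
{
    const uint32_t pe = 0x80, sh = pe + 24 + 240, ed = image_layout ? 0x1000 : 0x200;
    size_t len = ed + 0x100;
    if (cap < len) return 0;
    memset(m, 0, len);
    wr16(m, 0, 0x5A4D); wr32(m, 0x3C, pe); wr32(m, pe, 0x00004550);
    wr16(m, pe + 4, 0x8664); wr16(m, pe + 6, 1); wr16(m, pe + 20, 240);        /* x64, 1 section, PE32+ */
    wr16(m, pe + 24, 0x20B); wr32(m, pe + 24 + 56, 0x1100);                     /* Magic, SizeOfImage */
    wr32(m, pe + 24 + 112, 0x1000); wr32(m, pe + 24 + 116, 0x80);               /* export dir RVA, size */
    memcpy(m + sh, ".edata", 6); wr32(m, sh + 8, 0x80); wr32(m, sh + 12, 0x1000);
    wr32(m, sh + 16, 0x100); wr32(m, sh + 20, 0x200);                           /* SizeOfRawData, PointerToRawData */
    wr32(m, ed + 20, 2); wr32(m, ed + 24, 2);                                   /* NumberOfFunctions, NumberOfNames */
    wr32(m, ed + 28, 0x1028); wr32(m, ed + 32, 0x1030); wr32(m, ed + 36, 0x1038); /* function, name, ordinal tables */
    wr32(m, ed + 0x28, 0x2000); wr32(m, ed + 0x2C, 0x1050);                     /* Hooked -> code, Fwd -> string */
    wr32(m, ed + 0x30, 0x1040); wr32(m, ed + 0x34, 0x1047); wr16(m, ed + 0x38, 0); wr16(m, ed + 0x3A, 1);
    memcpy(m + ed + 0x40, "Hooked", 7); memcpy(m + ed + 0x47, "Fwd", 4);
    memcpy(m + ed + 0x50, "NTDLL.RtlGetVersion", 20);
    return len;
}

#ifdef _WIN32
#include <windows.h>
/* Map a real DLL without DllMain or import resolution. The flag pair yields image
 * layout; the HMODULE carries marker bits in its low two bits that must be stripped. */
static int find_export_in_file(const wchar_t *path, const char *name, uint32_t *rva, char *fwd, size_t fwdlen)
{
    HMODULE h = LoadLibraryExW(path, NULL, LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE | LOAD_LIBRARY_AS_IMAGE_RESOURCE);
    if (!h) return EXP_BAD;
    const uint8_t *m = (const uint8_t *)((uintptr_t)h & ~(uintptr_t)3);
    int r = pe_find_export(m, rd32(m, rd32(m, 0x3C) + 24 + 56), 1, name, rva, fwd, fwdlen); /* SizeOfImage */
    FreeLibrary(h);
    return r;
}
#endif

int main(void)
{
    uint8_t raw[0x300], img[0x1100]; uint32_t rva = 0; char fwd[64] = "";
    size_t rl = build_sample_dll(raw, sizeof raw, 0), il = build_sample_dll(img, sizeof img, 1);
    int a = pe_find_export(raw, rl, 0, "Hooked", &rva, fwd, sizeof fwd);
    printf("file layout:  Hooked -> status %d, RVA 0x%x\n", a, rva);
    int b = pe_find_export(img, il, 1, "Fwd", &rva, fwd, sizeof fwd);
    printf("image layout: Fwd    -> status %d, forwarded to %s\n", b, fwd);
    return 0;
}
```

On Windows the wrapper is called with a full path, for example find_export_in_file(L"C:\\Windows\\System32\\kernel32.dll", "CreateFileW", &rva, fwd, sizeof fwd) (a hypothetical call; the path and export name are assumptions). Two things matter when the RVA is then compared against the target process: an EXP_FORWARDED result means the bytes to check live in the forwarder's DLL, not this one, and the clean copy is mapped without relocations applied, so compare code at base + RVA while ignoring bytes that the relocation table patches, or the check will report false hooks on any module loaded at a different base. The same LoadLibraryExW call is also where a checker should pin the search path, since the table above shows that LOAD_LIBRARY_SEARCH_SYSTEM32 or a fully qualified path keeps a planted DLL in the working directory from being the one that gets mapped.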