While working on API hook detection this time, I ran into a fatal bug. It happened in the part where a DLL loads yet another DLL from inside itself.


For API hook detection, I load the same DLLs that are loaded in the target process into my own process with LoadLibrary(), and when that DLL loaded another DLL internally, the error "The specified module could not be found" occurred.


This was because the DLL I loaded called another library from its DllMain. Since I only need the addresses of that DLL's exported functions, having the DLL load another DLL internally was not a result I wanted.

So I looked around and found that an extended function called LoadLibraryEx() exists.


Syntax

HMODULE WINAPI LoadLibraryEx(
  _In_        LPCTSTR lpFileName,
  _Reserved_  HANDLE hFile,
  _In_        DWORD dwFlags
);

The function prototype is shown above.


You can see it takes three arguments. The first is the name or path of the DLL, the same as in the original function.
The second one I don't really know either... the third argument is the key.

LoadLibrary internally calls LoadLibraryEx, and in that case 0 is passed as the third argument.

DONT_RESOLVE_DLL_REFERENCES
If you pass this flag, the DLL is loaded without its DllMain being called. This is the key flag of this post..

The remaining flags are as follows...
LOAD_IGNORE_CODE_AUTHZ_LEVEL
0x00000010

If this value is used, the system does not check AppLocker rules or apply Software Restriction Policies for the DLL. This action applies only to the DLL being loaded and not to its dependencies. This value is recommended for use in setup programs that must run extracted DLLs during installation.

Windows Server 2008 R2 and Windows 7:  On systems with KB2532445 installed, the caller must be running as "LocalSystem" or "TrustedInstaller"; otherwise the system ignores this flag. For more information, see "You can circumvent AppLocker rules by using an Office macro on a computer that is running Windows 7 or Windows Server 2008 R2" in the Help and Support Knowledge Base at http://support.microsoft.com/kb/2532445.
Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP:  AppLocker was introduced in Windows 7 and Windows Server 2008 R2.
LOAD_LIBRARY_AS_DATAFILE
0x00000002

If this value is used, the system maps the file into the calling process's virtual address space as if it were a data file. Nothing is done to execute or prepare to execute the mapped file. Therefore, you cannot call functions like GetModuleFileName, GetModuleHandle or GetProcAddress with this DLL. Using this value causes writes to read-only memory to raise an access violation. Use this flag when you want to load a DLL only to extract messages or resources from it.

This value can be used with LOAD_LIBRARY_AS_IMAGE_RESOURCE. For more information, see Remarks.

LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE
0x00000040

Similar to LOAD_LIBRARY_AS_DATAFILE, except that the DLL file is opened with exclusive write access for the calling process. Other processes cannot open the DLL file for write access while it is in use. However, the DLL can still be opened by other processes.

This value can be used with LOAD_LIBRARY_AS_IMAGE_RESOURCE. For more information, see Remarks.

Windows Server 2003 and Windows XP:  This value is not supported until Windows Vista.
LOAD_LIBRARY_AS_IMAGE_RESOURCE
0x00000020

If this value is used, the system maps the file into the process's virtual address space as an image file. However, the loader does not load the static imports or perform the other usual initialization steps. Use this flag when you want to load a DLL only to extract messages or resources from it. If forced integrity checking is desired for the loaded file then LOAD_LIBRARY_AS_IMAGE is recommended instead.

Unless the application depends on the image layout, this value should be used with either LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE or LOAD_LIBRARY_AS_DATAFILE. For more information, see the Remarks section.

Windows Server 2003 and Windows XP:  This value is not supported until Windows Vista.
LOAD_LIBRARY_SEARCH_APPLICATION_DIR
0x00000200

If this value is used, the application's installation directory is searched for the DLL and its dependencies. Directories in the standard search path are not searched. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH.

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008:  This value requires KB2533623 to be installed.
Windows Server 2003 and Windows XP:  This value is not supported.
LOAD_LIBRARY_SEARCH_DEFAULT_DIRS
0x00001000

This value is a combination of LOAD_LIBRARY_SEARCH_APPLICATION_DIR, LOAD_LIBRARY_SEARCH_SYSTEM32, and LOAD_LIBRARY_SEARCH_USER_DIRS. Directories in the standard search path are not searched. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH.

This value represents the recommended maximum number of directories an application should include in its DLL search path.

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008:  This value requires KB2533623 to be installed.
Windows Server 2003 and Windows XP:  This value is not supported.
LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR
0x00000100

If this value is used, the directory that contains the DLL is temporarily added to the beginning of the list of directories that are searched for the DLL's dependencies. Directories in the standard search path are not searched.

The lpFileName parameter must specify a fully qualified path. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH.

For example, if Lib2.dll is a dependency of C:\Dir1\Lib1.dll, loading Lib1.dll with this value causes the system to search for Lib2.dll only in C:\Dir1. To search for Lib2.dll in C:\Dir1 and all of the directories in the DLL search path, combine this value with LOAD_LIBRARY_SEARCH_DEFAULT_DIRS.

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008:  This value requires KB2533623 to be installed.
Windows Server 2003 and Windows XP:  This value is not supported.
LOAD_LIBRARY_SEARCH_SYSTEM32
0x00000800

If this value is used, %windows%\system32 is searched for the DLL and its dependencies. Directories in the standard search path are not searched. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH.

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008:  This value requires KB2533623 to be installed.
Windows Server 2003 and Windows XP:  This value is not supported.
LOAD_LIBRARY_SEARCH_USER_DIRS
0x00000400

If this value is used, directories added using the AddDllDirectory or the SetDllDirectory function are searched for the DLL and its dependencies. If more than one directory has been added, the order in which the directories are searched is unspecified. Directories in the standard search path are not searched. This value cannot be combined with LOAD_WITH_ALTERED_SEARCH_PATH.

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008:  This value requires KB2533623 to be installed.
Windows Server 2003 and Windows XP:  This value is not supported.
LOAD_WITH_ALTERED_SEARCH_PATH
0x00000008

If this value is used and lpFileName specifies an absolute path, the system uses the alternate file search strategy discussed in the Remarks section to find associated executable modules that the specified module causes to be loaded. If this value is used and lpFileName specifies a relative path, the behavior is undefined.

If this value is not used, or if lpFileName does not specify a path, the system uses the standard search strategy discussed in the Remarks section to find associated executable modules that the specified module causes to be loaded.

This value cannot be combined with any LOAD_LIBRARY_SEARCH flag.
