how to prevent dll loading

c++ / delphi package - dll injection and api hooking

how to prevent dll loading

Postby jgh0721 » Wed May 30, 2018 12:59 am

I want to prevent DLL loading globally.

1. LdrLoadDll hook in each process
- I'm worried about crashes with madCodeHook
2. madCodeHook unique feature?
- call my callback routine on each DLL loading event
jgh0721
 
Posts: 9
Joined: Tue Apr 22, 2014 8:06 am

Re: how to prevent dll loading

Postby madshi » Wed May 30, 2018 6:38 am

May I ask which purpose this is for?

Generally, hooking LdrLoadDll should work "fine". The biggest problems I see with this approach are:

1) Many, many people want to hook dll loading, using either madCodeHook or other hooking libraries. So you have to be prepared that there could be collisions with other hooking libraries. madCodeHook does its best to be friendly to other hooking libraries, but I can't guarantee that other hooking libraries will play friendly with us. In most cases it should work just fine, though.

2) Of course if you block certain dlls from loading, that could cause crashes in applications. E.g. let's say you block loading of xxx.dll, but application X requires this dll to be present and working. Application X might even do something like "someFunc = GetProcAddress(LoadLibrary("xxx.dll"), "SomeAPI")", without checking if LoadLibrary actually succeeded. So you need to be aware that blocking the loading of dlls *can* potentially lead to crashes, or non-working applications.
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to prevent dll loading

Postby iconic » Wed May 30, 2018 2:59 pm

If you need to support Vista+ you can use LdrRegisterDllNotification() and inside your callback check that the load reason is LDR_DLL_NOTIFICATION_REASON_LOADED (1), then use the passed-in notification data to determine the DLL. Both the full and base filenames are available to you via a UNICODE_STRING structure, which is the same as what LdrLoadDll() sees.

Once you've determined which DLL is being loaded you can overwrite the DLL's entry point with XOR EAX, EAX / RET, which returns False from DllMain() so the DLL never loads. DllBase is a passed-in structure member as well, so you don't need to hunt for it and you can calculate the entry point address easily from that.

By doing things this way you don't have to worry about API hook collisions or security software becoming watchfully paranoid. I use this technique in commercial software and my DLL is injected system-wide, so it's proven to work reliably and in a stable manner. Just make sure that you remember to unregister the notify routine in your module's DLL_PROCESS_DETACH, otherwise the callback will remain installed inside the target process even after your DLL has been unloaded.

P.S.: If you must also support XP and below you can call the very undocumented LdrSetAppCompatDllRedirectionCallback() API, in which you also receive the fully qualified DLL filename as a parameter, and if it matches a DLL of interest you can return STATUS_UNSUCCESSFUL or some other relevant NT error code. This also works just fine and I am using this in software as mentioned above.

--Iconic
iconic
 
Posts: 826
Joined: Wed Jun 08, 2005 5:08 am
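Added example, not code from this thread or from madCodeHook: a C sketch of the approach iconic describes, i.e. register an LdrRegisterDllNotification() callback, match BaseDllName against a block list, and overwrite the DLL's entry point with XOR EAX, EAX / RET. The block list, the ldr_block_* names and the constructed sample image are assumptions. The PE-header and name-matching helpers are plain C so they can be compiled and exercised on any platform; only the part inside #ifdef _WIN32 talks to ntdll/kernel32 and is what would run inside the injected DLL.

```c
/* Added example, not code from this thread or from madCodeHook: iconic's
 * LdrRegisterDllNotification() block in C. Hypothetical: the block list, the
 * ldr_block_* names and the constructed sample image. The PE and name helpers
 * are plain C and compile anywhere; only the #ifdef _WIN32 part needs Windows. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint16_t lower16(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }
/* Hypothetical block list, kept the way the loader passes BaseDllName: a
 * UNICODE_STRING, Length in BYTES, buffer not NUL-terminated. */
static const uint16_t kEvil[] = {'e','v','i','l','h','o','o','k','.','d','l','l'};
static const struct { const uint16_t *s; size_t n; } kBlocked[] = { { kEvil, 12 } };

/* Case-insensitive match. No CRT wide-string calls: the callback runs under
 * the loader lock and must not load a library or take another lock. */
int ldr_block_name_is_blocked(const uint16_t *name, size_t length_bytes)
{
    size_t n = length_bytes / 2, i, j;
    if (!name) return 0;
    for (i = 0; i < sizeof kBlocked / sizeof kBlocked[0]; i++) {
        if (kBlocked[i].n != n) continue;
        for (j = 0; j < n && lower16(name[j]) == lower16(kBlocked[i].s[j]); j++) {}
        if (j == n) return 1;
    }
    return 0;
}

/* AddressOfEntryPoint (an RVA) from the headers at DllBase: e_lfanew at +0x3C
 * -> "PE\0\0", 20-byte file header, optional header; the entry point is at
 * optional header +16 for both PE32 (0x10b) and PE32+ (0x20b). 0 = bad headers. */
uint32_t ldr_block_entry_rva(const void *dll_base)
{
    const uint8_t *b = (const uint8_t *)dll_base;
    uint32_t pe;
    if (!b || b[0] != 'M' || b[1] != 'Z') return 0;
    pe = rd32(b + 0x3C);
    if (memcmp(b + pe, "PE\0\0", 4) != 0) return 0;
    if (rd16(b + pe + 24) != 0x10b && rd16(b + pe + 24) != 0x20b) return 0;
    return rd32(b + pe + 24 + 16);
}
/* xor eax,eax ; ret (same bytes on x86 and x64): DllMain returns FALSE, the
 * loader unloads the image and LoadLibrary fails with ERROR_DLL_INIT_FAILED. */
static const uint8_t kRetFalse[3] = { 0x31, 0xC0, 0xC3 };
/* Writes the stub over the entry point (memory must already be writable);
 * returns the RVA patched, or 0 if there was no entry point. */
uint32_t ldr_block_patch_entry(void *dll_base)
{
    uint32_t rva = ldr_block_entry_rva(dll_base);
    if (rva) memcpy((uint8_t *)dll_base + rva, kRetFalse, sizeof kRetFalse);
    return rva;
}
/* Constructed stand-in for a mapped image (not a real DLL): just enough PE32+
 * header for the helpers above, entry point at RVA 0x1234, host byte order. */
uint8_t *ldr_block_sample_image(void)
{
    static uint8_t img[0x1300]; static int built;
    const uint32_t pe = 0x40, entry = 0x1234; const uint16_t magic = 0x20b;
    if (built++) return img;
    img[0] = 'M'; img[1] = 'Z';
    memcpy(img + 0x3C, &pe, 4); memcpy(img + pe, "PE\0\0", 4);
    memcpy(img + pe + 24, &magic, 2); memcpy(img + pe + 24 + 16, &entry, 4);
    return img;
}
#ifdef _WIN32
#include <windows.h>
/* Documented by Microsoft but not shipped in the SDK headers, so declared here. */
typedef struct { USHORT Length, MaximumLength; PWSTR Buffer; } LDRB_UNICODE_STRING;
typedef struct { ULONG Flags; const LDRB_UNICODE_STRING *FullDllName, *BaseDllName;
                 PVOID DllBase; ULONG SizeOfImage; } LDRB_NOTIFICATION_DATA;
#define LDR_DLL_NOTIFICATION_REASON_LOADED 1
typedef VOID (CALLBACK *LDRB_NOTIFY_FN)(ULONG, const LDRB_NOTIFICATION_DATA *, PVOID);
typedef LONG (NTAPI *LDRB_REGISTER_FN)(ULONG, LDRB_NOTIFY_FN, PVOID, PVOID *);
typedef LONG (NTAPI *LDRB_UNREGISTER_FN)(PVOID);
static PVOID g_cookie;

static VOID CALLBACK ldr_block_callback(ULONG reason, const LDRB_NOTIFICATION_DATA *d, PVOID ctx)
{
    DWORD old; uint32_t rva; BYTE *ep; (void)ctx;
    if (reason != LDR_DLL_NOTIFICATION_REASON_LOADED || !d || !d->BaseDllName) return;
    if (!ldr_block_name_is_blocked((const uint16_t *)d->BaseDllName->Buffer, d->BaseDllName->Length)) return;
    if ((rva = ldr_block_entry_rva(d->DllBase)) == 0) return;
    ep = (BYTE *)d->DllBase + rva;
    if (!VirtualProtect(ep, sizeof kRetFalse, PAGE_EXECUTE_READWRITE, &old)) return;
    ldr_block_patch_entry(d->DllBase);
    VirtualProtect(ep, sizeof kRetFalse, old, &old);
    FlushInstructionCache(GetCurrentProcess(), ep, sizeof kRetFalse);
}

BOOL WINAPI DllMain(HINSTANCE h, DWORD why, LPVOID r)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    LDRB_REGISTER_FN reg = (LDRB_REGISTER_FN)GetProcAddress(ntdll, "LdrRegisterDllNotification");
    LDRB_UNREGISTER_FN unreg = (LDRB_UNREGISTER_FN)GetProcAddress(ntdll, "LdrUnregisterDllNotification");
    (void)h; (void)r;
    if (why == DLL_PROCESS_ATTACH) return reg && reg(0, ldr_block_callback, NULL, &g_cookie) == 0;
    if (why == DLL_PROCESS_DETACH && g_cookie && unreg) unreg(g_cookie); /* iconic: always unregister */
    return TRUE;
}
#endif
```

Two things are worth noticing. The name comparison works on the raw UNICODE_STRING buffer (Length is in bytes and there is no terminator), and it avoids every CRT routine that could allocate, lock or pull in another module, because the callback is invoked while the loader lock is held. The three-byte stub is the same on x86 and x64 (xor eax,eax zero-extends into RAX), and once it is in place the loader sees DllMain return FALSE, unloads the image and fails the LoadLibrary call with ERROR_DLL_INIT_FAILED; that returned NULL is exactly what the unchecked GetProcAddress(LoadLibrary(...)) pattern madshi mentions above would then dereference.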

Re: how to prevent dll loading

Postby madshi » Wed May 30, 2018 3:34 pm

Uh, here come iconic's special magic undocumented hacks... 8)

Haven't heard of LdrSetAppCompatDllRedirectionCallback() yet. Does it also work in Windows 2000? And does it still work in Windows 10?

I did try using LdrRegisterDllNotification() in madCodeHook to replace my internal LoadLibrary API hook, but I had to remove it again because it proved to not be stable enough. It seems you need to be rather careful about what you do within a LdrRegisterDllNotification() callback. <sigh>
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to prevent dll loading

Postby iconic » Wed May 30, 2018 4:27 pm

Hey Madshi :D

LdrSetAppCompatDllRedirectionCallback() only works on XP and below (2000 should work too) IIRC, but it's only really applicable to what the OP asked in this thread, not so much for patching an in-memory/loaded module such as is possible with LdrRegisterDllNotification(). LdrRegisterDllNotification() can be tamed, but as you've already mentioned one must be very careful inside the callback function. When your callback is called the loader lock is held and the DLL module is in the pre-dynamic-linking stage, which is very early. Whatever you do, make sure your code doesn't wind up intentionally or accidentally loading another library inside the callback execution.

You might also consider deferred processing of the mapped module, at least until OEP is called. For one project I jump to my own callback function that has overwritten the DLL's entry point, apply some module patches, write the original prologue back and call the original entry point again. A cleaner solution might be to add your own TLS callback to the module which just points to your code and do whatever you need to inside. In other projects I've had (luck?) simply applying my patches right inside the notification callback itself without any stability issues. I guess it all just depends on what you're doing to the mapped module.
iconic
 
Posts: 826
Joined: Wed Jun 08, 2005 5:08 am

Re: how to prevent dll loading

Postby madshi » Wed May 30, 2018 4:52 pm

Well, yes, I have a (complicated) function that runs whenever a new DLL is potentially loaded or unloaded. That function runs through all installed API hooks and checks them. Historically I always had my own LoadLibrary hook and doing all these things in it worked fine. But simply trying to replace my LoadLibrary hook with LdrRegisterDllNotification() sometimes produced stability issues. It could be due to the loader lock, but I think there were other issues, as well.

I guess I could try hacking around it somehow by using one of the methods you mentioned. But honestly, my LoadLibrary hook works fine, so I'm somewhat reluctant to add many new hacks to replace something which already works fine. If LdrRegisterDllNotification() had worked fine without any additional hacks, it would have been a very welcome replacement for my LoadLibrary hook. But as it is, I think I'll stick to what has worked well for many years.
madshi
Site Admin
 
Posts: 9664
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to prevent dll loading

Postby iconic » Wed May 30, 2018 5:03 pm

Like the popular phrase goes, if it ain't broke, don't fix it ;)

--Iconic
iconic
 
Posts: 826
Joined: Wed Jun 08, 2005 5:08 am
