Size of hook dll is 150 KB - shrink it?

c++ / delphi package - dll injection and api hooking
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Post by dcsoft »

Hello, I just purchased madCodeHook, and must say the ease of use and support on this forum and usenet are wonderful! :D

I have already gotten my first project to work --- the most popular example of hooking WS2_32.DLL, the send() function. I have created both a hook dll (which uses HookAPI) and an injector exe (which uses InjectDLL). I built both projects using Microsoft VC++ 6 with the madCodeHook static library linked into both the .exe and the .dll. (I don't want to use the madCodeHook.dll, since this must be copied to windows\system32, and I hate shared DLLs since other people's installs can corrupt mine; plus, this DLL has triggered anti-virus packages in the past.)

My issue is that the resulting hook dll and injector exe are each about 150 KB. Although 300 KB is small by today's standards, I was expecting something 5-10x smaller, since all the SetWindowsHookEx() hook dlls I've previously written are only a few KB in size. This is causing some deployment issues because the download size is extremely critical.

It seems the static library of madCodeHook is always entirely linked in when using VC 6, even though only a few of the APIs are actually called. IOW, smart linking is disabled on this library. Furthermore, it uses the /INCREMENTAL:NO flag, which disables incremental linking of my projects, even in debug builds (a minor point, but I thought I'd mention it).

Is this because madCodeHook is a Delphi library? Can further optimization be made for VC users? I would hate to discard such a fine library due to file size.

Thanks much,
David
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

The static library is created by using DllToLib, a tool which converts a standard win32 dll to a static lib. Unfortunately DllToLib doesn't support smart linking (I just asked the developers yesterday)... :sorry:

There's nothing I can do to improve the file size problem - except maybe porting madCodeHook to C++.
c78
Posts: 14
Joined: Mon Nov 22, 2004 4:44 pm

Post by c78 »

There are a few programs out there that will shrink your executables and DLLs, just find one that's reliable. I've used Aspack in the past, and had absolutely no problems with it. I think it's free for 30 days. It reduced my 800k BCB5 .exe to around 300k.

Post by madshi »

Exe compressors usually work fine. However, there might be problems with using compressors together with madCodeHook. I'm not sure about it, though. Might be worth a try. I'd recommend using it only for the exe, though, and not for the hook dll. I'd not feel well with having a compressed hook dll.

Post by c78 »

If compressing the DLL does work (like you said, worth a try) then it would also help with the virus detectors, since the signature would most likely be scrambled.

Post by dcsoft »

c78 wrote: If compressing the DLL does work (like you said, worth a try) then it would also help with the virus detectors, since the signature would most likely be scrambled.

Thanks for the suggestion to use Aspack. I tried it, and it does make the .exe and .dll smaller. But when we bundle them into our installer, the resulting file size is about the same as before. So using Aspack doesn't reduce the download size.

If it were up to me, I would just write both the .exe and .dll in Delphi (actually, would Borland C++ also use smart linking?), but that would mean the Build team would need to install the Borland tools, and I'm not sure if that isn't too much to ask. Hmmm, I'll keep looking for solutions.

Mathias, maybe one weekend you could port madCodeHook to C++! :wink:


Thanks anyway,
David

Post by madshi »

Borland C++ wouldn't work, but Borland C++ Builder would work. Versions 5 and 6 are directly supported. And yes, you get smart linking there.

Post by dcsoft »

madshi wrote: Borland C++ wouldn't work, but Borland C++ Builder would work. Versions 5 and 6 are directly supported. And yes, you get smart linking there.

OK, I thought to try Borland. I used to work at Borland (worked on the IDE in Borland C++ 3.0 and Turbo Pascal for Windows 1.5, so it was a long time ago!), so I went there and downloaded Borland C++BuilderX Personal, which I guess is free, although they never came out and said so. I suppose this is the replacement for Borland C++ Builder 6; I couldn't download this one. I didn't see any "BuilderX" folders in the madCollection, so I just copied the .h, .hpp, and .lib files out of the Bcb6 folders. These include things like "sysinit.hpp", which isn't anywhere to be found in either madCollection or the BuilderX install.

So I'm getting build errors now. Is there any hope of getting this to work with the current C++BuilderX?

Thanks,
David

Post by c78 »

CBuilderX is completely different from C++ Builder and Delphi. It's a platform-independent C++ IDE with no built-in native support. It's the newer version of the old Borland C++ you used to work on, but works in Solaris, Linux, Windows, etc.

I'm pretty sure C++ Builder 6 can be downloaded for a 30-day free trial, look again. Is your only problem the size of the executables? If so Builder won't help that -- probably would make it worse.

Post by dcsoft »

c78 wrote: CBuilderX is completely different from C++ Builder and Delphi. It's a platform-independent C++ IDE with no built-in native support. It's the newer version of the old Borland C++ you used to work on, but works in Solaris, Linux, Windows, etc.

Thanks for that! I wondered why the IDE was written in Java! :lol:

c78 wrote: I'm pretty sure C++ Builder 6 can be downloaded for a 30-day free trial, look again. Is your only problem the size of the executables? If so Builder won't help that -- probably would make it worse.

Thanks, I found it (finally... they bury it after the BuilderX stuff). Well, I built my hook dll, which only calls HookAPI() and UnhookAPI(), in BCB6, and it turned out to be 192 KB! The VC++ build was only 155 KB.

Then I accidentally deleted the BCB project file (.dpr file) and had to recreate it. Now when I build, the DLL is only 52 KB. But it doesn't seem to work correctly, probably pilot error. I'll have to look at it some more tomorrow, thanks for all your help. I'll report back what I find.

-- David

Post by madshi »

c78 wrote: Is your only problem the size of the executables? If so Builder won't help that -- probably would make it worse.

I think it should be better than using MSVC for one simple reason: MSVC uses the static madCodeHook lib, and that doesn't support smart linking. BCB can use the precompiled obj files which ship with madCollection, and those do support smart linking. So I think the file size should decrease when using BCB. Best option for file size is probably Delphi, though.

Post by madshi »

dcsoft wrote: Well, I built my hook dll, which only calls HookAPI() and UnhookAPI(), in BCB6, and it turned out to be 192 KB! The VC++ build was only 155 KB.

Now that's strange!

Do you use madCHook.h? Or madCodeHook.h(pp)? The first one is meant for all C++ compilers except BCB. When using BCB please use madCodeHook.h instead.

dcsoft wrote: Then I accidentally deleted the BCB project file (.dpr file) and had to recreate it. Now when I build, the DLL is only 52 KB. But it doesn't seem to work correctly

A small Delphi 7 hook dll compiled with madCodeHook is about 75 KB. A small Delphi 7 exe which calls InjectLibrary is about 95 KB. When using BCB you should get more or less similar results, maybe slightly bigger. But I haven't actually tried BCB yet. Make sure your BCB projects do *not* use packages (see project options) and do also not use the dynamic RTL.

Post by madshi »

dcsoft wrote: I used to work at Borland (worked on the IDE in Borland C++ 3.0 and Turbo Pascal for Windows 1.5, so it was a long time ago!)

So if you know Turbo Pascal, and if you don't get BCB to play nice, then you can still go Delphi. However, the trial edition of Delphi doesn't accept precompiled 3rd party components. So you can't use that to test madCodeHook. You could try to get access to Delphi 6 Personal Edition, though. That should work fine.

Post by dcsoft »

madshi wrote: Do you use madCHook.h? Or madCodeHook.h(pp)? The first one is meant for all C++ compilers except BCB. When using BCB please use madCodeHook.h instead.

I had used madCodehook.h; I switched to madCodehook.hpp. The only difference I could see is that when I used the Hpp file, I had to manually specify all the madCollection .obj's to link. When I used the .H file, those were linked in automatically (probably due to the #pragma link statement).

madshi wrote: A small Delphi 7 hook dll compiled with madCodeHook is about 75 KB. A small Delphi 7 exe which calls InjectLibrary is about 95 KB. When using BCB you should get more or less similar results, maybe slightly bigger. But I haven't actually tried BCB yet. Make sure your BCB projects do *not* use packages (see project options) and do also not use the dynamic RTL.

OK, I played some more and the bottom line is the smallest DLL produced by BCB6 is 190 KB. (The one from yesterday which was 55 KB didn't have my hook source in it! :oops: ). I successfully disabled the dynamic RTL (size increased from 150 KB to 190 KB). But I couldn't disable the packages... when I did so, I got a linker error that WINDOWS.OBJ was not found. I could not successfully resolve this without enabling packages. So I don't know if this DLL can even run without the BCB system installed. Without packages, this DLL could get even bigger.

Even so, when I inject this DLL into IExplore.exe, it crashes. The one built with VC++ did not... so I am still quite far from getting something resolved.

It looks like BCB6 isn't a solution. The smallest DLL is even bigger than VC++! I like the Delphi solution. Your demo with the HookTerminateAPIs.dll (which seems built with Delphi) is only 81 KB and zips down to 45 KB. Perfect! But the problem is Delphi 6 is nowhere to be found on the Borland web site. :-( Only Delphi 2005.

I could buy Delphi 6 Personal elsewhere... but do you know if this can be used to deploy commercial apps, or do we need to buy the Professional? In addition, there also seems to be a Delphi 7 Personal available... do you support that too?

Are you sure you won't reconsider porting this to C? Borland products are great, but there are many more developers using Microsoft!

Thanks much,
David

Post by madshi »

dcsoft wrote: OK, I played some more and the bottom line is the smallest DLL produced by BCB6 is 190 KB. (The one from yesterday which was 55 KB didn't have my hook source in it! :oops: ). I successfully disabled the dynamic RTL (size increased from 150 KB to 190 KB). But I couldn't disable the packages... when I did so, I got a linker error that WINDOWS.OBJ was not found. I could not successfully resolve this without enabling packages. So I don't know if this DLL can even run without the BCB system installed. Without packages, this DLL could get even bigger.

Tested it myself in BCB5. With packages it's 180 KB. Without packages (had to manually edit the project file to get rid of the WINDOWS.OBJ problem) the file even got to 195 KB. So in other words: BCB really isn't a good solution for madCodeHook. I didn't expect BCB to be that bad!

dcsoft wrote: I could buy Delphi 6 Personal elsewhere... but do you know if this can be used to deploy commercial apps, or do we need to buy the Professional? In addition, there also seems to be a Delphi 7 Personal available... do you support that too?

madCodeHook supports D4-D7 and D2005. Every edition is supported, except D6 evaluation (not sure about D2005 evaluation, didn't test that yet). I'd suggest that you try to get access to a D4 or D5 standard or professional edition. Those should be *very* cheap to get. I'm not sure about the license situation, though. Maybe the standard edition must not be used for commercial projects? I believe the standard edition (D4, D5) is ok for commercial usage, but the personal edition (D6, D7) is not. Might be wrong, though. The professional edition is just fine, though. And as I said D4/5 professional should be quite cheap now.

dcsoft wrote: Are you sure you won't reconsider porting this to C? Borland products are great, but there are many more developers using Microsoft!

Well, a side effect is that I'm pushing Delphi this way, which is quite welcome! :D But maybe a C port will come sooner or later, especially because I need to support 64-bit OSs soon, and Borland doesn't offer a 64-bit compiler/linker/IDE yet... :(