A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #17573  by Buster_BSA
 Thu Jan 03, 2013 9:14 pm
The DllMain function is an optional entry point into a dynamic-link library (DLL).

Is it possible to know if a DLL contains a DllMain function? If yes, what methods can be used to detect DllMain's presence or absence?
 #17577  by EP_X0FF
 Fri Jan 04, 2013 3:28 am
OptionalHeader->AddressOfEntryPoint
 #17579  by Buster_BSA
 Fri Jan 04, 2013 9:14 am
Attached there are 2 DLLs.

Could you explain how to know which of them has DllMain, please?

I checked OptionalHeader->AddressOfEntryPoint but I was not able to figure out anything that may help me to know if the DLL has DllMain or not.
 #17586  by EP_X0FF
 Fri Jan 04, 2013 11:06 am
AddressOfEntryPoint is the address from where code is being executed. It makes no difference how it is named in the sources: "DllMain", "MegaCode" or "WhatEverShit".

DLLMAIN.DLL is an x86 DLL with EntryPoint set to 0041E084; here is "DllMain".
NODLLMAIN.DLL is an x86 EXE with EntryPoint set to 0040DD16; here is "main".
Code:
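#include <windows.h>

/* Returns the virtual address of the entry point of a PE image mapped at
   ImageBase, or NULL if reading the headers raises an exception. */
LPVOID WINAPI PELoaderGetEntryPoint(
	LPVOID ImageBase
	)
{
	PIMAGE_DOS_HEADER			pdosh;
	PIMAGE_FILE_HEADER			pfh1;
	PIMAGE_OPTIONAL_HEADER32	poh32;
	PIMAGE_OPTIONAL_HEADER64	poh64;
	LPVOID						EntryPoint = NULL;

	__try {

		/* e_lfanew points at the "PE\0\0" signature; skip its DWORD to reach the file header. */
		pdosh = (PIMAGE_DOS_HEADER)ImageBase;
		pfh1 = (PIMAGE_FILE_HEADER)((ULONG_PTR)ImageBase + (pdosh->e_lfanew + sizeof(DWORD)));
		poh32 = (PIMAGE_OPTIONAL_HEADER32)((ULONG_PTR)pfh1 + sizeof(IMAGE_FILE_HEADER));
		poh64 = (PIMAGE_OPTIONAL_HEADER64)poh32;

		/* AddressOfEntryPoint is an RVA, so add the image base to get the address.
		   Note: a zero AddressOfEntryPoint (no entry point) yields ImageBase itself. */
		EntryPoint = (pfh1->Machine == IMAGE_FILE_MACHINE_AMD64) ?
			(LPVOID)(poh64->AddressOfEntryPoint + (ULONG_PTR)ImageBase) : 
			(LPVOID)(poh32->AddressOfEntryPoint + (ULONG_PTR)ImageBase);

	} __except (EXCEPTION_EXECUTE_HANDLER) {

#ifdef PELDRDBG
		LdrOutputDebugString(TEXT("PELoader: GetEntryPoint failed\n"));
#endif
	}

	return EntryPoint;
}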
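The header check discussed in this thread, as an added example that is not part of any post above: portable C that reads a raw PE file buffer with explicit bounds checks and reports whether it is an EXE, a DLL with an entry point, or a DLL whose AddressOfEntryPoint is zero. The names `pe_classify`, `pe_kind` and `make_sample` are hypothetical, and the sample header is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum pe_kind { PE_INVALID, PE_EXE, PE_DLL_WITH_ENTRY, PE_DLL_NO_ENTRY };

/* Little-endian field readers/writers, independent of host alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Classify a raw PE file in buf[0..len); *entry_rva receives AddressOfEntryPoint. */
enum pe_kind pe_classify(const uint8_t *buf, size_t len, uint32_t *entry_rva)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D)              /* IMAGE_DOS_SIGNATURE "MZ" */
        return PE_INVALID;
    uint32_t nt = rd32(buf + 0x3C);                      /* e_lfanew */
    /* Need signature (4) + IMAGE_FILE_HEADER (20) + optional header through
       AddressOfEntryPoint (offset 16, 4 bytes) inside the buffer. */
    if (nt > len || len - nt < 4 + 20 + 20 || rd32(buf + nt) != 0x00004550)
        return PE_INVALID;
    const uint8_t *fh = buf + nt + 4;                    /* IMAGE_FILE_HEADER */
    const uint8_t *oh = fh + 20;                         /* IMAGE_OPTIONAL_HEADER */
    uint16_t magic = rd16(oh);
    if (rd16(fh + 16) < 20 || (magic != 0x10B && magic != 0x20B))
        return PE_INVALID;                               /* SizeOfOptionalHeader / Magic */
    *entry_rva = rd32(oh + 16);                          /* same offset in PE32 and PE32+ */
    if (!(rd16(fh + 18) & 0x2000))                       /* IMAGE_FILE_DLL not set */
        return PE_EXE;
    /* For a DLL the field is zero when no entry point is present. A nonzero value
       is whatever the linker chose, often a runtime startup stub, not "DllMain". */
    return *entry_rva ? PE_DLL_WITH_ENTRY : PE_DLL_NO_ENTRY;
}

/* Constructed 0x100-byte PE32 header stub (not a loadable image) for the checks. */
size_t make_sample(uint8_t *buf, uint16_t characteristics, uint32_t entry_rva)
{
    memset(buf, 0, 0x100);
    wr16(buf, 0x5A4D);
    wr32(buf + 0x3C, 0x80);
    wr32(buf + 0x80, 0x00004550);
    wr16(buf + 0x84, 0x014C);            /* Machine: IMAGE_FILE_MACHINE_I386 */
    wr16(buf + 0x84 + 16, 0xE0);         /* SizeOfOptionalHeader for PE32 */
    wr16(buf + 0x84 + 18, characteristics);
    wr16(buf + 0x98, 0x10B);             /* Magic: PE32 */
    wr32(buf + 0x98 + 16, entry_rva);    /* AddressOfEntryPoint */
    return 0x100;
}
```

Checking the IMAGE_FILE_DLL bit first catches the case seen in the thread, where a file with a .DLL extension was actually an EXE.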