[evelyette]

Hi,

I'm going over the list of loaded modules as present in PEB->Ldr->InMemoryOrderModuleList, which points to the _LDR_DATA_TABLE_ENTRY data structure as presented below. The InMemoryOrderLinks contains Flink/Blink to the next/previous loaded module. Basically I would like to hook the EntryPoint of the DLL. I imagine, the loader loading the A.dll, which depends upoen B.dll, which depends upon C.dll, so when the C.dll's DllMain is called, the modules A.dll and B.dll are already present in the InMemoryOrderLinks, but their DllMain's have not been called yet. Therefore, from C.dll, I would like to hook the EntryPoint of the A.dll in order for my function to be called, from where I would jump to the original entry point.

Code: Select all

typedef struct _LDR_DATA_TABLE_ENTRY {
	LIST_ENTRY InLoadOrderLinks;
	LIST_ENTRY InMemoryOrderLinks;
	LIST_ENTRY InInitializationOrderLinks;
	PVOID DllBase;
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STRING FullDllName;
	UNICODE_STRING BaseDllName;
	ULONG Flags;
	WORD LoadCount;
	WORD TlsIndex;
	ULONG SectionPointer;
	ULONG CheckSum;
	ULONG TimeDateStamp;
	ULONG EntryPointActivationContext;
	ULONG PatchInformation;
	LIST_ENTRY ForwarderLinks;
	LIST_ENTRY ServiceTagLinks;
	ULONG ContextInformation;
	ULONG OriginalBase;
	ULONG LoadTime1;
	ULONG LoadTime2;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

I would like to know whether the EntryPoint contains a 32-bit address on 32-bit systems and 64-bit address of 64-bit systems. At the http://phrack.org/issues/65/10.html, the following is written:

- BaseAddress: The base of the module in memory.
- EntryPoint : Address where the module's first instruction to
be executed can be found.
- SizeOfImage: Size of the module in memory.

This makes me think that the actual address is stored in the EntryPoint and not the offset, but I would like to be sure before proceeding, because I want this to work on both 32-bit as well as 64-bit operating systems. Does anybody know whether EntryPoint contains 64-bit address on 64-bit systems and how does the loaded calculate this address: in PE structure the entry point field specifies the offset into the current module where the entry point is located, but is the EntryPoint in the _LDR_DATA_TABLE_ENTRY an actual address or an offset?

[EP_X0FF]

Code: Select all

lkd> dt nt!_PEB_LDR_DATA 0x00007ffb9fad0320
   +0x000 Length           : 0x58
   +0x004 Initialized      : 0x1 ''
   +0x008 SsHandle         : (null) 
   +0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000099`21312150 - 0x00000099`213f5f00 ]
   +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000099`21312160 - 0x00000099`213f5f10 ]
   +0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000099`21311ff0 - 0x00000099`213f5f20 ]
   +0x040 EntryInProgress  : (null) 
   +0x048 ShutdownInProgress : 0 ''
   +0x050 ShutdownThreadId : (null) 

Code: Select all

lkd> dt nt!_LDR_DATA_TABLE_ENTRY 0x0000009921312150
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x00000099`21311fd0 - 0x00007ffb`9fad0330 ]
   +0x010 InMemoryOrderLinks : _LIST_ENTRY [ 0x00000099`21311fe0 - 0x00007ffb`9fad0340 ]
   +0x020 InInitializationOrderLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000099`211cf0b8 ]
   +0x020 InProgressLinks  : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000099`211cf0b8 ]
   +0x030 DllBase          : 0x00007ff6`a3f50000 Void
   +0x038 EntryPoint       : 0x00007ff6`a3f9f294 Void
   +0x040 SizeOfImage      : 0x8e000
   +0x048 FullDllName      : _UNICODE_STRING "C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\windbg.exe"
   +0x058 BaseDllName      : _UNICODE_STRING "windbg.exe"

It is PVOID = DllBase (Loaded Image Base Address PVOID) + (AddressOfEntryPoint DWORD from PE header). If it is WOW64 PEB DllBase and resulting EntryPoint will be 4 bytes long.