There is a useful function under Windows XP - you should know it, I use it - LdrSetAppCompatDllRedirectionCallback - to block loading of some unwanted DLLs (see attached source...). There is one small problem - this function doesn't exist under Windows 7, so my question is - which method of DLL blocking is, in your opinion, as universal and effective as the one mentioned (works from XP to 7)? If possible, I wouldn't want to use any code hooks - just already implemented solutions, if any...
/*
 * Pointer type for the callback that is registered through
 * LdrSetAppCompatDllRedirectionCallback.
 *
 * The callback is NTAPI, so any function assigned to this type must be
 * defined with the same calling convention.
 *
 * Parameters as named by this declaration:
 *   Flags              - flag bits passed in by the caller of the callback.
 *   DllName            - name of the DLL being processed.
 *   DllPath            - optional search path.
 *   DllCharacteristics - optional, in/out.
 *   CallbackData       - the context pointer given at registration time.
 *   EffectiveDllPath   - output path pointer.
 *
 * NOTE(review): this is not a documented interface; the exact meaning of
 * Flags, DllCharacteristics and EffectiveDllPath is not shown here and
 * should be confirmed before relying on them.
 */
typedef NTSTATUS (NTAPI *PLDR_APP_COMPAT_DLL_REDIRECTION_CALLBACK_FUNCTION)(
    IN ULONG Flags,
    IN PCWSTR DllName,
    IN PCWSTR DllPath OPTIONAL,
    IN OUT PULONG DllCharacteristics OPTIONAL,
    IN PVOID CallbackData,
    OUT PWSTR *EffectiveDllPath
    );
/*
 * Prototype of the registration routine.
 *
 *   Flags            - flag bits; the sample call in this listing passes 0.
 *   CallbackFunction - callback to register.
 *   CallbackData     - opaque context pointer handed back to the callback.
 *
 * IMP_SYSCALL is a project macro that supplies the linkage, return type and
 * calling convention; its expansion is not shown here.
 *
 * NOTE(review): the accompanying post states that this routine does not
 * exist on Windows 7. If IMP_SYSCALL produces a load-time import, a binary
 * built this way would presumably fail to start there - confirm, and resolve
 * the routine at run time if the same binary must run on both systems.
 */
IMP_SYSCALL LdrSetAppCompatDllRedirectionCallback(
    IN ULONG Flags,
    IN PLDR_APP_COMPAT_DLL_REDIRECTION_CALLBACK_FUNCTION CallbackFunction,
    IN PVOID CallbackData
    );
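/*
 * DLL redirection callback that refuses to load one DLL, selected by name.
 *
 * DllName is compared, ignoring case, against the fixed name L"unknown.dll".
 * On a match the load is refused with STATUS_UNSUCCESSFUL and a debug line
 * is printed; every other name is allowed with STATUS_SUCCESS.
 *
 * Flags, DllPath, DllCharacteristics, CallbackData and EffectiveDllPath are
 * not used.
 *
 * The definition is marked NTAPI so that it matches
 * PLDR_APP_COMPAT_DLL_REDIRECTION_CALLBACK_FUNCTION. Without the keyword the
 * function takes the compiler's default calling convention, which on x86 is
 * only the same thing when the build defaults to __stdcall.
 *
 * Limits of this check:
 *  - The comparison covers the whole string. If DllName arrives with a
 *    directory prefix it will not equal the bare file name - confirm which
 *    form is passed in.
 *  - The decision is based on the name alone, not on the file's content or
 *    signature, so the same DLL under a different file name is not refused.
 *  - *EffectiveDllPath is never written. NOTE(review): presumably the caller
 *    initialises it before the call - confirm.
 */
NTSTATUS NTAPI LdrDllRedirectionCallback(
    IN ULONG Flags,
    IN PCWSTR DllName,
    IN PCWSTR DllPath OPTIONAL,
    IN OUT PULONG DllCharacteristics OPTIONAL,
    IN PVOID CallbackData,
    OUT PWSTR *EffectiveDllPath)
{
    UNICODE_STRING LoadedDllName;
    UNICODE_STRING BlockedDllName;

    RtlInitUnicodeString(&LoadedDllName, DllName);
    RtlInitUnicodeString(&BlockedDllName, L"unknown.dll");

    /* Third argument TRUE selects a case-insensitive comparison. */
    if (RtlCompareUnicodeString(&LoadedDllName, &BlockedDllName, TRUE) != 0)
    {
        /* Not the blocked name: let the load continue. */
        return STATUS_SUCCESS;
    }

    UmDbgPrint((">> BLOCKING DLL - %ws\n", DllName));
    return STATUS_UNSUCCESSFUL;
}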
/*
 * Register LdrDllRedirectionCallback with Flags = 0 and no context pointer.
 *
 * NOTE(review): the result of the call is discarded, so a failed
 * registration would go unnoticed and no DLL would be blocked. If the
 * routine returns a status (IMP_SYSCALL's expansion is not shown), check it.
 */
LdrSetAppCompatDllRedirectionCallback(
    0,                          /* Flags */
    LdrDllRedirectionCallback,  /* CallbackFunction */
    NULL);                      /* CallbackData */
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)