KERNELBASE.dll: LoadLibraryA wrapped.
KERNELBASE.dll: LoadLibraryExA wrapped.
KERNELBASE.dll: LoadLibraryW wrapped.
KERNELBASE.dll: LoadLibraryExW wrapped.
KERNEL32.DLL: LoadLibraryA wrapped.
KERNEL32.DLL: LoadLibraryExA wrapped.
KERNEL32.DLL: LoadLibraryW wrapped.
KERNEL32.DLL: LoadLibraryExW wrapped.
A: kernel32.dll
A: kernel32.dll
A: kernel32.dll
W: kernel32.dll
W: rpcrt4.dll
A: kernel32.dll
A: kernel32.dll
A: kernel32.dll
W: kernel32.dll
A: ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll
W: ext-ms-win-rtcore-ntuser-window-ext-l1-1-0.dll
A: advapi32.dll
A: advapi32.dll
A: advapi32.dll
W: advapi32.dll
A: api-ms-win-core-com-l1-1-0.dll
W: api-ms-win-core-com-l1-1-0.dll
A: ext-ms-win-mininput-inputhost-l1-1-0.dll
A: ext-ms-win-mininput-inputhost-l1-1-0.dll
W: ext-ms-win-mininput-inputhost-l1-1-0.dll
A: d3d9.dll
A: d3d9.dll
A: d3d9.dll
W: d3d9.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_66011d60fecdb7a1\igdumdim32.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_66011d60fecdb7a1\igdumdim32.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_66011d60fecdb7a1\igdumdim32.dll
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-localization-l1-2-1
W: api-ms-win-core-localization-l1-2-1
A: gdi32.dll
A: gdi32.dll
A: gdi32.dll
W: gdi32.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\nvmi.inf_amd64_9cd951c47b0da577\nvdlist.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\nvmi.inf_amd64_9cd951c47b0da577\nvdlist.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\nvmi.inf_amd64_9cd951c47b0da577\nvdlist.dll
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-localization-l1-2-1
W: api-ms-win-core-localization-l1-2-1
W: kernel32.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\nvmi.inf_amd64_9cd951c47b0da577\nvldumd.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\nvmi.inf_amd64_9cd951c47b0da577\nvldumd.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\nvmi.inf_amd64_9cd951c47b0da577\nvldumd.dll
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-localization-l1-2-1
W: C:\WINDOWS\system32\crypt32.dll
W: WINTRUST.DLL
W: C:\WINDOWS\System32\crypt32.dll
A: api-ms-win-core-processthreads-l1-1-2.dll
W: api-ms-win-core-processthreads-l1-1-2.dll
A: C:\WINDOWS\system32\rsaenh.dll
W: C:\WINDOWS\system32\rsaenh.dll
W: C:\WINDOWS\system32\bcryptprimitives.dll
W: C:\WINDOWS\system32\wintrust.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\nvmi.inf_amd64_9cd951c47b0da577\nvd3dum.dll
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-localization-l1-2-1
W: api-ms-win-core-localization-l1-2-1
A: d3d9.dll
A: d3d9.dll
A: d3d9.dll
W: d3d9.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_66011d60fecdb7a1\igdumdim32.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_66011d60fecdb7a1\igdumdim32.dll
W: C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_66011d60fecdb7a1\igdumdim32.dll
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-synch-l1-2-0
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-fibers-l1-1-1
W: api-ms-win-core-localization-l1-2-1
W: api-ms-win-core-localization-l1-2-1
To keep it simple: I injected detours into LoadLibrary(Ex)?(A|W). I was expecting to see some redundancy (like LoadLibraryExX calling the matching LoadLibraryX), but why (to take the most obvious example) is kernel32 loaded both through LoadLibraryA and through LoadLibraryW??? It seems obvious to me that the Windows loader has control over those calls, so there's no need for umpteen calls????
(I also know that kernel32 is just a trampoline to kernelbase, but my code doesn't make that distinction (yet). I don't distinguish the LoadEx calls from the Load calls either, since in both cases the string is the first argument (stdcall).)
In itself it doesn't block me; I'm just trying to refuse the loading of certain DLLs when I start my target under DBI (a), because all of that has to be instrumented, and the more DLLs there are the longer it takes, boss, so if I can avoid crap like nvidia... But it seemed odd to me on an API that userspace code rarely calls (except to do not-so-clean things).
The code, for the curious:
#include <windows.h>     // LPCSTR, LPCWSTR, WideCharToMultiByte, CP_UTF8
#include <cstdint>
#include <cstring>       // wcslen
#include <fstream>
#include <string>
#include "dr_api.h"      // dr_get_proc_address, module_data_t, app_pc
#include "drwrap.h"      // drwrap_wrap, drwrap_get_arg

// Log stream opened in dr_client_main (not shown in the post); drwrap_init() and
// dr_register_module_load_event(module_load_event) are also called from there.
extern std::ofstream logger;

// LoadLibraryA(LPCSTR)
// LoadLibraryExA(LPCSTR, HANDLE, DWORD)
// Both take the module name as their first argument, so one pre-hook serves both.
static void pre_loadLibraryA(void* wrapcxt, OUT void** /* userdata */)
{
    LPCSTR moduleName = static_cast<LPCSTR>(drwrap_get_arg(wrapcxt, 0));
    logger << "A: " << (moduleName ? moduleName : "(null)") << std::endl;
}

// LoadLibraryW(LPCWSTR)
// LoadLibraryExW(LPCWSTR, HANDLE, DWORD)
static void pre_loadLibraryW(void* wrapcxt, OUT void** /* userdata */)
{
    LPCWSTR moduleName = static_cast<LPCWSTR>(drwrap_get_arg(wrapcxt, 0));
    if (moduleName == nullptr) {
        logger << "W: (null)" << std::endl;
        return;
    }
    // First call sizes the UTF-8 output (cbMultiByte = 0), second call converts.
    const int wideLength = static_cast<int>(wcslen(moduleName));
    const int length = WideCharToMultiByte(CP_UTF8, 0, moduleName, wideLength, nullptr, 0, nullptr, nullptr);
    std::string buffer(length, '\0');
    WideCharToMultiByte(CP_UTF8, 0, moduleName, wideLength, &buffer[0], length, nullptr, nullptr);
    logger << "W: " << buffer << std::endl;
}

// Exports to wrap in every module that provides them (kernel32 and kernelbase both do).
struct LoadLibraryHook {
    const char* name;
    void (*pre)(void*, void**);
};
static const LoadLibraryHook hooks[] = {
    { "LoadLibraryA",   pre_loadLibraryA },
    { "LoadLibraryExA", pre_loadLibraryA },
    { "LoadLibraryW",   pre_loadLibraryW },
    { "LoadLibraryExW", pre_loadLibraryW },
};

void module_load_event(void* /* drcontext */, const module_data_t* info, bool /* loaded */)
{
    for (const LoadLibraryHook& hook : hooks) {
        app_pc towrap = reinterpret_cast<app_pc>(dr_get_proc_address(info->handle, hook.name));
        if (towrap == nullptr)
            continue;   // this module does not export it; keep checking the other exports
        if (drwrap_wrap(towrap, hook.pre, nullptr))
            logger << info->names.file_name << ": " << hook.name << " wrapped." << std::endl;
        else
            logger << info->names.file_name << ": Failed to wrap " << hook.name << ": is it already wrapped?" << std::endl;
    }
}
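An added example, not the poster's code: the decision logic the post is after (refusing selected DLL loads from the pre-hook), written as plain C++ with no DynamoRIO or Win32 dependency so it compiles and runs on its own. It normalizes the three argument shapes visible in the log above (bare names, full DriverStore paths, and api-set names that arrive without an extension), matches them against a denylist, and collapses consecutive hook hits on the same name into one load request. The collapsing rests on an assumption, marked in the code: that one LoadLibraryA call forwards through LoadLibraryExA to LoadLibraryExW and every wrapped entry point fires once along the way, which is consistent with the three "A:" lines followed by one "W:" line per kernel32 load in the log. The denylist entries and the sample hits are constructed for the example; the function names are the example's own.

```cpp
// Added example (not the poster's client): denylist logic for LoadLibrary arguments,
// kept free of DynamoRIO/Win32 headers so it builds anywhere.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Reduce whatever LoadLibrary received to a comparable key: file name without the
// directory, lower-cased, with ".dll" appended when no extension is present
// (api-set names such as "api-ms-win-core-synch-l1-2-0" come in without one).
std::string module_key(const std::string& requested)
{
    const std::string::size_type slash = requested.find_last_of("\\/");
    std::string name = (slash == std::string::npos) ? requested : requested.substr(slash + 1);
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (name.find('.') == std::string::npos)
        name += ".dll";
    return name;
}

// Denylist match on the normalized key. Entries are normalized too, so that
// "NVD3DUM.DLL", "nvd3dum" and "C:\...\nvd3dum.dll" all refer to the same module.
bool should_block(const std::string& requested, const std::vector<std::string>& denylist)
{
    const std::string key = module_key(requested);
    for (const std::string& entry : denylist)
        if (module_key(entry) == key)
            return true;
    return false;
}

// One hook hit as the poster's logger prints it: 'A' or 'W' plus the raw argument.
struct HookHit { char variant; std::string name; };
// One application-level load request after collapsing nested forwarding.
struct LoadRequest { std::string key; int hits; };

// Assumption (not established by the post): when LoadLibraryA forwards to
// LoadLibraryExA and on to LoadLibraryExW, each wrapped entry fires once for the
// same name, back to back. Collapsing consecutive hits on the same key therefore
// yields one request per application call, with the number of hits it produced.
std::vector<LoadRequest> collapse_forwarding(const std::vector<HookHit>& hits)
{
    std::vector<LoadRequest> out;
    for (const HookHit& h : hits) {
        const std::string key = module_key(h.name);
        if (!out.empty() && out.back().key == key)
            ++out.back().hits;
        else
            out.push_back({key, 1});
    }
    return out;
}

int main()
{
    // Sample hits constructed from the first lines of the posted log.
    const std::vector<HookHit> sample = {
        {'A', "kernel32.dll"}, {'A', "kernel32.dll"}, {'A', "kernel32.dll"}, {'W', "kernel32.dll"},
        {'W', "rpcrt4.dll"},
        {'W', "C:\\WINDOWS\\System32\\DriverStore\\FileRepository\\nvmi.inf_amd64_9cd951c47b0da577\\nvd3dum.dll"},
        {'W', "api-ms-win-core-synch-l1-2-0"},
    };
    // Constructed denylist: the NVIDIA user-mode driver DLLs seen in the log.
    const std::vector<std::string> denylist = {"nvd3dum", "nvldumd.dll", "NVDLIST.DLL"};
    for (const LoadRequest& r : collapse_forwarding(sample))
        std::cout << r.key << " (" << r.hits << " hook hits)"
                  << (should_block(r.key, denylist) ? " -> refuse" : "") << '\n';
    return 0;
}
```

To act on the decision inside the DynamoRIO pre-hook, drwrap provides drwrap_skip_call(wrapcxt, retval, stdcall_args_size), which returns retval to the caller without running the wrapped function; a NULL return is what the caller would see for a failed load, and it has to tolerate that or it will crash later. For a 32-bit stdcall target the last argument is the byte size of the arguments the callee would have popped (one pointer for LoadLibraryA/W, three for the Ex variants); on x64 it is 0. Skipping the call at the outermost wrapped entry also prevents the forwarded entries from firing, so the denylist check belongs there rather than in the innermost hook.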