Tuts 4 You

How to load dll without passing first init?


LCF-AT


Hi guys,

I have a small question and don't remember the answer anymore at the moment, so maybe you could help quickly.

How was it going to load a module / dll into my own & other processes without executing the init / run of the dll? Normally if I am using the LoadLibrary / Ex function the dll was running the init = did run on time from EP etc. In my case I wanna load the dll, then change some code in the dll, and then it should process the init / EP etc. You know what I mean, right?

In OllyDBG it's like if you would enable the option "Break on new module". If Olly stops then I can see the whole dll code in the memory map and can also set a BP at EP for example to stop there. Something like this I wanna do too anyhow but don't remember anymore.

Maybe anyone could help with some infos / functions etc. to do this.

Quick example: Just wanna load a dll in my own or another process and patch the entrypoint of the dll to my code location XY / patch XY in the same dll and the init goes on normally.

greetz


Hi guys,

thanks for your answers so far.

Ok I tried using the DONT_RESOLVE_DLL_REFERENCES flag with LoadLibraryEx and it works to load the dll without going to EP etc. Now I can patch something in the loaded dll. The question now is how to init the dll now to the process normally?

Example: I am using LoadLibraryEx with DONT_RESOLVE_DLL_REFERENCES which returns the base of the dll in eax. Now with that base I patch the dll EP address to my location to jump to if the EP gets accessed. Now after this I want to load this dll normally like using just LoadLibraryA so that the init / EP gets accessed, but how is the question? You know what I mean, right?

Something like DONT_RESOLVE_DLL_REFERENCES first || Patch hook EP || RESOLVE_DLL_REFERENCES etc. I am also not really sure anymore whether this way is working anyhow.

So the only method I can use is to hook the ZwMapViewOfSection function before calling LoadLibraryA. In this case I get the module / dll I wanna load mapped as one section in memory and now I can hook / patch the EP..... also directly in the PE header.

0035F86C   77830450  /CALL to ZwMapViewOfSection from ntdll.7783044B
0035F870   000000B8  |SectionHandle = B8 (184.)
0035F874   FFFFFFFF  |ProcessHandle = FFFFFFFF (-1.)
0035F878   0035F950  |pBaseAddress = 0035F950  <------ Base to get
0035F87C   00000000  |ZeroBits = 0x0
0035F880   00000000  |CommitSize = 0x0
0035F884   00000000  |pSectionOffset = NULL
0035F888   0035F934  |pViewSize = 0035F934     <------ Image size
0035F88C   00000001  |InheritDisposition = VIEW_SHARE
0035F890   00000000  |AllocationType
0035F894   00000004  \Win32Protect = PAGE_READWRITE

0035F950   62BF0000  <--- Base I got
0035F934   0085D000  <--- Image size of module

Section: 62BF0000 | 0085D000

So this seems to work to load a dll normally using LoadLibraryA | Hooking ZwMapViewOfSection or RtlImageNtHeaderEx | Checking return values | Modding file etc. Maybe not so pretty using this method but any other method I don't have in my mind at the moment. So I think what I wanna do is clear, just looking for the right or easiest way to do this, you know. If you have any better method in mind I could try then just tell me. :)

greetz


You can look up how manual mapping handles initializing the DLL that was manually mapped into memory. That will show the steps to take to manually re-handle the loading steps.

The BlackBone project on GitHub has this handled pretty well which you can reference here: https://github.com/DarthTon/Blackbone/blob/0072fba51c81aec5c6f56b7a7705377fe2f785d1/src/BlackBone/ManualMap/MMap.cpp


Came across this which has some code on how to perform image base relocations and resolve the import address table once a dll is loaded into memory: https://ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection

Just have to adapt the code, as I guess the image is already in memory with the LoadLibraryEx call instead of manually loading it as in the example code shown.

10 hours ago, fearless said:

Came across this which has some code on how to perform image base relocations and resolve the import address table once a dll is loaded into memory: https://ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection

Just have to adapt the code, as I guess the image is already in memory with the LoadLibraryEx call instead of manually loading it as in the example code shown.

Assuming this developer isn't part of the game hacking scene/communities, but his implementation is the same thing as manual mapping. Something else to note about his implementation, he does not handle TLS callbacks/initializations.
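As an added illustration for this thread (not code from any poster, from BlackBone or from the ired.team page): the two places in a mapped image that the loader's initialization reaches are the optional header's AddressOfEntryPoint, which the thread talks about patching after a DONT_RESOLVE_DLL_REFERENCES load, and the TLS directory's callback list, which the reply above notes the linked implementation skips. The parser below reads both out of a PE32 image laid out in section (RVA == offset from base) form, which is how LoadLibraryEx leaves it; it is useful for verifying, before letting initialization run, exactly which RVAs will execute. The sample image is constructed inline, and the code assumes the image sits at its preferred ImageBase (TLS callback pointers are VAs, not RVAs, so a relocated image would need the actual base subtracted instead).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Little-endian field readers for a raw PE image in memory. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

#define MAX_TLS_CALLBACKS 8
struct pe_init_info {
    uint32_t entry_rva;        /* AddressOfEntryPoint: what the loader calls as DllMain */
    uint32_t image_base;       /* preferred ImageBase from the optional header */
    uint32_t tls_rva;          /* RVA of IMAGE_TLS_DIRECTORY32, 0 if absent */
    int      tls_callback_count;
    uint32_t tls_callbacks[MAX_TLS_CALLBACKS]; /* callback RVAs, run before the EP */
};

/* img: PE32 image in mapped (section) layout, len bytes long.
   Returns 0 on success, a negative code for a malformed or unsupported image. */
int pe_read_init_info(const uint8_t *img, size_t len, struct pe_init_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;            /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                               /* e_lfanew */
    if (nt > len || len - nt < 0xF8) return -2;                   /* room for PE32 NT headers */
    if (rd32(img + nt) != 0x00004550) return -3;                  /* "PE\0\0" */
    const uint8_t *opt = img + nt + 4 + 20;                       /* skip signature + FileHeader */
    if (rd16(opt) != 0x10B) return -4;                            /* PE32 magic only (32-bit thread) */
    out->entry_rva  = rd32(opt + 16);
    out->image_base = rd32(opt + 28);
    if (rd32(opt + 92) <= 9) return 0;                            /* no TLS data-directory slot */
    uint32_t tls_rva = rd32(opt + 96 + 9 * 8);                    /* IMAGE_DIRECTORY_ENTRY_TLS */
    if (tls_rva == 0) return 0;
    if (tls_rva > len || len - tls_rva < 24) return -5;
    out->tls_rva = tls_rva;
    /* AddressOfCallBacks (+12) is a VA; convert assuming the preferred base. */
    uint32_t cb_va = rd32(img + tls_rva + 12);
    if (cb_va < out->image_base) return -6;
    uint32_t cb_rva = cb_va - out->image_base;
    while (out->tls_callback_count < MAX_TLS_CALLBACKS) {
        if (cb_rva > len || len - cb_rva < 4) return -7;
        uint32_t cb = rd32(img + cb_rva);
        if (cb == 0) break;                                       /* list is NULL-terminated */
        if (cb < out->image_base) return -8;
        out->tls_callbacks[out->tls_callback_count++] = cb - out->image_base;
        cb_rva += 4;
    }
    return 0;
}

/* Constructed sample image (not a real DLL): DOS stub, PE32 headers, a TLS
   directory at RVA 0x200 and two callbacks listed at RVA 0x300. */
#define SAMPLE_LEN 0x400
static uint8_t sample_image[SAMPLE_LEN];
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
const uint8_t *build_sample_image(void)
{
    memset(sample_image, 0, SAMPLE_LEN);
    sample_image[0] = 'M'; sample_image[1] = 'Z';
    wr32(sample_image + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(sample_image + 0x80, "PE\0\0", 4);
    uint8_t *opt = sample_image + 0x80 + 24;
    opt[0] = 0x0B; opt[1] = 0x01;                    /* PE32 magic */
    wr32(opt + 16, 0x1000);                          /* AddressOfEntryPoint */
    wr32(opt + 28, 0x10000000);                      /* ImageBase */
    wr32(opt + 92, 16);                              /* NumberOfRvaAndSizes */
    wr32(opt + 96 + 9 * 8, 0x200);                   /* TLS directory RVA */
    wr32(opt + 96 + 9 * 8 + 4, 24);                  /* TLS directory size */
    wr32(sample_image + 0x200 + 12, 0x10000300);     /* AddressOfCallBacks (VA) */
    wr32(sample_image + 0x300, 0x10001100);          /* callback 1 (VA) */
    wr32(sample_image + 0x304, 0x10001200);          /* callback 2 (VA) */
    wr32(sample_image + 0x308, 0);                   /* terminator */
    return sample_image;
}

int main(void)
{
    struct pe_init_info info;
    int rc = pe_read_init_info(build_sample_image(), SAMPLE_LEN, &info);
    printf("rc=%d entry RVA=0x%X TLS callbacks=%d\n", rc, info.entry_rva, info.tls_callback_count);
    for (int i = 0; i < info.tls_callback_count; i++)
        printf("  TLS callback RVA 0x%X\n", info.tls_callbacks[i]);
    return rc;
}
```

Against a module loaded with DONT_RESOLVE_DLL_REFERENCES you would pass the HMODULE as `img` and SizeOfImage as `len`; every RVA reported is then base plus that offset, and the TLS list is the part that still runs on a normal load even when only the EP has been redirected.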
