Hey,

after a dll is loaded via LoadLibrary into a Process a new entry in the PEB.Ldr.InMemoryOrderModuleList is created. Because i want to hide the loading of a certain dll i removed this entry after loading the dll. The dll still works fine, but I'm asking what other reference were create by the usage of LoadLibrary. I know that there is some internal struct on the kernel side for each process, maybe this internal struct also holds an entry of my dll ( i think its called KPEB, but i'm not sure ).

Information regards the behaviour of LoadLibrary concerning dll references would be nice.

OHPen.

look for mgriers blog in msdn iirc he wrote a very lengthy 6,7 part series on Loadlibrary and its allied functions LdrLoadDll

Hi blabberer,

thank you for the hint. I will read the 7 articles. I need to understand what LoadLibrary is exactly doing because i have to make a decision between manually loading the dll ( fixing the relocation, etc. ) or using system functions + clean all created references in the operating system.

To be honest i would prefere the first method, but i don't find any source which i could use the manually loading a dll.

Regards,

OHPen

PS: i read the first one which is about LoadLibrary and from that point of view only the entry in the load order list is created if that would be everything it would be stupid not to use LoadLibrary + removing the created entry. I can't believe that there are not more references created...

i cant be sure if this fits your bill but
you can check anonymouse's modified commandline plugin its available for download at openrce
that plugin has a command loaddll and i have used it to load certain dlls to debuggees in ollydbg

it comes with src

@blabberer: I'm not pretty sure if i completly understand what anonymouse here do but for me he seems to use some api from the dbghelp.dll from ms and use it to load the dlls. Is that correct ? Does the dbghelp use another way to load dlls ?

regards, OHPen

PS: I checked the plugin again and its definitivly not doin what i want to do

i dont think he is using any apis at all in his loaddll function
iirc he simply allocates memory in process , writes the dll string some where in the memory
assembles pusad,pushfd,push &string,call Loadlibrary , popfd,popad modifies thread context and jumps back to the previously fetched eip from unmodified context and has his process suspended for the whole duration

At my website : deroko.phearless.org there is source for dllbande, which uses manual mapping of a dll for debugging purposes. It's C code

@blabberer: i really take a short look at the code. I will study it when i have more time

@deroko: thanks for the hint, but i to stupid to find a download called dllbande on your side. can you post a link ?

regards,

OHPen

DLL Break and Enter
http://deroko.phearless.org/dllbande.rar

danke

I now check the code, and that was exactly was i searching for. Thank you deroko

Regards,

OHPen

http://www.edgeofnowhere.cc/viewtopic.php?t=305739

Search the page for "CloakDll" and you will find what your looking for along with a very detailed explanation of the inner workings of GetModuleHandle.

I would really enjoy reading that code too, but your server seems to be down. I cannot access www.darawk.com at all...

Regards,

OHPen

I know, but the code is posted later in the thread. Keep scrolling down.

Ok, great thank you.