I want to find out the loaded DLL name.


agcraft
September 10th, 2006, 20:44
Hi all.

1.
I used WaitForDebugEvent, a Windows API in the Debug category.
It works to catch the moment a DLL loads.
I caught the time when a DLL was loaded by program code I made.
The information from WaitForDebugEvent is useful,
but I do not know the name of the loaded DLL.

How can I find it?

2.
I will explain: I inject code (machine code) into the original program,
but I know that the section information (.text, .rdata, etc.) will be re-aligned,
so I do not have any information.
Could someone help me with something?

disavowed
September 10th, 2006, 21:09
1. You can get the base address of the DLL from LOAD_DLL_DEBUG_INFO.lpBaseOfDll.
You can then use CreateToolhelp32Snapshot to iterate the modules in the target process. When you find the module for which MODULEENTRY32.modBaseAddr == LOAD_DLL_DEBUG_INFO.lpBaseOfDll, you can use MODULEENTRY32.szModule or MODULEENTRY32.szExePath to get the loaded DLL's name.

2. I don't understand your question.

agcraft
September 11th, 2006, 00:48
I am sorry, my English is limited. And thank you for your help.

The second topic I would like to explain is very simple.
My purpose is to inject machine code I programmed into a target program,
but without using API hooks or the like.
It will change the section table offsets or function pointers, etc.
If I do that, I want to know what I have to do.
For example, if I want to use TextOutA, in GDI32.dll, in the target program:
the target program has no information about GDI32.dll or TextOutA. I will write the information into the import section of the target program. But what can I do in this environment? I want to get information about this situation.

I know my fault, but I hope you understand it.

Silver
September 11th, 2006, 08:27
I think you're asking how to insert code (and a new section) into the PE that uses imports not already included in the target exe? I'm not sure if you're trying to do this manually (i.e. use IIDKing) or through an exploit (unchecked buffer to shellcode).

If you're doing it through an exploit you can't do this at runtime in the manner you're describing, it's not possible to edit the data directory of a PE when it's loaded. If you can create a proper exploit you could just getprocaddress of TextOutA in your code then call the function directly.

If you're doing it manually then you could add another section for your code then add the appropriate imports (good time to use Ntoskrnl's Explorer Suite!). Then simply add a call/jmp to your code in the new section from wherever you need in the original section.

I think most of this is going to be lost in translation though...

disavowed
September 11th, 2006, 10:15
agcraft, out of curiosity, what will you be using these techniques for? What is your project?

agcraft
September 11th, 2006, 19:53
Quote:
[Originally Posted by disavowed]agcraft, out of curiosity, what will you be using these techniques for? What is your project?


It's a hobby. I can tell you this is a private project for my own contentment, but I will not commit a crime or crack something.
Don't worry. I dislike eating rice mixed with beans.

agcraft
September 11th, 2006, 20:21
Quote:
[Originally Posted by Silver]I think you're asking how to insert code (and a new section) into the PE that uses imports not already included in the target exe? I'm not sure if you're trying to do this manually (i.e. use IIDKing) or through an exploit (unchecked buffer to shellcode).

If you're doing it through an exploit you can't do this at runtime in the manner you're describing, it's not possible to edit the data directory of a PE when it's loaded. If you can create a proper exploit you could just getprocaddress of TextOutA in your code then call the function directly.

If you're doing it manually then you could add another section for your code then add the appropriate imports (good time to use Ntoskrnl's Explorer Suite!). Then simply add a call/jmp to your code in the new section from wherever you need in the original section.

I think most of this is going to be lost in translation though...


The manual one is right!! I am surprised by your ability! I think I should study English myself.

But there are some different things.

First, I made a mistake: "a function in an external DLL is inserted into the target exe, not importing the DLL that includes that function."

Second, I suppose that the original program does not include TextOutA, so there is no DLL info in the import section of this application.

thank you.

Silver
September 12th, 2006, 09:32
Your first and second refer to the same thing, I think?

You don't need to have TextOutA in the imports to use it with getprocaddress. If getprocaddress also isn't in the imports you can call its address directly (I don't have the address to hand at the moment).

disavowed
September 12th, 2006, 11:45
Quote:
[Originally Posted by Silver]If getprocaddress also isn't in the imports you can call its address directly (I don't have the address to hand at the moment).

The address is dependent on your specific version/build of kernel32.dll.

deroko
September 12th, 2006, 14:57
You may always write your own GetProcAddress and use it. Locate one import from k32.dll and cycle backward till you find MZ/PE; after that, search the exports of k32 for GetProcAddress and LoadLibraryA, and you will get all you need using those two APIs.
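The two steps deroko sketches, as an added example written for this thread rather than taken from it: walk back from an address inside a module to its MZ/PE header, then look a name up in the export directory. It runs against a constructed in-memory image (build_image, an assumed stand-in for a mapped kernel32, not the real DLL) so that it needs no Windows; on a live process `mem` would be the module's mapped memory and `page` 4096. It also covers two details the sketch leaves out: names are compared including the terminator, so "GetProcAddressForCaller" does not match "GetProcAddress", and a forwarded export is reported as unresolved rather than treated as code.

```c
#include <stdint.h>
#include <string.h>
/* Little-endian field access; no windows.h, no reliance on struct packing. */
static uint16_t rd16(const uint8_t *m, size_t o) { return (uint16_t)(m[o] | m[o + 1] << 8); }
static uint32_t rd32(const uint8_t *m, size_t o) { return rd16(m, o) | (uint32_t)rd16(m, o + 2) << 16; }
static void wr32(uint8_t *m, size_t o, uint32_t v) { for (int i = 0; i < 4; i++) m[o + i] = (uint8_t)(v >> 8 * i); }
/* Step 1: from an address inside a mapped module, walk back one page at a time until an "MZ"
 * header whose e_lfanew lands on "PE\0\0" is found. `mem` stands in for the process address
 * space, offsets for virtual addresses. Returns (size_t)-1 if no header lies above `mem`. */
size_t find_image_base(const uint8_t *mem, size_t memlen, size_t addr, size_t page) {
    for (size_t p = addr & ~(page - 1);; p -= page) {
        if (p + 0x40 <= memlen && rd16(mem, p) == 0x5A4D) {
            uint32_t nt = rd32(mem, p + 0x3C);                /* e_lfanew, sanity-bounded by page */
            if (nt < page && p + nt + 4 <= memlen && rd32(mem, p + nt) == 0x4550) return p;
        }
        if (p < page) return (size_t)-1;
    }
}
/* Step 2: look `name` up in the export directory of the module at `base`; returns its RVA, or 0.
 * RVAs double as offsets because a mapped image is laid out by RVA. An RVA that points back
 * into the export directory is a forwarder string ("NTDLL.RtlFoo"), not code, so it gives 0 too. */
uint32_t find_export(const uint8_t *mem, size_t memlen, size_t base, const char *name) {
    uint32_t opt = rd32(mem, base + 0x3C) + 24;                             /* OptionalHeader */
    size_t dir = base + opt + (rd16(mem, base + opt) == 0x20B ? 112 : 96); /* DataDirectory[0] */
    uint32_t erva = rd32(mem, dir), esize = rd32(mem, dir + 4), span = (uint32_t)(memlen - base);
    if (erva == 0 || erva + 40 > span) return 0;
    size_t ed = base + erva, nlen = strlen(name) + 1;                       /* compare incl. NUL */
    uint32_t funcs = rd32(mem, ed + 0x1C), names = rd32(mem, ed + 0x20), ords = rd32(mem, ed + 0x24);
    for (uint32_t i = 0; i < rd32(mem, ed + 0x18); i++) {                   /* NumberOfNames */
        uint32_t nrva = rd32(mem, base + names + 4 * i);
        if (nrva + nlen > span || memcmp(mem + base + nrva, name, nlen) != 0) continue;
        uint32_t rva = rd32(mem, base + funcs + 4 * rd16(mem, base + ords + 2 * i));
        return (rva >= erva && rva < erva + esize) ? 0 : rva;
    }
    return 0;
}
/* Constructed stand-in for a mapped kernel32 (not a real DLL): PE32 headers at 0, an export
 * directory at RVA 0x200 naming two exports, 0x400 bytes in total, "page" size 0x200. */
void build_image(uint8_t *img) {
    static const uint32_t f[][2] = { {0x3C, 0x40}, {0xB8, 0x200}, {0xBC, 0x70}, /* e_lfanew; export RVA, size */
        {0x218, 2}, {0x21C, 0x230}, {0x220, 0x240}, {0x224, 0x248},          /* NumberOfNames; the 3 arrays */
        {0x230, 0x1000}, {0x234, 0x1234}, {0x240, 0x250}, {0x244, 0x260} };  /* function RVAs; name RVAs */
    memset(img, 0, 0x400); memcpy(img, "MZ", 2); memcpy(img + 0x40, "PE\0\0", 4);
    img[0x58] = 0x0B; img[0x59] = 0x01;                                      /* Magic = PE32 (0x10B) */
    for (size_t i = 0; i < sizeof f / sizeof f[0]; i++) wr32(img, f[i][0], f[i][1]);
    img[0x248] = 1; img[0x24A] = 0;                       /* ordinals: GetProcAddress -> 1, LoadLibraryA -> 0 */
    memcpy(img + 0x250, "GetProcAddress", 15); memcpy(img + 0x260, "LoadLibraryA", 13);
}
uint32_t resolve(const char *name) {   /* as import-free code would: base from an inside address, then export */
    uint8_t img[0x400]; build_image(img);
    size_t base = find_image_base(img, sizeof img, 0x300, 0x200);          /* 0x300: "some import" */
    return base == (size_t)-1 ? 0 : find_export(img, sizeof img, base, name);
}
```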

Silver
September 13th, 2006, 10:28
Quote:
[Originally Posted by disavowed]The address is dependent on your specific version/build of kernel32.dll.


Yep, you're right, I forgot about that. Potentially you could find another kernel32 import then compare it to known addresses for that same import per kernel32.dll version, which would then let you pick the right address. Of course that assumes you have all the possible addresses per kernel32 version for both the import used to compare and getprocaddress, which is fairly messy and feels very overengineered.

agcraft
September 17th, 2006, 22:38
I got a hint from this topic. Thanks.
I will try it.