Intercepting the WinMain of an arbitrary process

  • Question

  • Hi,

    Please keep in mind the following:
    1. I need to intercept the first ~line of code~ executed by a given native image (console app / Windows app).
    2. The intercepting application is a distinct application creating the process to be intercepted (a debugger).
    3. To ~take control~ of the debugged process, the debugger should inject a small code snippet to be executed on behalf of the debuggee.
    4. The injected code snippet calls methods in Kernel32.dll and ntdll.
    5. The point of interception should be after all DLLs were loaded (those referred to by the import table) BUT BEFORE the first line of code implemented by the debuggee was executed (e.g. intercept the WinMain method of the application).

    I was trying to:
    A. Create a suspended process and inject code into it, though at that stage the DLLs referred to in the import table are not yet loaded and the injected code cannot run.
    B. Using the debugging API, wait for NTDLL.DLL and KERNEL32.DLL to be loaded and only then inject the code; this also didn't help, as the thread grabbed is the one loading the PE, and until the PE is fully loaded the DLLs are not fully initialized (static variables, ...).

    Unfortunately, the debugging API doesn't provide a callback notification when the PE is fully loaded (prior to execution). The only solution I see now is to manually iterate through the IATs of the debuggee and all of its references to work out the total number of referenced DLLs, and then to wait with the injection for that number of LOAD_DLL_DEBUG_EVENT calls from the debugging API.

    The above is a cumbersome process, and I wonder: is there any other way to achieve what is described in this post?
    Should it be possible to dynamically inject a '.tls' callback? Is such a callback executed after all IAT DLLs are loaded? Is it guaranteed to execute prior to ~WinMain~?

    Thanks,
       Nadav Rubinstein,
       http://www.sophin.com

    • Moved by Nancy Shao Monday, October 19, 2009 7:33 AM Not appropriate forum (From:Visual C++ Language)
    Saturday, October 17, 2009 8:25 AM
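The moment the question asks for (import DLLs loaded and initialised, nothing of the debuggee's own code run yet) is exactly where a debugger's entry-point breakpoint stops: the loader maps the image, loads and initialises every DLL named in the import table, runs the image's TLS callbacks, and only then jumps to IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint. The Python/ctypes program below is an added example and not code from this thread or from the poster's project. It creates the target with DEBUG_ONLY_THIS_PROCESS, reads the PE headers out of the debuggee on CREATE_PROCESS_DEBUG_EVENT, writes an INT3 at base + AddressOfEntryPoint, and when that breakpoint is reported restores the original byte and rewinds the instruction pointer, leaving the main thread stopped at the entry point so the caller can inject. Assumptions: debugger and debuggee have the same bitness (no WOW64 handling), the CONTEXT sizes and offsets are the ones from winnt.h, `fake_pe_headers` is a constructed fixture (not a real binary) used only to check the header parser offline, and `run_to_entry_point` can only be exercised on Windows.

```python
"""Stop a new process at its image entry point with the Win32 debugging API (added example).
The loader maps the image, loads every DLL named in the import table, runs their DllMain
routines and the image's TLS callbacks, and only then jumps to AddressOfEntryPoint; an INT3
planted there fires after all of that and before the first debuggee instruction."""
import ctypes
import struct

DWORD, WORD, PVOID, SIZE_T = ctypes.c_uint32, ctypes.c_uint16, ctypes.c_void_p, ctypes.c_size_t
X64 = ctypes.sizeof(PVOID) == 8
DEBUG_ONLY_THIS_PROCESS, INFINITE = 0x2, 0xFFFFFFFF
EXCEPTION_DEBUG_EVENT, CREATE_PROCESS_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT = 1, 3, 5
EXCEPTION_BREAKPOINT, DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED = 0x80000003, 0x10002, 0x80010001
# CONTEXT layout from winnt.h: (sizeof, ContextFlags offset, Rip/Eip offset, CONTEXT_CONTROL)
CTX_SIZE, CTX_FLAGS, CTX_IP, CONTEXT_CONTROL = (1232, 48, 248, 0x100001) if X64 else (716, 0, 184, 0x10001)

def pe_entry_point_rva(image: bytes) -> int:
    """AddressOfEntryPoint of an in-memory PE image (same offset in PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", image, 0x3C)[0]                      # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 4 + 20                                                    # after signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<I", image, opt + 16)[0]

def fake_pe_headers(entry_rva: int, pe32plus: bool = True) -> bytes:
    """Constructed fixture (not a real binary): the minimum header bytes pe_entry_point_rva needs."""
    hdr = bytearray(0x58 + 0x70)                                         # DOS header, PE sig, file hdr, opt hdr
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                              # e_lfanew
    struct.pack_into("<H", hdr, 0x58, 0x20B if pe32plus else 0x10B)      # optional header Magic
    struct.pack_into("<I", hdr, 0x68, entry_rva)                         # AddressOfEntryPoint
    return bytes(hdr)

class EXCEPTION_RECORD(ctypes.Structure):
    _fields_ = [("ExceptionCode", DWORD), ("ExceptionFlags", DWORD), ("ExceptionRecord", PVOID),
                ("ExceptionAddress", PVOID), ("NumberParameters", DWORD), ("ExceptionInformation", SIZE_T * 15)]

class EXCEPTION_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", DWORD)]

class CREATE_PROCESS_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("hFile", PVOID), ("hProcess", PVOID), ("hThread", PVOID), ("lpBaseOfImage", PVOID),
                ("dwDebugInfoFileOffset", DWORD), ("nDebugInfoSize", DWORD), ("lpThreadLocalBase", PVOID),
                ("lpStartAddress", PVOID), ("lpImageName", PVOID), ("fUnicode", WORD)]

class DEBUG_EVENT(ctypes.Structure):
    class U(ctypes.Union):   # padded beyond the largest real member so WaitForDebugEvent cannot overrun it
        _fields_ = [("Exception", EXCEPTION_DEBUG_INFO), ("CreateProcessInfo", CREATE_PROCESS_DEBUG_INFO),
                    ("_pad", ctypes.c_ubyte * 256)]
    _fields_ = [("dwDebugEventCode", DWORD), ("dwProcessId", DWORD), ("dwThreadId", DWORD), ("u", U)]

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", PVOID), ("hThread", PVOID), ("dwProcessId", DWORD), ("dwThreadId", DWORD)]

def run_to_entry_point(cmdline: str):
    """Create cmdline as a debuggee and return (hProcess, hThread, pid, tid, entry_va) with the main
    thread stopped at the entry point. The caller injects, then calls ContinueDebugEvent(pid, tid,
    DBG_CONTINUE) and keeps pumping debug events. Windows only; debugger and debuggee same bitness."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.ReadProcessMemory.argtypes = k32.WriteProcessMemory.argtypes = [PVOID, PVOID, PVOID, SIZE_T, ctypes.POINTER(SIZE_T)]
    k32.FlushInstructionCache.argtypes, k32.ContinueDebugEvent.argtypes = [PVOID, PVOID, SIZE_T], [DWORD, DWORD, DWORD]
    k32.GetThreadContext.argtypes = k32.SetThreadContext.argtypes = [PVOID, PVOID]
    si = ctypes.create_string_buffer(104 if X64 else 68)                 # STARTUPINFOW; only cb must be set
    struct.pack_into("<I", si, 0, len(si))
    pi, cmd = PROCESS_INFORMATION(), ctypes.create_unicode_buffer(cmdline)
    if not k32.CreateProcessW(None, cmd, None, None, False, DEBUG_ONLY_THIS_PROCESS, None, None, si, ctypes.byref(pi)):
        raise ctypes.WinError(ctypes.get_last_error())
    ev, n, orig, entry = DEBUG_EVENT(), SIZE_T(), ctypes.c_ubyte(), None
    while k32.WaitForDebugEvent(ctypes.byref(ev), INFINITE):
        status = DBG_CONTINUE
        if ev.dwDebugEventCode == CREATE_PROCESS_DEBUG_EVENT:
            cp, hdr = ev.u.CreateProcessInfo, ctypes.create_string_buffer(0x1000)
            k32.ReadProcessMemory(pi.hProcess, cp.lpBaseOfImage, hdr, 0x1000, ctypes.byref(n))
            entry = cp.lpBaseOfImage + pe_entry_point_rva(hdr.raw)
            k32.ReadProcessMemory(pi.hProcess, entry, ctypes.byref(orig), 1, ctypes.byref(n))
            k32.WriteProcessMemory(pi.hProcess, entry, ctypes.byref(ctypes.c_ubyte(0xCC)), 1, ctypes.byref(n))
            k32.FlushInstructionCache(pi.hProcess, entry, 1)
            k32.CloseHandle(cp.hFile)
        elif ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT:
            rec = ev.u.Exception.ExceptionRecord
            if rec.ExceptionCode != EXCEPTION_BREAKPOINT:
                status = DBG_EXCEPTION_NOT_HANDLED                       # not ours: let the debuggee handle it
            elif rec.ExceptionAddress == entry:                          # our INT3 (the loader's own initial
                k32.WriteProcessMemory(pi.hProcess, entry, ctypes.byref(orig), 1, ctypes.byref(n))  # breakpoint is
                k32.FlushInstructionCache(pi.hProcess, entry, 1)         # simply continued)
                raw = ctypes.create_string_buffer(CTX_SIZE + 16)
                ctx = (ctypes.addressof(raw) + 15) & ~15                 # CONTEXT must be 16-byte aligned on x64
                DWORD.from_address(ctx + CTX_FLAGS).value = CONTEXT_CONTROL
                if not k32.GetThreadContext(pi.hThread, ctx):
                    raise ctypes.WinError(ctypes.get_last_error())
                SIZE_T.from_address(ctx + CTX_IP).value = entry          # rewind over the 1-byte INT3
                if not k32.SetThreadContext(pi.hThread, ctx):
                    raise ctypes.WinError(ctypes.get_last_error())
                return pi.hProcess, pi.hThread, ev.dwProcessId, ev.dwThreadId, entry
        elif ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT:
            raise RuntimeError("debuggee exited before reaching its entry point")
        k32.ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status)
    raise ctypes.WinError(ctypes.get_last_error())
```

Usage: call `run_to_entry_point(r'"C:\path\to\target.exe"')`, do the injection (for instance WriteProcessMemory plus CreateRemoteThread into the stub) while the main thread is parked at the entry point, then call ContinueDebugEvent with the returned pid and tid and DBG_CONTINUE and keep servicing WaitForDebugEvent until EXIT_PROCESS_DEBUG_EVENT. This avoids counting LOAD_DLL_DEBUG_EVENTs entirely, and it is also why the thread grabbed in attempt B was the loader thread: the first breakpoint a debugger sees is the loader's own, raised before initialisation is complete, whereas the entry-point breakpoint is reached only after the import DLLs' DllMain routines and the image's TLS callbacks have run. On Windows 10 and later the entry point must be readable from a fresh copy of the headers each run, since ASLR relocates the image; the code reads lpBaseOfImage from the debug event rather than hard-coding it for that reason.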

All replies

  • Arbitrary process? Then you don't know when Kernel32 would be loaded. The LoadLibrary call can be anywhere in the code.
    Not sure why you post in a C++ compiler forum. The compiler does not understand what an API is either. It just accepts whatever lib you give to it.


    The following is a signature, not part of the post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful.
    Visual C++ MVP
    Saturday, October 17, 2009 3:11 PM
  • "arbitrary process? then you don't know when Kernel32 would be loaded" - well, as said in my original post, I am using the Windows debugging APIs; this API set enables the debugger to know when a DLL is loaded by the debuggee.

    Regarding the availability or absence of the Kernel32 DLL, well, it can easily be known a priori by iterating the IAT. In practice it is possible for an application not to use Kernel32 (in contrast to ntdll, which is loaded by any PE), though I couldn't find any application that doesn't use the Kernel32 DLL. I am just curious: can you give me an example of such an application?

    "Not sure why you post in a C++ compiler forum" - well, I post here because I already got helpful replies in this forum on several occasions.


    Nadav Rubinstein, http://www.sophin.com
    Saturday, October 17, 2009 9:42 PM
  • What you are describing looks like a good post for the Sysinternals forums. Yes, you got help here, but your post is still off-topic, and you won't always be lucky enough to win volunteers' time over the posts that are actually covered by the scope of this forum.

    The following is a signature, not part of the post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful.
    Visual C++ MVP
    Saturday, October 17, 2009 9:49 PM
  • Ok, I'll try the Sysinternals forum; I didn't know that one existed. Thanks for the tip.
    Nadav Rubinstein, http://www.sophin.com
    Sunday, October 18, 2009 9:49 AM