Intercept LoadLibrary calls by current process after DLL injection


After injecting my DLL into a process via CreateRemoteThread, I would like to know how this DLL could intercept any calls to LoadLibraryA/W that are made by the injected process. I saw the Detours library; however, it does not seem appropriate, as I don't want to change the behaviour of the hooked LoadLibrary call. I just would like to know what DLL the injected process is trying to load and obtain its full path + name.

What would be the best approach on that? Thank you.

Edit 1:

Okay, after playing around with Detours, I set it to intercept any LoadLibraryA() and even LoadLibraryW() and ... the message box is never triggered:

// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <stdio.h>
#include <windows.h>
#include "detours.h"

// Target pointer for the uninstrumented LoadLibraryW API.
//
static HMODULE(WINAPI* TrueLoadLibrary)(LPCWSTR lpLibFileName) = LoadLibraryW;

// Detour function that replaces the LoadLibrary API.
//
HMODULE WINAPI DetouredLoadLibrary(LPCWSTR lpLibFileName)
{
    HMODULE res = TrueLoadLibrary(lpLibFileName);
    MessageBoxW(NULL, lpLibFileName, L"Detoured!", MB_OK | MB_ICONEXCLAMATION);
    return res;
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    if (DetourIsHelperProcess()) {
        return TRUE;
    }

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();

        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)TrueLoadLibrary, DetouredLoadLibrary);
        DetourTransactionCommit();
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)TrueLoadLibrary, DetouredLoadLibrary);
        DetourTransactionCommit();
    }

    return TRUE;
}

I can see now that Procmon is logging more activity due to the job performed by Detours. However, one thing is bugging me: it looks like the operation is a CreateFile rather than LoadLibrary. I also tried to detour CreateFileA but had no more luck. I found a question on SO on this but there isn't any answer.

Any ideas why? Thank you.


There are 2 best solutions below

Joseph Sible-Reinstate Monica On

Using Detours is appropriate. It doesn't need to change the behavior; it can just log the information you want and then forward the call on to the real method.

Dlionis On

Found my answer by hooking CreateFileW instead of LoadLibrary..() with Detours.