Preventing a DLL file from loading into my process via MS Detours


Problem description

I'd like to prevent a specific third-party DLL file from loading into my application's process at runtime. My initial attempt at this was using the MS Detours product.

I have a 32-bit MFC application running on Windows 10 64-bit. I tested with the free MS Detours 3.0 version as a feasibility check.

In my MFC application class constructor, I call Detours to intercept the "load library" APIs (LoadLibraryW, LoadLibraryExW, LoadLibraryA, and LoadLibraryExA). This lets me intercept library loading and currently I just log out the name of the library being loaded and then call the original API so it proceeds to load the library. The eventual plan would be to look for the specific third-party DLL file name and in that case just return failure, preventing the DLL file from loading.

This sort of works. When I run my test application, close it, and then check the log I see a bunch of library load messages logged from my intercept functions.

BUT, my code never sees the particular third-party DLL file I'm looking for. What's happening is that the third-party DLL file is already loaded by the time I get to my application class constructor. So I'm too late!

How can I get some code to execute EARLIER and so hopefully install the detours stuff BEFORE the third-party library gets injected?

Recommended answer

It sounds like one of the following:

  • your app is static linking to the target DLL directly

  • one of your app's dependent DLLs is static linking to the target DLL, or otherwise loading it while itself is being loaded.

  • the target DLL is listed in the AppInit_DLLs Registry key.

  • another process has loaded the DLL as a global hook via SetWindowsHookEx(), using a hook type that injects the DLL into all running processes.

Nothing you can do to intercept the target DLL if it is being loaded before your app's code starts running. Statically linked DLLs are loaded by the OS before the EXE's code starts running. So only dynamically loaded DLLs can be intercepted with a detour, and only if loaded after you have installed your detour.

You need to find where the target DLL is actually being loaded from.

If your EXE is static linking to it directly, load it dynamically instead, either explicitly via LoadLibrary() in your code, or via your linker's delay-load feature (if it has one), which uses LoadLibrary() internally.

If another DLL is loading it, load that DLL dynamically instead of static linking to it.
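
One way to check the first two cases in the answer is to read the import tables of the EXE and of each DLL it depends on. The following is an added example, not code from the question or the answer: it parses a PE image's import directory and delay-import directory and reports how a given DLL is bound. The function names (`pe_imports`, `how_bound`, `build_sample`) and the DLL names in the constructed sample image are hypothetical, and delay-import descriptors are assumed to be RVA-based.

```python
import struct

def _u(data, fmt, off):
    return struct.unpack_from("<" + fmt, data, off)

def pe_imports(data):
    """Return (static, delay) lower-cased DLL names: data directories 1 and 13."""
    pe = _u(data, "I", 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt, opt_size = _u(data, "H", pe + 6)[0], pe + 24, _u(data, "H", pe + 20)[0]
    dirs = opt + (96 if _u(data, "H", opt)[0] == 0x10B else 112)  # PE32 / PE32+
    ndirs = _u(data, "I", dirs - 4)[0]                            # NumberOfRvaAndSizes
    secs = [_u(data, "IIII", opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):  # RVA -> file offset through the section table
        for vsize, vaddr, rsize, rptr in secs:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rptr + rva - vaddr
        raise ValueError("RVA 0x%x is outside every section" % rva)
    def names(index, size, name_at):  # walk one descriptor table
        rva, out = (_u(data, "I", dirs + 8 * index)[0] if index < ndirs else 0), []
        while rva:  # an RVA of 0 means the directory is absent
            name = _u(data, "I", off(rva) + name_at)[0]
            if not name:  # all-zero descriptor ends the table
                break
            start = off(name)
            out.append(data[start:data.index(b"\0", start)].decode("ascii").lower())
            rva += size
        return out
    # Assumption: delay descriptors hold RVAs (Attributes bit 0 set), as modern linkers emit.
    return names(1, 20, 12), names(13, 32, 4)

def how_bound(data, dll):
    """Return 'static', 'delay' or 'absent' for dll in this image's import tables."""
    static, delay = pe_imports(data)
    return "static" if dll.lower() in static else "delay" if dll.lower() in delay else "absent"

def build_sample():
    """Constructed minimal PE32 (not a real binary) used as sample input."""
    img = bytearray(0x400)
    for at, fmt, *vals in [
        (0x00, "2s", b"MZ"), (0x3C, "I", 0x40), (0x40, "4sHH", b"PE\0\0", 0x14C, 1),
        (0x54, "H", 224), (0x58, "H", 0x10B), (0xB4, "I", 16), (0xC0, "I", 0x1000), (0x120, "I", 0x1040),
        (0x138, "8sIIII", b".rdata", 0x200, 0x1000, 0x200, 0x200),   # one section
        (0x20C, "I", 0x1100), (0x240, "II", 1, 0x1120),              # descriptor name RVAs
        (0x300, "10s", b"VENDOR.dll"), (0x320, "10s", b"helper.dll"),
    ]:
        struct.pack_into("<" + fmt, img, at, *vals)
    return bytes(img)
```

Run `how_bound` on the bytes of the EXE and of each DLL it imports: `static` means the loader maps the DLL before any of the EXE's code runs, and `delay` means it arrives through LoadLibrary() on first use. `absent` for every image points to the AppInit_DLLs or SetWindowsHookEx() cases instead.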
