Running injected dll code in main thread of process


Problem description

So I need to run code in the main thread of a process (the process is very single-threaded and will randomly cause errors if not in the main thread).

Someone told me that DLLMain runs in every thread. Is this correct? And if so, how would I do it?

And if it's not, how could I achieve this?

Thanks.

Recommended answer

Here is a little bit of interesting trivia: Windows itself doesn't have a concept of a main thread. This is actually added by the runtime environment. If you look at the CRT startup code, a few lines after main/WinMain is called, the startup code calls exit.

        //
        // Initialization is complete; invoke main...
        //

        int const main_result = invoke_main();

        //
        // main has returned; exit somehow...
        //

        if (!__scrt_is_managed_app())
            exit(main_result);

This has the net result that if the thread that had main called on it exits, the entire application will also exit. Naturally you would have to have all threads return, or have one of the threads call ExitProcess.

Anyway, that aside: no, DllMain only runs in a single thread, but it can run in any thread. This isn't the same as running in every thread. Where DllMain runs depends on how you load the library. If it is loaded as part of the application initialisation then it will run in the main thread, but this is only for libraries that are in the IAT (import address table) of the executable. You can view what is in the IAT by running dumpbin /imports on the executable. If you call LoadLibrary, then DllMain will run in the thread that called LoadLibrary. So if you want to get it to run in a specific thread, you need to call LoadLibrary in that thread.

The one way that you could do this is to stop the main thread from executing after you have injected your library, edit a bit of the binary that you know will be executed at some point (hopefully finding some nop instructions), and use this to jump to a bit of memory that you wrote your binary instructions to, and then have it jump back. This can be a pain because not only do you have to know/understand ASM, but you also have to know the binary representation of the assembly instructions and the calling conventions, including which registers are volatile and non-volatile; and actually reading through the program leading up to where you inject your code (this means reading the disassembly) to know which registers you are allowed to use is a must.
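The IAT point above (what dumpbin /imports shows) can be checked without the Microsoft toolchain. The following Python is added here and is not part of the original answer: it walks a PE file's import directory and lists the DLLs the loader maps during process initialisation, i.e. the ones whose DllMain runs on the initial thread; the names `list_static_imports`, `build_sample_pe` and `IMPORT_DIR` are mine, and the PE image it parses is constructed inside the block rather than read from disk.

```python
import struct

IMPORT_DIR = 1                         # IMAGE_DIRECTORY_ENTRY_IMPORT
DATADIR_OFF = {0x10B: 96, 0x20B: 112}  # data-directory offset inside the optional header (PE32 / PE32+)

def list_static_imports(pe: bytes) -> list[str]:
    """DLL names in the import directory: loaded during process initialisation, so their
    DllMain runs on the initial thread. Libraries pulled in later by LoadLibrary are absent."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = pe_off + 4, pe_off + 24                       # COFF header, then optional header
    nsections, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    magic = struct.unpack_from("<H", pe, opt)[0]
    imp_rva = struct.unpack_from("<I", pe, opt + DATADIR_OFF[magic] + 8 * IMPORT_DIR)[0]
    if imp_rva == 0:
        return []                                             # no import table at all
    # The section table follows the optional header and is what maps RVAs to file offsets.
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsections)]
    def rva2off(rva: int) -> int:
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} lies outside every section")
    names, off = [], rva2off(imp_rva)
    while True:                                               # each IMAGE_IMPORT_DESCRIPTOR is 20 bytes
        name_rva = struct.unpack_from("<I", pe, off + 12)[0]  # the Name field
        if name_rva == 0:                                     # an all-zero descriptor ends the table
            break
        start = rva2off(name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        off += 20
    return names

def build_sample_pe(dlls: list[str]) -> bytes:
    """Constructed sample, not a real binary: minimal PE32+ whose one section holds only an import table."""
    sec = 0x200                                               # section RVA == file offset keeps the sample small
    strings = b"".join(d.encode() + b"\0" for d in dlls)
    rva, descs = sec + 20 * (len(dlls) + 1), b""              # names follow the descriptors and the terminator
    for d in dlls:
        descs += struct.pack("<IIIII", 0, 0, 0, rva, 0)       # only the Name RVA matters for this walk
        rva += len(d) + 1
    body = descs + bytes(20) + strings                        # all-zero descriptor terminates the table
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(struct.pack("<H", 0x20B)).ljust(240, b"\0")   # PE32+ magic, rest zeroed
    struct.pack_into("<II", opt, 112 + 8 * IMPORT_DIR, sec, len(descs) + 20)
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), sec, len(body), sec, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(sec, b"\0") + body
```

Delay-loaded and bound imports live in other data directories and are not walked here. A DLL loaded through LoadLibrary at run time leaves no trace in this table at all, which is exactly why its DllMain runs on whichever thread made the call.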

