Observe Dll Loading

Sometimes we want to know when a DLL is being loaded into memory and by whom. The following bp command sets a breakpoint on LoadLibraryW and dumps the full path passed to the function:

bp kernel32!LoadLibraryW "kb 3;dc poi(@ebp+8);"

Some notes:

  1. This only applies to 32-bit function calls without FPO. 64-bit functions are different, as most of the time RCX, RDX, R8 and R9 are used for passing the first four integer parameters.
  2. There are other ways of loading a DLL into memory, e.g. this stack from loading a COM in-proc server:

6385918f 63800000 00000001 ntdll!LdrpCallInitRoutine+0x14
00000000 75de3c8e 777f7c9a ntdll!LdrpRunInitializeRoutines+0x26f
02c6ba48 02c6ba14 00000000 ntdll!LdrpLoadDll+0x4d1
04afc6b4 02c6ba5c 02c6ba48 ntdll!LdrLoadDll+0x92
00000000 00000000 ffffffff KERNELBASE!LoadLibraryExW+0x15a
00000000 02c6baec 00000008 ole32!LoadLibraryWithLogging+0x16
02c6baec 02c6bab8 02c6babc ole32!CClassCache::CDllPathEntry::LoadDll+0xa9
02c6baec 02c6bdcc 02c6bae4 ole32!CClassCache::CDllPathEntry::Create_rl+0x37
00000001 02c6bdcc 02c6bd40 ole32!CClassCache::CClassEntry::CreateDllClassEntry_rl+0xd4
00000001 003e4eec 02c6bd84 ole32!CClassCache::GetClassObjectActivator+0x224
02c6bdcc 02c6c8e0 02c6c374 ole32!CClassCache::GetClassObject+0x30
77646444 02c6c374 02c6c8e0 ole32!CServerContextActivator::GetClassObject+0x104

If the breakpoint is hit too often, make it a conditional breakpoint:

bp kernel32!LoadLibraryExW ".block {as /mu DllPath poi(@esp+4)}; .block {.if ( $spat( \"${DllPath}\", \"*abc*\" ) ) { .echo DllPath; ad *; } .else { .echo DllPath; ad *; g;}};"

bp kernel32!LoadLibraryExA ".block {as /ma DllPath poi(@esp+4)}; .block {.if ( $spat( \"${DllPath}\", \"*abc*\" ) ) { .echo DllPath; ad *; } .else { .echo DllPath; ad *; g;}};"
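
For 64-bit targets, where the first argument arrives in RCX as note 1 says, the same breakpoints can be written as below. This is an added example, not part of the original post; it assumes an x64 process and a break at function entry (before RCX is overwritten), and it reuses the post's *abc* pattern as a placeholder.

```windbg
$$ Added example. Assumptions: x64 target, breakpoint hit at function entry,
$$ so rcx still holds the first argument (the library file name).

$$ Unconditional: show the top 3 frames, then dump the path as a Unicode string.
$$ "k" is used instead of "kb" because the argument columns printed by kb
$$ are not reliable for register-passed parameters on x64.
bp kernel32!LoadLibraryW "k 3; du @rcx"

$$ Conditional, wide-character variant: stop only when the path matches *abc*,
$$ otherwise echo the path and continue.
bp kernel32!LoadLibraryExW ".block {as /mu DllPath @rcx}; .block {.if ( $spat( \"${DllPath}\", \"*abc*\" ) ) { .echo DllPath; ad *; } .else { .echo DllPath; ad *; g;}};"

$$ Conditional, ANSI variant: same logic, but the alias is read as an ASCII string.
bp kernel32!LoadLibraryExA ".block {as /ma DllPath @rcx}; .block {.if ( $spat( \"${DllPath}\", \"*abc*\" ) ) { .echo DllPath; ad *; } .else { .echo DllPath; ad *; g;}};"
```

As in the 32-bit commands, `ad *` deletes every alias in the session, not only DllPath.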


Posted on December 27, 2011.