You cannot use functions other than kernel32.dll functions from DllMain :
From the MS documentation:
Since Kernel32.dll is guaranteed to be loaded into the process address space when calling the entry point function, calling functions in Kernel32.dll do not cause the DLL to be used before the initialization code is executed. Therefore, the entry-point function can call functions in Kernel32.dll that do not load other DLLs. For example, DllMain can create synchronization objects, such as critical sections and mutexes, and use TLS. Unfortunately, Kernel32.dll does not have an exhaustive list of safe functions.
...
Call functions that require DLLs other than Kernel32.dll can lead to problems that are difficult to diagnose. For example, calling the User, Shell, and COM functions may cause access errors because some functions load other components of the system. Conversely, calling functions such as these upon termination may cause access violation errors, since the corresponding component may already be unloaded or uninitialized.
My question is:
But the documentation does not mention ntdll.dll . - Can I call LoadLibrary for "ntdll" and use the functions in ntdll from DllMain :
1) during DLL_PROCESS_ATTACH (function to load and use ntdll)?
2) during DLL_PROCESS_DETACH (use the functions of the previously loaded ntdll)?
Also, please, would anyone with more than 1,500 reputation want to create a new tag called "dllmain"?
source
share