Many hook DLLs, in order to hook certain functions, simply load the DLL that exports them and then install the hooks. In other cases the DLL gets pulled in through dependency relationships. Either way, a process sometimes ends up loading DLLs it does not actually need.

Let's look at how Sandboxie handles this.

At initialization, Sandboxie hooks LdrQueryImageFileExecutionOptions. The loader calls this function after the process has finished loading a DLL; the hook eventually calls Ldr_MyDllCallbackA, which uses the information about the DLL that was just loaded to initialize the hooks for that DLL's functions. Hooks are therefore installed only when the target DLL is actually mapped into the process, rather than by loading it up front.
    _FX void Ldr_MyDllCallbackA(const CHAR *ImageName, HMODULE ImageBase)
    {
        //
        // invoke our sub-modules as necessary
        //
        if (ImageBase) {
            DLL *dll = Ldr_Dlls;
            while (dll->nameA) {
                if (_stricmp(ImageName, dll->nameA) == 0) {
                    BOOLEAN ok = dll->init_func(ImageBase);
                    if (!ok)
                        SbieApi_Log(2318, dll->nameW);
                    break;
                }
                ++dll;
            }
        }
    }
The call stack when AdvApi_Init is reached this way (chrome.exe calling LoadLibraryExA) is as follows:
Call Site
SbieDll!AdvApi_Init [e:\sandboxie5.40\core\dll\advapi.c @ 173]
SbieDll!Ldr_MyDllCallbackA+0x61 [e:\sandboxie5.40\core\dll\ldr.c @ 1073]
SbieDll!Ldr_CallOneDllCallback+0x3b [e:\sandboxie5.40\core\dll\ldr.c @ 651]
SbieDll!Ldr_CallDllCallbacks+0x276 [e:\sandboxie5.40\core\dll\ldr.c @ 820]
SbieDll!Ldr_LdrQueryImageFileExecutionOptions+0x25 [e:\sandboxie5.40\core\dll\ldr.c @ 1026]
ntdll!RtlIsDosDeviceName_U+0x4674
ntdll!RtlCreateUnicodeStringFromAsciiz+0xea
ntdll!LdrLoadDll+0x9e
SbieDll!Ldr_LdrLoadDll+0x5c [e:\sandboxie5.40\core\dll\ldr.c @ 888]
KERNELBASE!LoadLibraryExW+0x19c
KERNELBASE!LoadLibraryExA+0x51
chrome!IsSandboxedProcess+0x84365
chrome!IsSandboxedProcess+0xb3e4e
0xaaaaaaaa`00000000
0x8de670
0x1
0x8de650
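To make the load-triggered pattern concrete, here is an added example in the style of Ldr_MyDllCallbackA; it is not Sandboxie code. The DLL names, initializer functions, return codes and the re-map check are all hypothetical, and the "hooks" only count their invocations so the example builds and runs on any platform with a C99 compiler. It goes slightly beyond the original routine by remembering the base address the hooks were installed at, so a duplicate callback for the same mapping is skipped while a module re-mapped at a different base gets its hooks applied again.

```c
/* Added example, not Sandboxie code: a table-driven, load-triggered hook
 * initializer modelled on Ldr_MyDllCallbackA. DLL names, initializers and
 * return codes are hypothetical; the initializers only count calls. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef bool (*init_func_t)(void *image_base);

typedef struct {
    const char *name;       /* DLL name as the loader reports it */
    init_func_t init_func;  /* installs hooks into that image */
    void *hooked_base;      /* base the hooks were installed at, or NULL */
} dll_entry_t;

/* Results of on_dll_loaded() (hypothetical codes). */
enum { HOOK_NOT_TRACKED = -1, HOOK_FAILED = 0, HOOK_INSTALLED = 1, HOOK_ALREADY_DONE = 2 };

static int g_advapi_inits = 0, g_ws2_inits = 0;

/* Stand-in for an initializer such as AdvApi_Init: record the call, succeed. */
static bool advapi_init(void *image_base) { (void)image_base; g_advapi_inits++; return true; }
/* Stand-in for an initializer whose patching failed (e.g. an export was not found). */
static bool ws2_init(void *image_base) { (void)image_base; g_ws2_inits++; return false; }

static dll_entry_t g_dlls[] = {
    { "advapi32.dll", advapi_init, NULL },
    { "ws2_32.dll",   ws2_init,    NULL },
    { NULL,           NULL,        NULL }   /* terminator, like the Ldr_Dlls table */
};

/* Portable replacement for _stricmp: the loader may report "ADVAPI32.DLL". */
static bool name_equal_icase(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Called after the loader has mapped a module. Hooks are installed only for
 * modules present in the table, so nothing is loaded on the hook DLL's behalf. */
int on_dll_loaded(const char *image_name, void *image_base)
{
    if (!image_name || !image_base)
        return HOOK_NOT_TRACKED;
    for (dll_entry_t *d = g_dlls; d->name; ++d) {
        if (!name_equal_icase(image_name, d->name))
            continue;
        /* Same base: the callback fired twice for one mapping, nothing to do.
         * Different base: the module was unloaded and re-mapped, so re-hook. */
        if (d->hooked_base == image_base)
            return HOOK_ALREADY_DONE;
        if (!d->init_func(image_base)) {
            fprintf(stderr, "hook init failed for %s\n", d->name); /* cf. SbieApi_Log(2318, ...) */
            return HOOK_FAILED;
        }
        d->hooked_base = image_base;
        return HOOK_INSTALLED;
    }
    return HOOK_NOT_TRACKED;
}

/* Number of times a tracked DLL's initializer has run (for the demo). */
int init_count(const char *name)
{
    if (name_equal_icase(name, "advapi32.dll")) return g_advapi_inits;
    if (name_equal_icase(name, "ws2_32.dll"))   return g_ws2_inits;
    return 0;
}

int main(void)
{
    /* Constructed load sequence, as a loader might report it. */
    void *base_a = (void *)(uintptr_t)0x10000, *base_b = (void *)(uintptr_t)0x20000;
    printf("ADVAPI32.DLL -> %d\n", on_dll_loaded("ADVAPI32.DLL", base_a)); /* 1: installed */
    printf("advapi32.dll -> %d\n", on_dll_loaded("advapi32.dll", base_a)); /* 2: duplicate */
    printf("user32.dll   -> %d\n", on_dll_loaded("user32.dll", base_b));   /* -1: not tracked */
    printf("ws2_32.dll   -> %d\n", on_dll_loaded("ws2_32.dll", base_b));   /* 0: init failed */
    return 0;
}
```

The table is the whole policy: a DLL that is not listed never triggers any work, and a listed DLL is touched only once the process itself has mapped it, which is exactly what keeps the hook DLL from dragging unneeded modules into every process.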