When you call LoadLibrary, the DLL calls its DllMain with a parameter: DLL_PROCESS_ATTACH. At that time, is it possible to recover the registers of the calling process? What edi points to, what eax holds, etc.
The short answer is NO.
LoadLibrary has no obligation to give your DLL a way to get the register values it (LoadLibrary) has received.
If you wrote the DLL yourself, you could at the start of the LibMain push all of the registers and save them to GLOBAL variables that you can access later with a call to the DLL, but if you did not write it yourself, you are in trouble.
If you didn't write the DLL, you can always find some caves and add some extra code to fit your needs ;)
hm.. let me rephrase, when you call LoadLibrary, is the DllMain procedure in a separate thread? if
    push esi                ; <--- That's the register I want
    push offset dllname     ; address of the DLL name string
    call [LoadLibraryA]
now in the library
DllEntry proc hInstance:HINSTANCE, Reason:dword, Reserve:dword
    .if Reason == DLL_PROCESS_ATTACH
        pop esi             ; <--- it's not what I pushed in the calling process
    .endif
    mov eax, TRUE           ; DllMain must return TRUE or LoadLibrary fails
    ret
DllEntry endp
Even if it was in the same thread, the values on the stack would have been the stack frame (and maybe LOCAL variables and preserved registers also), the return address, and the pushed parameters before you would even find the value of the pushed ESI.
Raymond
but if I keep popping I would eventually find it?
Parse,
Always remember that you must balance the stack or you can end up in big trouble.
Quote from: Parse on January 01, 2005, 03:24:44 AM
but if I keep popping I would eventually find it?
"Stack mining" is a very bad practice. Much code in Windows is in C, and adding new variables, deleting old variables, calling new subroutines, a new optimizing compiler, all will change where any data is located relative to your DLL. Critical upgrades may add stack variables that are used to address some security issue.
And stack data is definitely not register data.
If you want to give values to your DLL reliably, then you must send it via a function argument. If you need to call an initialization function after loading a DLL, then that's the way you must do it.
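The reliable route described above, written out as an added MASM32-style example (not code from the thread): the caller loads the DLL, then passes the value it cares about as a stdcall argument to an exported initializer. The names mylib.dll, DllInit and g_SavedValue are assumptions, and both modules are assumed to already include windows.inc and kernel32.inc.

```asm
; ---------- caller side (EXE) ----------
.data
    szDll   db "mylib.dll",0        ; assumed DLL name
    szInit  db "DllInit",0          ; assumed exported initializer
    hLib    dd 0
.code
    invoke LoadLibrary, addr szDll
    .if eax == NULL
        ; LoadLibrary failed: handle the error, do not continue
    .endif
    mov hLib, eax
    invoke GetProcAddress, hLib, addr szInit
    .if eax == NULL
        ; export not found: handle the error, do not call eax
    .endif
    ; esi holds the value the DLL needs; hand it over explicitly
    push esi
    call eax                        ; DllInit(esi), stdcall: callee cleans up

; ---------- DLL side (listed in the .def file under EXPORTS) ----------
.data
    g_SavedValue dd 0               ; where the passed value is kept
.code
DllEntry proc hInstance:HINSTANCE, Reason:DWORD, Reserve:DWORD
    ; nothing about the caller's registers is visible here;
    ; just report success so LoadLibrary can return the handle
    mov eax, TRUE
    ret
DllEntry endp

DllInit proc value:DWORD
    ; the caller's data arrives as a proper argument, independent of
    ; stack layout, compiler version or loader internals
    mov eax, value
    mov g_SavedValue, eax
    ret
DllInit endp
```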