Solved

An API detour question

Posted on 2016-09-13
7
106 Views
Last Modified: 2016-09-17
When I am load a DLL library in my process, is the shared DLL code shared same memory with other process that us the same DLL?

Here is the use case,
When I detour and API, say "CreateProcess" from "kernel32.dll", will it intercept the function calls only from this process or it can come from all process?

Thank you for any answer.
0
Comment
Question by:Evan Li
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 34

Expert Comment

by:sarabande
ID: 41797361
shared DLL code shared same memory with other process that us the same DLL?
that is true for static data. it is false for local variables used or for dynamic memory allocated.

if using global or static data in the dll you should always make sure that it is constant data valid for all processes using the dll.

"CreateProcess" from "kernel32.dll", will it intercept the function calls only from this process or it can come from all process?
don't know exactly what you mean by that. kernel32.dll never would be unloaded and each call of one of the exported dll functions is independent to other calls running parallel or later regardless of whether the calls were coming from same process and same thread, or from other thread or from other process. of course you need to care for thread-safety if using global or shared data for input arguments but the code of the dll function is always safe since each call runs a copy of the original code.

Sara
0
 

Author Comment

by:Evan Li
ID: 41797377
Thank you Sara,
I am not asking questions of data. I am asking questions of the code, as when we do the detour of an API we are changing the code of that API for the first 5-6 bytes, here is the reference about what happens:
https://www.microsoft.com/en-us/research/project/detours/

My question is that when we do the detour, are we going to detour only my the calls from my process or all calls from the system for this API.

Looks that it is only affect one my process, and I do not understand that.
0
 
LVL 34

Expert Comment

by:sarabande
ID: 41797422
detours creates new binary code for each dll function detoured and creates a safe copy of the code for each call. the new code is never a subject of to being shared with other threads let alone with other processes.

you may not worry about code but only about data.

Sara
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Evan Li
ID: 41798717
Hi Sara,

Thank for your answer.

I am little more confused.

Here is more question now:

When we loadlibrary, will the OS duplicate the code that other people has loaded for other process in my process space? If yes, it will be too many GDI.dll, kernel.dll etc.

If not, when we do detour, we'll change other process space, is it possible?

Or are you saying that when we call getprocaddress, the function code gets duplicated in my process space.

Anyway, I need to know what is happening underline. I could not find the answer from Microsoft paper. Thanks for further help.

Evan
0
 
LVL 34

Accepted Solution

by:
sarabande earned 500 total points
ID: 41799237
If yes, it will be too many GDI.dll, kernel.dll etc.
LoadLibrary doesn't copy code. it was copied after GetProcAddress returned a valid function pointer and if your code contains a call by using this pointer. detour would intercept directly at this point.

note, copying of code is essential since the process address spaces are strictly separated. even if your process calls into a COM function or into .NET the executed code always would be mapped into your process space.

Sara
0
 

Author Comment

by:Evan Li
ID: 41800159
You are right. if we get an address that is in my process space, it must be copied. But, I could not find any document that talk about when I get the address successfully, the function code is copied to process space?
0
 

Author Closing Comment

by:Evan Li
ID: 41803486
Thank you for your help.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
negation in C function 14 178
Computer slow / BSOD 10 79
Why is compiler in oracle server ? 9 112
Test the speeds on my PC Drives 12 80
This tutorial is posted by Aaron Wojnowski, administrator at SDKExpert.net.  To view more iPhone tutorials, visit www.sdkexpert.net. This is a very simple tutorial on finding the user's current location easily. In this tutorial, you will learn ho…
Summary: This tutorial covers some basics of pointer, pointer arithmetic and function pointer. What is a pointer: A pointer is a variable which holds an address. This address might be address of another variable/address of devices/address of fu…
The goal of this video is to provide viewers with basic examples to understand opening and writing to files in the C programming language.
Video by: Grant
The goal of this video is to provide viewers with basic examples to understand and use while-loops in the C programming language.
Suggested Courses

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question