DLLMain() is not being executed after injection

Question

I have written a dll and injector in C++. The dll code is given below:

#include <cstdio>
#include <stdio.h>
#include <windows.h>
#include <string>
#include <fstream>
#include <winsock.h>
using namespace std;
#pragma comment(lib, "wsock32.lib")

extern "C" __declspec(dllexport) void UploadFile()
{
.....
}

INT APIENTRY DLLMain(HMODULE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch(fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(0,"Process Attach","Info",MB_OK);
        UploadFile();
        break;
    case DLL_THREAD_ATTACH:
        MessageBox(0,"Thread Attach","Info",MB_OK);
        UploadFile();
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}

The dll uploads a particular file to the server. I am successfully able to inject the dll into "notepad.exe" using LoadLibrary() and CreateRemoteThread() but it is not being executed. Not even the dllmain() function. Dont know what is wrong.

The function should be called `DllMain` with lowercase L. (I guess I should make this into an answer.) — Dirk, May 20 '13 at 09:33
Doing things this complicated from DllMain is a free ticket to crash or deadlock. Read [MSDN remarks on DllMain](http://msdn.microsoft.com/en-us/library/windows/desktop/ms682583(v=vs.85).aspx) for reference. Why do you need injected DLL to upload a file? — hamstergene, May 20 '13 at 09:42
This is the error I got after changing DLLMain() to DllMain() error LNK2005: _DllMain@12 already defined in MSVCRTD.lib(dllmain.obj) — Faheem, May 20 '13 at 09:43

score 6 · Accepted Answer · edited May 23 '17 at 12:11

6

As Dirk has already stated, the DLL entry point is named DllMain(), not DLLMain(). The signature for DllMain() is:

BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,
    DWORD fdwReason,
    LPVOID lpvReserved
);

From Best Practices for Creating DLLs , you should never perform the following tasks from within DllMain():

...Call functions in User32.dll or Gdi32.dll. Some functions load another DLL, which may not be initialized...

MessageBox() is implemented in User32.dll so this may be a possible cause of DllMain() appearing to not be invoked.

It is unwise to perform any time consuming tasks with DllMain() as it will prevent the application loading any other DLLs that is requires, as the loader lock is held when inside DllMain(). Instead, spawn a thread to perform any time consuming task. The linked document advises against using CreateThread() but only if synchronization is involved.

edited May 23 '17 at 12:11

Community

1
1

answered May 20 '13 at 09:37

hmjd

120,187
20
207
252

1

+1 and add [Some reasons not to do anything scary in your DllMain](http://blogs.msdn.com/b/oldnewthing/archive/2004/01/27/63401.aspx) and [Another reason not to do anything scary in your DllMain: Inadvertent deadlock](http://blogs.msdn.com/b/oldnewthing/archive/2004/01/28/63880.aspx) – Remus Rusanu May 20 '13 at 09:41
The return type should also be `BOOL` although that probably doesn't really matter. – Dirk May 20 '13 at 09:42
1

+1 IIRC since the application is already running if all dependencies of the injected DLL are already satisfied a good deal of those restrictions no longer apply and you're free to go bananas. That might apply only to process attach though depending on thread local initialization. – Captain Obvlious May 20 '13 at 09:46
@Faheem, why would you consciously choose a conflicting signature for no benefit? – hmjd May 20 '13 at 09:48
I will change it to `BOOL` but I am also getting this error !!! `error LNK2005: _DllMain@12 already defined in MSVCRTD.lib(dllmain.obj)` – Faheem May 20 '13 at 09:49
1

@Faheem, http://stackoverflow.com/questions/343368/error-lnk2005-dllmain12-already-defined-in-msvcrt-lib . – hmjd May 20 '13 at 09:54

DLLMain() is not being executed after injection

1 Answers1