Alternative DllMain in Visual Studio 2015?

I was creating something silly and wanted to see if there was some neat ways to link data into my project from libcmt.lib to edit it, or reference it (in a way that is similar to the TLS callback array, _ImageBase, etc)

Upon opening up my module and going to DllMainCRTStartup, DllMainCRTStartup calls a function called dllmain_dispatch (in all circumstances)
Inside DllMainCRTStartup I saw this

ida

The function dllmain_raw is the center of attention, the function itself looks like this

ida

Since you can reference statically linked variables and functions, and since the compiler won’t throw a fit if you override this specific variable, I did it!

int _cdecl dll_main_raw_fn(HINSTANCE__ *const instance, const unsigned int reason, void *const reserved)  
{
    return TRUE;
}

// Here's another underhanded trick to gain execution in VS2015 C standard lib (libcmt)
// In fact, if you force a failure in the dllmain fn here, it will refuse to call the actual dllmain.
extern "C"  
{
    void *_pRawDllMain = &dll_main_raw_fn;
};

That comment is entirely correct, by the way. DllMain for will not be called if you return a failure code here for the same . That means you could disable certain messages getting to your DllMain, for example, upon certain conditions.

This ‘raw dllmain’ is called before, and after references to ‘your’ DllMain (also, once more at the end of the dllmain_dispatch function upon certain conditions).

Andrew Artz

Read more posts by this author.