Win32: Who loads the library that implements LoadLibrary?

I was sitting in a Dairy Queen this afternoon thinking about random stuff and suddenly this question hit me: who loads the library that implements LoadLibrary? Isn’t it some kind of chicken-and-egg situation?

Short answer: It’s the loader.

Longer answer: Win32 executable contains a list of DLLs and functions it needs to import. When creating a running process, the loader locates these DLLs, brings them into memory, finds requested functions, and puts their addresses in a well known place. This is done before passing control to the executable’s entry point. From the executable’s point of view when it starts running, the DLLs are already there. If the process wishes to load more DLLs at a later stage, it includes kernel32.dll!LoadLibrary in the list of imports and calls this function when necessary.

Really long answer. Windows executable format specification (.DOC file) defines an Import Directory Table (section 6.4.1), which is a linked list of DLL names. For each imported DLL there is an array of function names called Import Lookup Table (section 6.4.2) and array of their addresses called Import Address Table (section 6.4.4). See also a pretty picture from Google Code (PDF). When the operating system loads the executable file into memory, it scans the Import Directory Table, loads requested DLLs (and their imports, recursively), finds requested names inside those DLLs and puts their addresses in the Import Address Tables. This code is baked into the loader and does not invoke LoadLibrary.

To use LoadLibrary, the executable needs to have an Import Directory Table entry for kernel32.dll, and then an entry for LoadLibrary in its Import Lookup Table. The loader will kindly put LoadLibrary‘s address in the corresponding entry of the Import Address Table.

However, if you inject external code into the process (for the purpose of monitoring, debugging, or some malicious activity), that code will have harder time to find LoadLibrary, since it doesn’t know in advance which entry in Import Address Table contains LoadLibrary‘s address. In fact, LoadLibrary may not be in that table at all. Fortunately, kernel32.dll is loaded into every Win32 process, and LoadLibrary is guaranteed to be inside it, so you only need to find where it is. Your first task is to determine the base address of kernel32.dll. Apparently, on versions of Windows prior to Windows 7 it is the second DLL in the Import Directory Table, but on Windows 7 and later it is the third. A number of articles on the Internet describe how to implement the look up in a portable manner, e.g. http://www.ragestorm.net/blogs/?p=369. Many mention “skypher.com“, but that link is now dead. Once you’ve found the location of kernel32.dll, you’ll have to traverse its “export” tables to find LoadLibrary. This is what system call GetProcAddress would do, but your injected code doesn’t yet know where to find GetProcAddress. Fear not, there is a customized implementation of GetProcAddress, but use it at your own risk.

Leave a Reply

Your email address will not be published. Required fields are marked *