Writing a pure Native DLL


cpuZ
January 30th, 2012, 18:47
Does anyone have a small sample of how to do this? I'd like to write a native DLL which doesn't link to anything other than ntdll.lib. Is this possible, and will the entry point be executed when it is loaded by a Win32 process? I don't need to export any routines or anything, I just want to write a native DLL since I have never seen this done exactly. Thanks

Regards,
cpuZ

Kayaker
January 30th, 2012, 22:23
I guess the first question is, what defines a "Native DLL" from a programmatic viewpoint? A basic search mentions a couple of things, such as requiring the preprocessor definition "NATIVEDLL_EXPORTS", and that the entry point is, by convention though not required, called "NtProcessStartup" rather than winmain/main/dllmain.

Searching for those 2 keywords yields a lot of information. A few random examples which might be useful:

http://technet.microsoft.com/en-us/sysinternals/bb897447
http://www.lcs.syr.edu/faculty/fawcett/handouts/cse775/code/LibDemo/NativeDLL/
http://doxygen.reactos.org/dd/d0d/entry__point_8c_source.html
http://www.codeproject.com/Articles/36344/Native-Thread-Injection-Into-the-Session-Manager-S
http://social.msdn.microsoft.com/Forums/en-US/vcgeneral/thread/03bb7abc-b5a0-427e-b393-588b6b56b949


If you do get a skeleton working it might be interesting if you posted the code.

Kayaker

bilbo
January 31st, 2012, 16:17
Well, imho, NtProcessStartup must never be present in a native DLL, which simply imports Nt...() APIs, taken from NTDLL.LIB exports, with or without the concurrent use of other less esoteric APIs.

An example of this kind of DLL, but only for .NET applications, is in
http://www.codeproject.com/Articles/21974/Windows-NT-Native-API-Wrapper-Library:
it allows a regular .NET application to use Native APIs instead of their KERNEL32 counterparts...

A use of the included Registry Editor sample? Reset the trial period of the programs developed by a software house (I will not tell here which one) which stores the installation data in some keys and values whose names include some null characters ;-)

Best regards, bilbo
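A minimal skeleton of the DLL cpuZ asks about, added here as an example (it is not code posted by anyone in the thread): it links nothing but ntdll.lib, and the Windows loader still calls its entry point when a Win32 process loads it with LoadLibrary, because the loader calls whatever AddressOfEntryPoint names regardless of what the DLL imports. It assumes an MSVC toolchain (x64 command line shown); the reason_name helper and the hand-written ntdll prototypes are mine, not from any SDK header.

```c
/* native.c: a DLL whose import table references only ntdll.dll.
 * Build with MSVC (x64 shown):
 *   cl /nologo /GS- /c native.c
 *   link /nologo /DLL /NODEFAULTLIB /ENTRY:DllMain /OUT:native.dll native.obj ntdll.lib
 * /NODEFAULTLIB drops the CRT, so /ENTRY must point straight at DllMain and
 * /GS- is required because the stack-cookie support lives in the CRT.
 * Check the result with:  dumpbin /imports native.dll   (only ntdll.dll should appear) */
#include <string.h>    /* declarations only; no CRT object code is linked */

/* Names for the loader's DllMain reason codes (0..3), used in the DbgPrint
 * message. Kept portable so this part compiles and can be checked anywhere. */
const char *reason_name(unsigned long reason)
{
    static const char *const names[] = {
        "DLL_PROCESS_DETACH", "DLL_PROCESS_ATTACH",
        "DLL_THREAD_ATTACH",  "DLL_THREAD_DETACH"
    };
    return reason < 4 ? names[reason] : "UNKNOWN";
}

#ifdef _WIN32
#include <windows.h>   /* basic types and DLL_PROCESS_ATTACH only; nothing from it is linked */

/* ntdll exports that the SDK headers do not declare; prototypes written by hand. */
typedef LONG NTSTATUS;
NTSTATUS NTAPI NtQuerySystemTime(PLARGE_INTEGER SystemTime);
ULONG __cdecl DbgPrint(PCSTR Format, ...);

/* The loader calls this directly: no CRT startup code, no static constructors. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    LARGE_INTEGER now = {0};
    (void)hinst; (void)reserved;

    if (reason == DLL_PROCESS_ATTACH)
        NtQuerySystemTime(&now);           /* 100ns units since 1601, straight from ntdll */

    /* Visible in a debugger or DebugView; KERNEL32 is never touched. */
    DbgPrint("native.dll: %s, system time high=%ld low=%lu\n",
             reason_name(reason), now.HighPart, now.LowPart);
    return TRUE;
}
#endif
```

Because no CRT is present, struct initialisation may still make the compiler emit calls to memset or memcpy; those resolve against ntdll.lib, which exports both, so the import table stays ntdll-only.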