Tuesday, September 21, 2010

BreakOnDllLoad

In this post I will discuss the "BreakOnDllLoad" registry value found under the "Image File Execution Options" registry key, a.k.a. IFEO (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options).

Consider the following two figures:

[Figures 1 and 2: reversed loader code from ntdll.dll (images missing)]
As we can see from the reversed code, the loader first checks the "BeingDebugged" field of the PEB (the field that "IsDebuggerPresent" reads). If it is set, the "LdrQueryImageFileExecutionOptions" function is called to query the "BreakOnDllLoad" registry value for the DLL that is being loaded. The "ReadImageFileExecOptions" field of the PEB (the one the figure labels "ImageFileExecutionOptionsSpec") is checked as well; the kernel sets it at process creation when the executable itself has an IFEO entry, and if it is set the same "LdrQueryImageFileExecutionOptions" call is made.

If the "LdrQueryImageFileExecutionOptions" call succeeds and the returned DWORD is non-zero, the "DbgBreakPoint" function is called. "DbgBreakPoint" is simply an int3 instruction (followed by a ret), so the debugger stops inside ntdll just before the DLL's "DllMain" runs. Setting this registry value for a specific DLL therefore gives you the chance to examine the code of the "DllMain" function whenever you debug an application that loads this DLL, no matter what debugger you use. Two practical points: the IFEO subkey must be named after the DLL's base file name (e.g. "foo.dll"), because the query is keyed on the loader entry's BaseDllName, and the value must be a REG_DWORD with a non-zero value; and because the query is only made when "BeingDebugged" or "ReadImageFileExecOptions" is set, an executable that has its own IFEO entry but no debugger attached will hit the int3 anyway, which normally terminates the process with an unhandled breakpoint exception.
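The registry side of the technique described above, as an added example (not code from the original post): three helpers to enable, disable and enumerate "BreakOnDllLoad" entries. The function names and the sample DLL name "target.dll" are assumptions for illustration; the IFEO path and the value name come from the post. The session must be elevated, since the key lives under HKLM.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Enable-BreakOnDllLoad {
    # $DllName must be the DLL's base file name (e.g. 'target.dll'), because the
    # loader queries the IFEO subkey by the loader entry's BaseDllName.
    param([Parameter(Mandatory)][string]$DllName)
    $key = Join-Path $IfeoRoot $DllName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The loader expects a REG_DWORD; any non-zero value triggers DbgBreakPoint.
    Set-ItemProperty -Path $key -Name 'BreakOnDllLoad' -Value 1 -Type DWord
}

function Disable-BreakOnDllLoad {
    param([Parameter(Mandatory)][string]$DllName)
    $key = Join-Path $IfeoRoot $DllName
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'BreakOnDllLoad' -ErrorAction SilentlyContinue
        # Only drop the subkey if nothing else (e.g. a Debugger value) is left in it.
        $k = Get-Item $key
        if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item $key }
    }
}

function Find-BreakOnDllLoad {
    # List every IFEO subkey that currently carries a non-zero BreakOnDllLoad,
    # handy for cleaning up after a debugging session.
    Get-ChildItem $IfeoRoot | ForEach-Object {
        $v = $_.GetValue('BreakOnDllLoad')
        if ($v) { [pscustomobject]@{ Image = $_.PSChildName; BreakOnDllLoad = $v } }
    }
}

# Usage (hypothetical DLL name): set the value, debug a process that loads it,
# break inside ntdll!DbgBreakPoint, then remove the value afterwards.
Enable-BreakOnDllLoad -DllName 'target.dll'
Find-BreakOnDllLoad
Disable-BreakOnDllLoad -DllName 'target.dll'
```

When the breakpoint fires, the debugger is stopped inside ntdll, one frame above the loader routine that is about to call the DLL's entry point; step out of DbgBreakPoint and follow the next call into the DLL to land on its DllMain.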

Conclusion:
The "BreakOnDllLoad" registry value can be used to trigger a breakpoint whenever a specific DLL is loaded into the address space of any debugged process, regardless of the debugger in use.

You can follow me on Twitter @waleedassar 
