Stack Exchange network consists of 183 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
Visit Stack ExchangeStack Internal
Knowledge at work
Bring the best of human thought and AI automation together at your work.
Explore Stack Internal To answer the original question, what you can do is to hook LdrpCallInitRoutine in ntdll.dllntdll.dll. This function is used by DLL loading/unloading code to actually call the DLL entry point (DllMain) and also the TLS callbacks. The first argument is the address to be called:
BOOLEAN NTAPI LdrpCallInitRoutine(PDLL_INIT_ROUTINE EntryPoint, PVOID BaseAddress, ULONG Reason, PVOID Context); To answer the original question, what you can do is to hook LdrpCallInitRoutine in ntdll.dll. This function is used by DLL loading/unloading code to actually call the DLL entry point (DllMain) and also the TLS callbacks. The first argument is the address to be called:
BOOLEAN NTAPI LdrpCallInitRoutine(PDLL_INIT_ROUTINE EntryPoint, PVOID BaseAddress, ULONG Reason, PVOID Context); To answer the original question, what you can do is to hook LdrpCallInitRoutine in ntdll.dll. This function is used by DLL loading/unloading code to actually call the DLL entry point (DllMain) and also the TLS callbacks. The first argument is the address to be called:
BOOLEAN NTAPI LdrpCallInitRoutine(PDLL_INIT_ROUTINE EntryPoint, PVOID BaseAddress, ULONG Reason, PVOID Context); To answer the original question, what you can do is to hook LdrpCallInitRoutine in ntdll.dll. This function is used by DLL loading/unloading code to actually call the DLL entry point (DllMain) and also the TLS callbacks. The first argument is the address to be called:
BOOLEAN NTAPI LdrpCallInitRoutine(PDLL_INIT_ROUTINE EntryPoint, PVOID BaseAddress, ULONG Reason, PVOID Context);