Security Xploded
 
  |    Home    |    Projects    |    Research    |    Articles     |    Security Tools    |    Download    |    Blog    |    About    |
 
Search
Latest Stuff
 
FireMaster for Firefox version 3
FirePassword for latest Firefox version
Hacker Reversing Challenge 2007 Solution
Make your application Vista UAC compliant
Watch your shares from intruders  
Top Tools
 
NetShareMonitor: Monitor shares from intruders
FireMaster: Recover Firefox master password
FirePassword : Dump Firefox sign-on secrets
RemoteDLL: Remove DLL from process
ProcHeapViewer: Enumerate process heaps
Top Articles
 
Using Rainbow crack to recover Windows password
Rapair Windows registry using BackTrack
Unpack UPX using OllyDbg
Writing PESpin plugin for ImpREC
Decrypting Firefox sign-on secrets
 
 
 
 
 
 
 
 
 
Reference Count of DLL in a Process
 
 
What is this Reference Count?
Reference count or load count of the DLL is the number of times the DLL is loaded into the process. Each time the DLL is loaded (through LoadLibrary) into the process its reference count is incremented by 1 and each time the DLL is freed (through FreeLibrary) from the process, reference count is decremented by 1. When the reference count reaches 0, the DLL is completely unmapped from the process.
 
 
No Direct Way
Windows APIs does not give much information about loaded DLLs. Windows provides Tool Help library to retrieve information about DLLs loaded into process but it gives very basic information such as name, handle of DLL. In order to get more information, one need to dig deeper into the windows world.
 
 
How to find Reference Count?
Reference count for the DLL is stored in the PEB (Process Environment Block) for that process. PEB contains the linked list of DLL Module structures which contain complete information about that particular DLL.

Here are the detailed steps.
1. Get address of PEB block
PEB block for any process is usually found at address 0x7ffdf000. However there is standard way to get this address. There is undocumented function ZwQueryInformationProcess from NTDLL.DLL which can be used to retrieve the PROCESS_BASIC_INFORMATION. The PBI structure is shown below.
     
     struct _PROCESS_BASIC_INFORMATION
     {
         PVOID Reserved1;
         PPEB PebBaseAddress;
         PVOID Reserved2[2];
         ULONG_PTR UniqueProcessId;
         PVOID Reserved3;
     } PROCESS_BASIC_INFORMATION;
The second member PebBaseAddress contains the address of PEB which can be used to get the list of loaded modules.
2. Get list of loaded DLLs from PEB.
Once you get the address of PEB, you can use use ReadProcessMemory API to read the PEB from the target process.

     PEB peb;
     ReadProcessMemory(hprocess, pbi.PebBaseAddress, &peb, 16, &dwSize)
PEB is a big structure hence I cannot dump it here. One of the member that is interesting to us is PPEB_LDR_DATA which is pointer to loader data structure containing linked list of loaded modules. Now from PEB, you can get PEB_LDR_DATA structure as follows.

    PEB_LDR_DATA peb_ldr_data;
    ReadProcessMemory(hprocess, peb.Ldr, &peb_ldr_data, sizeof(peb_ldr_data), &dwSize);

     struct _PEB_LDR_DATA
     {
         ULONG Length;
         UCHAR Initialized;
         PVOID SsHandle;
         LIST_ENTRY InLoadOrderModuleList;
         LIST_ENTRY InMemoryOrderModuleList;
         LIST_ENTRY InInitializationOrderModuleList;
         PVOID EntryInProgress;
     } PEB_LDR_DATA, *PPEB_LDR_DATA;
PEB_LDR_DATA structure contains the pointers to 3 linked lists each of which list the modules in different order. Now its just a matter of going through each module by following one of this linked list.
3. Retrieve load count of the DLL.
Now we will go through each of the modules by following the InLoadOrderModuleList pointer. Information about each of these modules is retrieved using ReadProcessMemory function. The structure LDR_MODULE representing each module is given below.

    struct _LDR_MODULE
     {
         LIST_ENTRY InLoadOrderModuleList;
         LIST_ENTRY InMemoryOrderModuleList;
         LIST_ENTRY InInitializationOrderModuleList;
         PVOID BaseAddress;
         PVOID EntryPoint;
         ULONG SizeOfImage;
         UNICODE_STRING FullDllName;
         UNICODE_STRING BaseDllName;
         ULONG Flags;
         USHORT LoadCount;
         USHORT TlsIndex;
         LIST_ENTRY HashTableEntry;
         ULONG TimeDateStamp;
     } LDR_MODULE, *PLDR_MODULE;
It contains lot of information about a module which you don't get using high level APIs. One of the member is LoadCount which is nothing but the reference count of the DLL.

    LDR_MODULE peb_ldr_module;
    void *readAddr = (void*) peb_ldr_data.InLoadOrderModuleList.Flink;

     // Go through each modules one by one in their load order.
     while( ReadProcessMemory(hprocess, readAddr, &peb_ldr_module, sizeof(peb_ldr_module), &dwSize) )
     {
          // Get the reference count of the DLL
          loadCount = (signed short)peb_ldr_module.LoadCount;

          readAddr = (void *) peb_ldr_module.InLoadOrderModuleList.Flink;
     }
If load count for a DLL is -1 then the DLL is statically linked otherwise its dynamically loaded.
 
 
Where it will be Useful?
There are number of instances when there is a need to know the reference count of DLL. One typical case is when you want to free the DLL from the remote process. Many spyware programs uses the DLL injection or similar technique to get loaded themselves into the legitimate windows process and remain hidden from normal user. In order to free such hidden DLLs from that process one must know its reference count so that it can be completely freed from that process. Unless the DLL is freed from the process, it cannot be removed from the disk. For more information on this, look at my RemoteDLL project.

Reference count is also useful to determine if the DLL is statically or dynamically loaded.
 
 
Reference
  • RemoteDLL : The tool to inject/free the DLL from process.
  • Great book on undocumented functions, "Windows NT/2000 API Reference".
  • Online documentation of the undocumented functions is available at  http://undocumented.ntinternals.net
 
 
 
 
 

Total Hit Count: Hit Count
"security through obscurity is just an illusion"
                                   -anonymous 
For any queries and suggestions, please drop a mail to tnagareshwar at gmail.com
 
 
www.SecurityXploded.com © 2008, All rights reserved by Nagareshwar Talekar.                        Firefox 3