Major Description
When running with +sls on ReactOS, we can see that as soon as a shim module is loaded, this triggers calling all entrypoints for all loaded modules (static imports from the application).
(dll\ntdll\ldr\ldrinit.c:691) [0000075C,00000758] LDR: Real INIT LIST for Process F:\SSP.EXE
|
(dll\ntdll\ldr\ldrinit.c:726) [0000075C,00000758] LDR: D:\reactos\system32\kernel32.dll init routine 7C627A10
|
(dll\ntdll\ldr\ldrinit.c:840) kernel32.dll - Calling entry point at 7C627A10 for DLL_PROCESS_ATTACH
|
|
|
<<-- cut -->>
|
|
|
(dll\ntdll\ldr\ldrpe.c:570) LDR: Snapping imports for aclayers.dll from ntdll.dll
|
(dll\ntdll\ldr\ldrinit.c:691) [0000075C,00000758] LDR: Real INIT LIST for Process F:\SSP.EXE
|
(dll\ntdll\ldr\ldrinit.c:726) [0000075C,00000758] LDR: D:\reactos\system32\gdi32.dll init routine 7C4B1010
|
(dll\ntdll\ldr\ldrinit.c:726) [0000075C,00000758] LDR: D:\reactos\system32\advapi32_vista.dll init routine 7A201010
|
|
|
<<-- cut -->>
|
|
|
(dll\ntdll\ldr\ldrinit.c:726) [0000075C,00000758] LDR: D:\reactos\system32\apphelp.dll init routine 7A1513C0
|
(dll\ntdll\ldr\ldrinit.c:726) [0000075C,00000758] LDR: D:\reactos\AppPatch\aclayers.dll init routine 7A458610
|
Running on windows with +sls and shim engine logging,
we can observe an interesting pattern:
It seems that the shim engine marks modules as 'processed', so that they will not be called.
[9b8,a54] LDR: Real INIT LIST for process E:\SSP.EXE pid 2488 0x9b8
|
[9b8,a54] C:\WINDOWS\system32\kernel32.dll init routine 77E65FB4
|
[9b8,a54] LDR: kernel32.dll loaded
|
- Calling init routine at 77E65FB4
|
|
|
<<-- cut -->>
|
|
|
[MSG ] [SeiCheckComPlusImage] COM+ executable FALSE
|
[WARN] [SeiSetEntryProcessed] Don't mess with 0x7C800000 "ntdll.dll"
|
[WARN] [SeiSetEntryProcessed] Don't mess with 0x77E40000 "kernel32.dll"
|
[WARN] [SeiSetEntryProcessed] Touching 0x77C50000 "RPCRT4.dll"
|
[WARN] [SeiSetEntryProcessed] Touching 0x77F50000 "ADVAPI32.dll"
|
[WARN] [SeiSetEntryProcessed] Touching 0x77C00000 "GDI32.dll"
|
|
|
<<-- cut -->>
|
|
|
[9b8,a54] LDR: Real INIT LIST for process E:\SSP.EXE pid 2488 0x9b8
|
[9b8,a54] C:\WINDOWS\AppPatch\AcLayers.DLL init routine 715F61AB
|
[9b8,a54] LDR: AcLayers.DLL loaded
|
- Calling init routine at 715F61AB
|
|
|
<<-- cut -->>
|
|
|
[WARN] [SeiResetEntryProcessed] Don't mess with "ntdll.dll"
|
[WARN] [SeiResetEntryProcessed] Don't mess with "kernel32.dll"
|
[WARN] [SeiResetEntryProcessed] Reseting "RPCRT4.dll"
|
[WARN] [SeiResetEntryProcessed] Reseting "ADVAPI32.dll"
|
[WARN] [SeiResetEntryProcessed] Reseting "GDI32.dll"
|
|
|
<<-- cut -->>
|
|
|
[9b8,a54] LDR: Real INIT LIST for process E:\SSP.EXE pid 2488 0x9b8
|
[9b8,a54] C:\WINDOWS\system32\RPCRT4.dll init routine 77C75061
|
[9b8,a54] C:\WINDOWS\system32\ADVAPI32.dll init routine 77F6DFCD
|
[9b8,a54] C:\WINDOWS\system32\GDI32.dll init routine 77C0B23E
|
Attachments
Issue Links
- blocks
-
CORE-15845 Implement IgnoreLoadLibrary
-
- Resolved
-