A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #7156  by Alex
 Fri Jul 08, 2011 6:38 pm
There is a useful function under Windows XP - you should know it, I use it - LdrSetAppCompatDllRedirectionCallback - to block loading of some unwanted DLLs (see attached source...). There is one small problem - this function doesn't exist under Windows 7, so my question is - which method of DLL blocking in your opinion is universal and as effective as the mentioned one (works from XP to 7)? If it is possible, I wouldn't like to use any code hooks - just already implemented solutions, if any...
Code:
typedef NTSTATUS (NTAPI *PLDR_APP_COMPAT_DLL_REDIRECTION_CALLBACK_FUNCTION)
(
  IN ULONG Flags,
  IN PCWSTR DllName,
  IN PCWSTR DllPath OPTIONAL,
  IN OUT PULONG DllCharacteristics OPTIONAL,
  IN PVOID CallbackData,
  OUT PWSTR *EffectiveDllPath
);

IMP_SYSCALL LdrSetAppCompatDllRedirectionCallback
(
  IN ULONG Flags,
  IN PLDR_APP_COMPAT_DLL_REDIRECTION_CALLBACK_FUNCTION CallbackFunction,
  IN PVOID CallbackData
);

// NTAPI added so the calling convention matches the callback typedef above.
NTSTATUS NTAPI LdrDllRedirectionCallback(
  IN ULONG Flags,
  IN PCWSTR DllName,
  IN PCWSTR DllPath OPTIONAL,
  IN OUT PULONG DllCharacteristics OPTIONAL,
  IN PVOID CallbackData,
  OUT PWSTR *EffectiveDllPath)
{
  LONG ResultValue;

  UNICODE_STRING LoadedDllName;
  UNICODE_STRING BlockedDllName;


  RtlInitUnicodeString(
                       &LoadedDllName,
                       DllName);

  RtlInitUnicodeString(
                       &BlockedDllName,
                       L"unknown.dll"); 

  ResultValue = RtlCompareUnicodeString(
                                        &LoadedDllName,
                                        &BlockedDllName,
                                        TRUE);

  if(ResultValue == 0)
  {
    UmDbgPrint((">> BLOCKING DLL - %ws\n", DllName));

    return STATUS_UNSUCCESSFUL;
  }

  return STATUS_SUCCESS;
}

// Usage: register the callback from initialization code.
LdrSetAppCompatDllRedirectionCallback(
                                      0,                         // Flags
                                      LdrDllRedirectionCallback, // CallbackFunction
                                      NULL);                     // CallbackData
 #16635  by rinn
 Fri Nov 16, 2012 5:12 am
Alex wrote: There is one small problem - this function doesn't exist under Windows 7, so my question is - which method of DLL blocking in your opinion is universal and as effective as the mentioned one (works from XP to 7)? If it is possible, I wouldn't like to use any code hooks - just already implemented solutions, if any...
Hi.

Sorry for bumping an old thread, but have you considered using LdrRegisterDllNotification (cf. http://msdn.microsoft.com/en-us/library ... s.85).aspx)?

They are available since Vista.

Best Regards,
-rin
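
Added example (not code from either poster): the blocklist check from the first post rewritten for counted UTF-16 names, plus, on Windows only, a run-time registration of LdrRegisterDllNotification as suggested in the reply. The notification callback returns VOID, so on its own it observes loads rather than refusing them the way the XP callback's STATUS_UNSUCCESSFUL return does. The names is_blocked_dll, USTR, LOADED_DATA, NOTIFY_FN, REGISTER_FN, on_dll and g_hits are this example's own, and the probe load in main is constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Lowercase ASCII blocklist; "unknown.dll" is the placeholder from the first post. */
static const char *const kBlocked[] = { "unknown.dll" };
static uint16_t lower16(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }

/* 1 if a counted UTF-16 name (path or base name, no NUL needed) is blocklisted. */
int is_blocked_dll(const uint16_t *name, size_t len)
{
    size_t start = 0, i, k;
    for (i = 0; i < len; i++)                 /* drop any directory prefix */
        if (name[i] == '\\' || name[i] == '/') start = i + 1;
    for (k = 0; k < sizeof kBlocked / sizeof kBlocked[0]; k++) {
        const char *b = kBlocked[k];
        for (i = start; i < len && *b; i++, b++)
            if (lower16(name[i]) != (uint16_t)(unsigned char)*b) break;
        if (i == len && *b == '\0') return 1; /* whole name matched */
    }
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <stdio.h>
/* Local mirrors of the documented layouts; these type names are this example's own. */
typedef struct { USHORT Length, MaximumLength; PWSTR Buffer; } USTR;
typedef struct { ULONG Flags; const USTR *FullDllName, *BaseDllName;
                 PVOID DllBase; ULONG SizeOfImage; } LOADED_DATA;
typedef VOID (CALLBACK *NOTIFY_FN)(ULONG, const LOADED_DATA *, PVOID);
typedef LONG (NTAPI *REGISTER_FN)(ULONG, NOTIFY_FN, PVOID, PVOID *);
static volatile LONG g_hits;   /* the callback runs during loading: keep it minimal */

static VOID CALLBACK on_dll(ULONG reason, const LOADED_DATA *d, PVOID ctx)
{
    if (reason == 1 /* LDR_DLL_NOTIFICATION_REASON_LOADED */ &&
        is_blocked_dll((const uint16_t *)d->BaseDllName->Buffer, d->BaseDllName->Length / 2))
        InterlockedIncrement(&g_hits);
}
int main(void)
{
    PVOID cookie = NULL;       /* resolve at run time: the export is absent on XP */
    REGISTER_FN reg = (REGISTER_FN)GetProcAddress(GetModuleHandleW(L"ntdll.dll"),
                                                  "LdrRegisterDllNotification");
    if (!reg || reg(0, on_dll, NULL, &cookie) != 0) return 1;
    LoadLibraryW(L"unknown.dll");             /* constructed probe; may not exist */
    printf("blocklisted loads seen: %ld\n", (long)g_hits);
    return 0;
}
#endif
```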