Can a DLL be statically loaded by worker thread during the process startup?
We have an application containing many (hundreds) DLLs. The EXE directly depends on part of them (via its Import Table), which in turn depend on another part (via their Import Tables) and so on. Out of all these DLLs there is one, that both the EXE and most of DLLs depend on. This DLL is one of the first to be (statically) loaded at the application startup.
According to all known to me sources describing process' loading, the DLL_PROCESS_ATTACH entry of this DLL must be called on the process' primary thread. This is also confirmed by @MSalters answer and @RbMm comment to my other question. But if this is true, then how to explain the following snapshot of the debugger's "Threads" window, that I received from one of my colleagues (this snapshot was obtained by placing the MessageBox() statement after DLL_PROCESS_ATTACH and attaching the VS debugger):
In this snapshot you can see that the primary thread is stuck in the "ThreadStart" function, while the DLL is being loaded by the worker thread. It is also strange that we see one debugger thread, whereas usually VS debugger doesn't show its threads.
If someone has an explanation, I'd be glad to hear it.
Can a DLL be statically loaded by worker thread during the process startup?
no, can not
while the DLL is being loaded by the worker thread.
if thread entry poins is LoadLibraryWStub (this is same as LoadLibraryW) - this is mean some another process call CreateRemoteThread with LoadLibraryW as thread start routine. this is classic way of dll injection. of course - possible and some code in your process call CreateThread or CreateRemoteThread with LoadLibraryW, but this is very unusual. in any way - system/loader (ntdll code) never do this.
It is also strange that we see one debugger thread, whereas usually VS debugger doesn't show its threads.
DbgUiRemoteBreakin - thread with such entry point created by call DbgUiIssueRemoteBreakin which simply create thread in target process with DbgUiRemoteBreakin. and this thread simply call DbgBreakPoint and exit. the DebugActiveProcess called DbgUiDebugActiveProcess which called DbgUiIssueRemoteBreakin - so also nothing unusual. and in your case 3 threads (including DbgUiRemoteBreakin ) even not begin executed almost, because wait for loader critical section
- Statically compile a C++ app with GCC into a binary
- Call COM object method from Go without CGo
- How can I auto-elevate my batch file, so that it requests from UAC administrator rights if required?
- Cannot import just-installed `pip` packages
- How to get date in BAT file
- Create Windows service from executable
- Cursor disappearing inside text field
- Ubuntu app: WslRegisterDistribution failed with error 0x80070057 (incorrect parameter)
- Can the Windows API use two mutexes to achieve thread synchronization?
- What does this command prompt input do?
- KERNELBASE.dll Exception 0xe0434352 offset 0x000000000000a49d
- Eclipse dark theme for windows: how to change the color of scroll bars and title bars to dark?
- How to untar multiple files with an extension .tar.gz.aa, .tar.gz.ab..... in windows?
- How do I start PowerShell from Windows Explorer?
- Can I use PowerShell in shell-mode for Emacs?
- How to install lua-zlib with LuaRocks on Windows?
- How can I obtain the user's Logon Session SID (e.g. S-1-5-5-X-Y) or otherwise verify RMF SC-23 Unique Identifiers in Windows
- How to get and store the localhost ip address into a variable (Windows 10)
- Child Windows using Rust
- Docker repository server gave HTTP response to HTTPS client
- ADB over Wi-Fi is extremely slow on one PC, great on another
- Create Windows Python virtualenv with a specific version of Python
- Is there a difference if I added the window handle or NULL value
- Run Dart process as admin on Windows
- g++ produce executable for windows
- Took C/C++ code from Linux to Windows is really slow
- Why doesn't MSYS Bash evaluate windows exectuable commands as expected?
- Passing UTF-8 arguments to commands in Perl on Windows
- Where is the "downloads" folder located
- Ping with timestamp on Windows CLI