[fpc-devel] Manual reload of a DLL snapshot (with relocations) causes multiple AV

Gennadiy Poryev core at barvinok.net
Fri Jan 6 17:22:45 CET 2012

> GP> The task I'm working on is somewhat unorthodox, but I'd like to get
> some comments anyway.
> [...]
> GP> I'm writing "semi-stealth" DLL which is one loaded by the process
> GP> (and visible by others) while not residing on disk as a file. This
> GP> is done by the following method:
> Why you do not load the DLL from memory ? There is code to load and
> relocate it as it is being done by the Windows OS.

I've seen a lot of code samples that do just that, including one for kernelmode. My goal is not to reinvent the wheel and duplicate the whole DLL loader mechanism, but rather to not have a DLL file on a disk.
Also I want to keep code as little as possible, leaving the OS to do most of work -- it's better for [backward] compatibility too (I need both x86 and x64 versions with shared codebase). The current engine is only 7kb in source code, and it omits manual adjustment of sections to page boundaries, import walking, and most of the relocation block processing (ntdll luckily happens to have LdrProcessRelocationBlock), etc, since all this is done by LdrLoadLibrary anyway.

More information about the fpc-devel mailing list