Udostępnij za pośrednictwem


Finally, some more concrete guidance on the mystery's of DllMain

I spent many years prior to coming to Microsoft doing "dangerous" things inside of DllMain. If you're a diagnostic tool developer, it's often the only reasonable place to take key actions that must occur as soon as possible.

Unfortunately, the MSDN doc has long warned against doing much of anything inside your DllMain code. Unfortunately, the list of "OK" things to do seemed unreasonably restrictive, and I could never find a comprehensive list of why things shouldn't be done inside DllMain.

A big part of the issues concern the relatively undocumented "Loader Lock", which is essentially a critical section that the OS enters and leaves on your behalf in a variety of places, not just DllMain. Without a good understanding of it, you might go nuts trying to figure out why some seemingly fine piece of code chokes.

I learned about many mysteries of DllMain the hard way. Now it's finally here in blessed MSDN form:

https://www.microsoft.com/whdc/driver/kernel/DLL_bestprac.mspx

Interestingly, one useful nugget of information that's not in the article is that GetProcAddress temporarily requires the loader lock. (At least that's my recollection from a few years ago. It may have changed since then. YMMV.)

If only this document had been around 13 years ago when I first needed it!

Comments

  • Anonymous
    June 22, 2006
    On the documentation page of my website, www.smidgeonsoft.com, one will find notes on the loader lock that I put together a while back.  These observations were based on WinXP SP1.  One interesting fact that I learned was that two APIs were added to NTDLL for WinXP called LdrLockLoaderLock and LdrUnlockLoaderLock.  My notes include a cross-reference to DLLs outside of NTDLL that were using these APIs as well as a comprehensive list of where inside NTDLL the loader lock was referenced.
  • Anonymous
    June 26, 2006
    PingBack from http://blogates.com/twinsant/2006/06/23/yesterday-readings-160/
  • Anonymous
    June 29, 2006
    The comment has been removed
  • Anonymous
    June 30, 2006
    I think that this is a much better overview than that document.

    http://blogs.msdn.com/mgrier/default.aspx
  • Anonymous
    June 17, 2009
    PingBack from http://pooltoysite.info/story.php?id=2283