Hello all,
I am running a client on Windows. The client subscribes to the module load event and for each loaded module, enumerates the exports and creates a pre_func_cb with dr_wrap for every exported function.
One of the pieces of information I would like to be able to collect from the exported functions that are called, is whether or not the loader lock was held at the time of execution.
I have made an attempt to determine whether the loader lock is held from the pre_func_cb.
My code is as follows (called from the pref_func_cb):
static bool is_loader_lock_held()
{
constexpr ULONG NoWait = 0x2;
constexpr ULONG AcquiredLock = 0x1;
constexpr ULONG RaiseException = 0x1;
ULONG state{ 0 };
ULONG_PTR cookie{ 0 };
if (LdrLockLoaderLock(NoWait, &state, &cookie) < 0L)
{
// Function failed, unknown state
return false;
}
if (state == AcquiredLock)
{
//
// We were able to acquire the lock
// Meaning no other thread had it
LdrUnlockLoaderLock(RaiseException, cookie);
return false;
}
return true;
}
However, this yielded inaccurate results.
For example: exported functions called from DllMain are determined to have been able to acquire the loader lock.
Any suggestions (or course corrections) would be much appreciated!