Myah Caron qsniyg@protonmail.com writes:
Sorry, I'm not quite sure I understand... how could I tweak the usage of ldr.EntryPoint in order to achieve the same result?
To clarify, the issue is that under Windows, it seems like Flags & LDR_IMAGE_IS_DLL is only evaluated once at the beginning, and then cached for the rest of the DLL's lifetime. No matter how Flags is subsequently modified (even if it's modified before the initial DllMain call), it will always seem to call DllMain if the Characteristics was set as IMAGE_FILE_DLL.
You'd make sure ldr.EntryPoint is set only when we actually have a dll entry point to call.