flat assembler
Message board for the users of flat assembler.

remove unnecessary DLL's

chaoscode
Joined: 21 Nov 2006
Posts: 64
Hi, when I create a process there are already some DLLs in userspace.
Is it possible to get rid of them? (Except Kernel32.dll)

Best regards
Dennis

_________________
Every time someone talks something other than English, I can't understand anything.
Post 13 Jan 2012, 12:44
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
If they are system "essential" DLLs then you shouldn't even bother.

However you can inject a DLL to unmap the other DLLs using GetModuleHandle and FreeLibrary.

It's a trick that I have practically never tried myself. But I hope it works for you.
Post 13 Jan 2012, 15:18
chaoscode
Joined: 21 Nov 2006
Posts: 64
The problem is, the free userspace is very fragmented. I wrote an application to get the free memory list in userspace and noticed that the largest free block is about 1.784.348.672 bytes, and the other space (304.132.096 bytes) is fragmented. (Or in total, 59.002.879 bytes are occupied for nothing!)

Post 13 Jan 2012, 15:45
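The measurement described in the post above (largest free block versus the fragmented remainder), as an added example that is not part of the original thread. The region list is constructed sample data and the names `region_t`, `free_stats_t`, `analyze_free_space` and `sample_stats` are hypothetical; on Windows the occupied ranges would be collected by walking the address space with `VirtualQuery`.

```c
#include <stdint.h>
#include <stdio.h>

/* One occupied range (image, heap, stack, ...); the list is sorted by base. */
typedef struct { uint64_t base, size; } region_t;
typedef struct {
    uint64_t total_free;   /* sum of all free gaps                 */
    uint64_t largest_free; /* biggest single contiguous gap        */
    uint64_t fragmented;   /* free space outside the largest gap   */
    size_t   gaps;         /* number of separate free blocks       */
} free_stats_t;

/* Account for every gap between occupied regions inside [lo, hi). */
free_stats_t analyze_free_space(const region_t *r, size_t n,
                                uint64_t lo, uint64_t hi) {
    free_stats_t s = {0, 0, 0, 0};
    uint64_t cursor = lo;              /* first address not yet accounted for */
    for (size_t i = 0; i <= n; i++) {
        uint64_t next = (i < n) ? r[i].base : hi;  /* last gap runs up to hi */
        if (next > cursor) {
            uint64_t gap = next - cursor;
            s.total_free += gap;
            s.gaps++;
            if (gap > s.largest_free) s.largest_free = gap;
        }
        if (i < n && r[i].base + r[i].size > cursor)
            cursor = r[i].base + r[i].size;        /* skip the occupied range */
    }
    s.fragmented = s.total_free - s.largest_free;
    return s;
}

/* Constructed 32-bit layout: a small image low, loader-mapped DLLs high. */
static const region_t SAMPLE[] = {
    {0x00010000u, 0x00020000u},  /* process data (constructed)  */
    {0x00400000u, 0x00010000u},  /* executable image            */
    {0x75000000u, 0x00100000u},  /* DLL mapped by the loader    */
    {0x77000000u, 0x00180000u},  /* DLL mapped by the loader    */
    {0x7FFE0000u, 0x00010000u},  /* system-reserved range       */
};

free_stats_t sample_stats(void) {
    return analyze_free_space(SAMPLE, sizeof SAMPLE / sizeof *SAMPLE,
                              0x00010000u, 0x7FFF0000u);
}

int main(void) {
    free_stats_t s = sample_stats();
    printf("gaps=%zu largest=0x%llx fragmented=0x%llx\n", s.gaps,
           (unsigned long long)s.largest_free, (unsigned long long)s.fragmented);
    return 0;
}
```

In the constructed layout the two DLL mappings split the space above the image into separate blocks, which is the effect the post reports.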
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
So is your purpose just to strip them off your app's memory?

Obviously they contain code that executes for the sake of the system's integrity.
Post 13 Jan 2012, 15:51
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
The short answer is "no".

When your process is running in the win32 subsystem, you live by win32's rules. Not all of this is documented, and the implementation differs between various Windows versions.
Post 13 Jan 2012, 15:56
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
f0dder wrote:
The short answer is "no".

There's a tool that does achieve this, I just forgot its name. I think it's made by one of the Microsoft guys.

I'll see if I can find it again.
Post 13 Jan 2012, 16:31
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Here's one also from Kaspersky | http://z-oleg.com/secur/avz/download.php

The site is in Russian so use Google Chrome for translation.

good tool too
Post 13 Jan 2012, 17:21
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
typedef wrote:
Here's one also from Kaspersky | http://z-oleg.com/secur/avz/download.php
The site is in Russian so use Google Chrome for translation.
good tool too
What does an antivirus program have to do with getting rid of DLLs in your process address space that you didn't explicitly include yourself? O_o

_________________
carpe noctem
Post 13 Jan 2012, 17:40
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
I think they updated the feature. I'm still looking.
Post 13 Jan 2012, 18:22
chaoscode
Joined: 21 Nov 2006
Posts: 64
Which other subsystems does Windows provide? I heard something about native and POSIX.
Is kernel32.dll not enough?

Post 13 Jan 2012, 21:03
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
Afaik, just native and posix - it's been a while since I messed with either, but I wouldn't be surprised if posix has a bit more DLLs than you expect. Native will have the least, but still... keep in mind that the DLLs you import are those that you explicitly request be present, not the only ones.
Post 13 Jan 2012, 21:37
Copyright © 1999-2020, Tomasz Grysztar.