In Windows, every DLL starts by executing its initialization function known as DllMain. This function runs while internal loader synchronization objects, including loader lock, are held. So, you must be especially careful not to violate a lock hierarchy in your DllMain; otherwise, a deadlock may occur.

The intentions of this document are to:

- Compare the Windows, Linux, and sometimes MacOS loaders

- Provide perspective on architectural and ecosystem differences as well as how they coincide with the loader

- Including experiments on how flexible or rigid they are with what can safely be done during module initialization (with the loader's internal locks held)

- Formally document how a modern Windows loader supports concurrency

- Current open source Windows implementations, including Wine and ReactOS, perform locking similar to the legacy Windows loader (they presently don't support the "parallel loading" ability present in a modern Windows loader)

- Educate, satisfy curiosity, and help fellow reverse engineers

For Your Clear Understanding I Posted This Article Sequence Wise Like What Is The Work Of This Trojan And How This Trojan Work And The Main Thing The Algorithm Of The Source Code Lets We Discuss One By One In Next Lines.

Playing ROP’em COP’em Robots with WriteProcessMemory()
77 minute read

Whilst this article is designed to stand on its own, if you’re interested, you can find my previous articles on these topics here, here, here and here. Surprisingly, despite all this research being over a decade old, it’s still completely relevant today. The more things change, the more they stay the same, I guess?

hook, refers to a technique used to advance the use of api intercept and process windows messages. Such as a keyboard hook, the Trojans have a lot of this stuff, monitor your keyboard.

Updated