I’m trying to break on a DLL’s entry point using IDA. I have ‘Suspend on library load’ enabled, but it just breaks at ntdll’s internal DLL loading routines, not the actual entry point. To find the entry, I have to manually trace through the code, which takes a lot of time. Does anyone know how I can break on a DLL’s entry point after it’s loaded using IDA?
Indeed, the LIBRARY_LOADED event may be generated by the operating system too early for your needs.
One way to overcome this is to look up the entry point of the DLL beforehard and add a module-relative breakpoint in IDA. Something like this: mydll.dll+0x1234
You are in luck. It happens that I have a video on this topic AFAIR: https://www.youtube.com/watch?v=fksnjQ20TDE
Of course, this can be automated, etc.
Hope this answers your question.