The rest of this section quotes the original text (Microsoft's DllMain best-practices guidance). You should never perform the following tasks from within DllMain:
● Call LoadLibrary or LoadLibraryEx (either directly or indirectly). This can cause a deadlock or a crash.
● Call GetStringTypeA, GetStringTypeEx, or GetStringTypeW (either directly or indirectly). This can cause a deadlock or a crash.
● Synchronize with other threads. This can cause a deadlock.
● Acquire a synchronization object that is owned by code that is waiting to acquire the loader lock. This can cause a deadlock.
● Initialize COM threads by using CoInitializeEx. Under certain conditions, this function can call LoadLibraryEx.
● Call the registry functions.
● Call CreateProcess. Creating a process can load another DLL.
● Call ExitThread. Exiting a thread during DLL detach can cause the loader lock to be acquired again, causing a deadlock or a crash.
● Call CreateThread. Creating a thread can work if you do not synchronize with other threads, but it is risky.
● Call SHGetFolderPathW. Calling shell/known folder APIs can result in thread synchronization, and can therefore cause deadlocks.
● Create a named pipe or other named object (Windows 2000 only). In Windows 2000, named objects are provided by the Terminal Services DLL. If this DLL is not initialized, calls to the DLL can cause the process to crash.
● Use the memory management functions from the dynamic C Run-Time (CRT). If the CRT DLL is not initialized, calls to these functions can cause the process to crash.
● Call functions in User32.dll or Gdi32.dll. Some functions load another DLL, which may not be initialized.
● Use managed code.
Put in terms an attacker can understand: you cannot complete a C2 check-in from inside DllMain. Every step of a check-in runs into the list above: the networking and crypto code it needs is loaded or initialised lazily (LoadLibrary, delay-loaded imports), it normally wants its own thread, and it blocks on I/O while the loader lock is still held, which stalls every other DLL load and thread start in the host process. (The specific way to work around this is introduced later.)
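The deadlock behind "synchronize with other threads" and the CreateThread caveat is easier to see than to describe, so here is an added example (not code from the original post, and not Windows code): a portable pthreads model of the loader. The assumptions are spelled out in the comments: a mutex stands in for the loader lock, dll_main-style functions stand in for DllMain, and, as on Windows, a newly created thread must take the loader lock to deliver DLL_THREAD_ATTACH before it reaches its thread routine. The unbounded wait that hangs a real process is replaced by a bounded retry so the model returns a verdict instead of hanging. The first pattern (create a worker and wait for it from DllMain) never gets its work done; the second (create the worker and return immediately, no synchronization) does.

```c
/* Added example: a pthreads model of the Windows loader lock. Assumption: the
 * loader lock is a plain mutex held for the whole of DllMain and for every
 * DLL_THREAD_ATTACH notification; nothing here is real Win32 code. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdio.h>
#include <time.h>

/* Stand-in for ntdll's loader lock. */
static pthread_mutex_t loader_lock = PTHREAD_MUTEX_INITIALIZER;

/* Stand-in for the work the implant actually wants: the C2 check-in. */
static volatile int beacon_ran;

/* Bounded attempt to take the loader lock. On Windows this wait is unbounded,
 * which is exactly the deadlock; the bound exists only so the model returns.
 * Returns 1 if the lock was taken, 0 if it never became free. */
static int try_loader_lock(int attempts) {
    struct timespec pause = {0, 10 * 1000 * 1000}; /* 10 ms per attempt */
    for (int i = 0; i < attempts; i++) {
        if (pthread_mutex_trylock(&loader_lock) == 0)
            return 1;
        nanosleep(&pause, NULL);
    }
    return 0;
}

/* Thread entry as the loader runs it: DLL_THREAD_ATTACH is delivered under the
 * loader lock before control reaches the caller's thread routine. */
static void *new_thread_entry(void *arg) {
    int *attach_blocked = arg;
    if (!try_loader_lock(50)) {      /* ~500 ms stands in for "forever" */
        *attach_blocked = 1;         /* the thread never started its routine */
        return NULL;
    }
    pthread_mutex_unlock(&loader_lock);  /* DLL_THREAD_ATTACH finished */
    beacon_ran = 1;                      /* the thread routine: check in to C2 */
    return NULL;
}

/* Pattern 1: DllMain creates a worker and waits for it (the "synchronize with
 * other threads" case). The worker can never get past attach while DllMain
 * holds the loader lock, so the check-in never happens. Returns 1 only if the
 * beacon ran, which it does not. */
int dllmain_wait_for_worker(void) {
    int attach_blocked = 0;
    pthread_t worker;
    beacon_ran = 0;
    pthread_mutex_lock(&loader_lock);          /* loader enters DllMain */
    pthread_create(&worker, NULL, new_thread_entry, &attach_blocked);
    pthread_join(worker, NULL);                /* WaitForSingleObject-style wait */
    pthread_mutex_unlock(&loader_lock);        /* DllMain returns (only in the model) */
    return attach_blocked ? 0 : beacon_ran;
}

/* Pattern 2: DllMain creates the worker and returns at once, without touching
 * it again. The loader releases its lock, the worker completes attach, and the
 * check-in runs outside DllMain. The join here is only how the model observes
 * completion; the real DllMain never waits. Returns 1 if the beacon ran. */
int dllmain_fire_and_forget(void) {
    int attach_blocked = 0;
    pthread_t worker;
    beacon_ran = 0;
    pthread_mutex_lock(&loader_lock);          /* loader enters DllMain */
    pthread_create(&worker, NULL, new_thread_entry, &attach_blocked);
    pthread_mutex_unlock(&loader_lock);        /* DllMain returns immediately */
    pthread_join(worker, NULL);                /* observation only, outside the lock */
    return attach_blocked ? 0 : beacon_ran;
}

int main(void) {
    printf("wait for worker inside DllMain : beacon ran = %d\n", dllmain_wait_for_worker());
    printf("create worker and return       : beacon ran = %d\n", dllmain_fire_and_forget());
    return 0;
}
```

The same shape carries over to a real DLL: the thread routine is where anything from the prohibited list (LoadLibrary, WinHTTP, the CRT heap, COM) is safe to call, and DllMain itself must not wait on, signal, or otherwise synchronize with that thread. The model ignores details such as DisableThreadLibraryCalls and the possibility that the process exits before the worker runs, so treat it as an illustration of the lock ordering, not as a template.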