How can I call a function from another .dll which is injected to the same program?

Front-end · Unresolved · 1 · 1559
孤街浪徒 2021-01-07 11:19

My question is really stated above; I will give more information on it below, however:

I have a program which first takes my "false" d3d9.dll, this DLL is then loaded in

1 answer
  • 2021-01-07 11:28

    Back in the old days we used to call CreateRemoteThread and use LoadLibraryA as the address for lpStartAddress (this address happens to be the same in all processes). The trick was to allocate the DLL name you are injecting using VirtualAllocEx and use that as lpParameter. Effectively your thread calls LoadLibraryA with the DLL name you want to inject. When the DLL loads, DllMain gets called and you can run code in DllMain while the DLL is being attached (DLL_PROCESS_ATTACH).

    This link has some very good information on doing just that. However, this technique relies on a DllMain function. If you can use DllMain then this mechanism may work. A summary of the steps from that article gives an overview:

    Now, we can summarize this technique in the following steps:

    1. Retrieve a HANDLE to the remote process (OpenProcess).
    2. Allocate memory in the remote process's address space for injected data (VirtualAllocEx).
    3. Write a copy of the initialised INJDATA structure to the allocated memory (WriteProcessMemory).
    4. Allocate memory in the remote process's address space for injected code.
    5. Write a copy of ThreadFunc to the allocated memory.
    6. Start the remote copy of ThreadFunc via CreateRemoteThread.
    7. Wait until the remote thread terminates (WaitForSingleObject).
    8. Retrieve the result from the remote process (ReadProcessMemory or GetExitCodeThread).
    9. Free the memory allocated in Steps #2 and #4 (VirtualFreeEx).
    10. Close the handles retrieved in Steps #6 and #1 (CloseHandle).

    I saw your comment about too much information; not sure I quite understand. However, DllMain has some restrictions: most Win32 API calls can't be used. There are some exceptions, one being CreateThread. Had you considered spinning off a thread to do the work? If you use CreateThread in a DllMain it effectively gets blocked until DllMain exits, so once DllMain returns the thread will execute.

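The answer above describes the classic CreateRemoteThread + LoadLibraryA pattern, and the quoted article's steps 4 to 6 describe the variant where the thread starts in code copied into freshly allocated memory. From the monitoring side, both variants surface in Sysmon Event ID 8 (CreateRemoteThread), which records SourceImage, TargetImage, StartAddress and, when the start address falls inside a loaded module, StartModule and StartFunction. The following Python is an added example, not code from the answer or from the article it summarises: it parses a handful of constructed Event ID 8 records (flattened here to one "Key: Value | ..." line each, which is an assumption for this example; Sysmon itself writes XML event data with these field names) and flags a remote thread whose start function is a LoadLibrary export, or whose start address is not backed by any module at all.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for the two
thread-start shapes discussed above: a LoadLibrary* export as the thread
entry point, and an entry point outside every loaded module."""
from dataclasses import dataclass

# Constructed sample records (not real telemetry). Each is one Sysmon Event ID 8
# flattened to "Key: Value | Key: Value ..."; the flattening is an assumption.
SAMPLE_EVENTS = [
    "UtcTime: 2021-01-07 11:19:02.113 | SourceImage: C:\\Users\\demo\\AppData\\Local\\Temp\\injector.exe"
    " | SourceProcessId: 4120 | TargetImage: C:\\Games\\game.exe | TargetProcessId: 3188"
    " | StartAddress: 0x00007FFB4C6E1A40 | StartModule: C:\\Windows\\System32\\KERNEL32.DLL"
    " | StartFunction: LoadLibraryA",
    # Benign: csrss.exe starts CtrlRoutine threads in console processes (Ctrl+C delivery).
    "UtcTime: 2021-01-07 11:19:05.402 | SourceImage: C:\\Windows\\System32\\csrss.exe"
    " | SourceProcessId: 612 | TargetImage: C:\\Program Files\\App\\app.exe | TargetProcessId: 2204"
    " | StartAddress: 0x00007FFB4C6F0C10 | StartModule: C:\\Windows\\System32\\KERNEL32.DLL"
    " | StartFunction: CtrlRoutine",
    # Copied-code variant: the start address lies in memory no module was mapped at.
    "UtcTime: 2021-01-07 11:19:09.877 | SourceImage: C:\\Users\\demo\\AppData\\Local\\Temp\\injector.exe"
    " | SourceProcessId: 4120 | TargetImage: C:\\Games\\game.exe | TargetProcessId: 3188"
    " | StartAddress: 0x000001C3A2F40000 | StartModule: - | StartFunction: -",
]

# Exports that load a DLL by name; kernel32 forwards to kernelbase on newer Windows.
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}


@dataclass(frozen=True)
class RemoteThreadEvent:
    utc_time: str
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    start_address: str
    start_module: str
    start_function: str


def parse_event(line: str) -> RemoteThreadEvent:
    """Split one flattened record into its fields; "-" means Sysmon could not resolve it."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    return RemoteThreadEvent(
        utc_time=fields["UtcTime"],
        source_image=fields["SourceImage"],
        source_pid=int(fields["SourceProcessId"]),
        target_image=fields["TargetImage"],
        target_pid=int(fields["TargetProcessId"]),
        start_address=fields["StartAddress"],
        start_module=fields.get("StartModule", "-"),
        start_function=fields.get("StartFunction", "-"),
    )


def classify(ev: RemoteThreadEvent):
    """Return (severity, reason) for a suspicious record, or None for an unremarkable one."""
    module_name = ev.start_module.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if module_name in LOADER_MODULES and ev.start_function in LOADLIBRARY_EXPORTS:
        return ("high", f"remote thread entry point is {ev.start_function}: LoadLibrary-style DLL injection")
    if ev.start_module == "-":
        return ("medium", "remote thread entry point is not backed by any loaded module (code written into the target)")
    return None


def triage(lines):
    """Parse and classify every record, returning one finding per suspicious event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "severity": severity,
            "time": ev.utc_time,
            "source": f"{ev.source_image} (pid {ev.source_pid})",
            "target": f"{ev.target_image} (pid {ev.target_pid})",
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['source']} -> {f['target']}: {f['reason']}")
```

The module-name match is done on the basename because Sysmon reports the full path and the casing varies between Windows builds; the unresolved "-" case is reported at lower severity because JIT runtimes and some debuggers also produce threads whose entry point is outside any module, so it needs a look at the source image before it is treated as an incident.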