August 3, 2020

This code and accompanying article is worse than most ConfuserEx mods written by script kiddies... Where do I start?

Quote:
> we imply the hook setup code is located in DllMain function of the external DLL

Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock.

Quote:
> Passing a pointer to the DLL hook (the one we initialized using VirtualAllocEx and WriteProcessMemory) as a lpParameter.

"DLL hook"... You mean DLL name? Like, I don't know... a string?

Quote:
> Microsoft Detour, ... requires a paid subscription for hooking on x64

Not since year 2018... And it's called "Detours".

And the cherry on the top!

Quote:
```c
HANDLE hThread = CreateRemoteThread(processInformation.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)lpLoadLibraryW, lpRemoteString, NULL, NULL);
if (!hThread) {
    PrintError(TEXT("CreateRemoteThread failed"));
} else {
    WaitForSingleObject(hThread, 4000);
    //resume suspended process
    ResumeThread(processInformation.hThread);
}
// free allocated memory
VirtualFreeEx(processInformation.hProcess, lpRemoteString, 0, MEM_RELEASE);
// close process handle
CloseHandle(processInformation.hProcess);
return TRUE;
```

Just 4 problems in 9 lines of code! Must be a world record or something!

1) if CreateRemoteThread fails, child process is left hanging;
2) WaitForSingleObject with 4000ms timeout assumes that remote thread runs immediately and that hook DLL loads and does its stuff immediately. You just created a race condition between hooking thread and main process thread.
3) WaitForSingleObject with timeout + VirtualFreeEx creates another nasty race condition.
4) You should close the thread handle for the process you created: CloseHandle(processInformation.hThread);
March 21, 2021

On 8/4/2020 at 12:36 AM, kao said:
> This code and accompanying article is worse than most ConfuserEx mods written by script kiddies... Where do I start? Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock. "DLL hook"... You mean DLL name? Like, I don't know... a string? Not since year 2018... And it's called "Detours". And the cherry on the top! Just 4 problems in 9 lines of code! Must be a world record or something!
> 1) if CreateRemoteThread fails, child process is left hanging;
> 2) WaitForSingleObject with 4000ms timeout assumes that remote thread runs immediately and that hook DLL loads and does its stuff immediately. You just created a race condition between hooking thread and main process thread.
> 3) WaitForSingleObject with timeout + VirtualFreeEx creates another nasty race condition.
> 4) You should close the thread handle for the process you created: CloseHandle(processInformation.hThread);

Good catch. I'm learning about API hooking and DLL injection; I wouldn't want to learn from some 'lazily' written article.
August 14, 2023

These are very friendly tutorials, which provide some references for beginners... 😏