whoknows, posted August 2, 2020:

https://dzone.com/articles/windows-api-hooking-and-dll-injection
kao, posted August 3, 2020:

This code and accompanying article are worse than most ConfuserEx mods written by script kiddies... Where do I start?

> we imply the hook setup code is located in DllMain function of the external DLL

Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock.

> Passing a pointer to the DLL hook (the one we initialized using VirtualAllocEx and WriteProcessMemory) as a lpParameter.

"DLL hook"... You mean DLL name? Like, I don't know... a string?

> Microsoft Detour, ... requires a paid subscription for hooking on x64

Not since 2018... And it's called "Detours".

And the cherry on the top! Quote:

```c
HANDLE hThread = CreateRemoteThread(processInformation.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)lpLoadLibraryW, lpRemoteString, NULL, NULL);
if (!hThread)
{
    PrintError(TEXT("CreateRemoteThread failed"));
}
else
{
    WaitForSingleObject(hThread, 4000);
    //resume suspended process
    ResumeThread(processInformation.hThread);
}
// free allocated memory
VirtualFreeEx(processInformation.hProcess, lpRemoteString, 0, MEM_RELEASE);
// close process handle
CloseHandle(processInformation.hProcess);
return TRUE;
```

Just 4 problems in 9 lines of code! Must be a world record or something!

1) If CreateRemoteThread fails, the child process is left hanging;
2) WaitForSingleObject with a 4000ms timeout assumes that the remote thread runs immediately and that the hook DLL loads and does its stuff immediately. You just created a race condition between the hooking thread and the main process thread.
3) WaitForSingleObject with timeout + VirtualFreeEx creates another nasty race condition.
4) You should close the thread handle for the process you created: CloseHandle(processInformation.hThread);
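The pattern kao is picking apart (a remote thread whose start routine is kernel32!LoadLibraryW, created in a process the injector controls) is exactly the signature a defender looks for in endpoint telemetry. As an added example, not code from the article or from anyone in this thread, here is a small Python detector run over constructed Sysmon Event ID 8 (CreateRemoteThread) records. Sysmon's real output is XML; the flattened key=value layout, the sample process names and addresses, and the allow-list of trusted tooling are all assumptions made for illustration. It generalizes slightly beyond the article's snippet by also matching the LoadLibraryA and LoadLibraryEx* variants.

```python
"""Flag LoadLibrary-based remote-thread DLL injection in Sysmon Event ID 8 data.

Added example, not code from the DZone article or from this thread. The
records below are constructed and use a flattened key=value layout instead of
Sysmon's real XML; the allow-list of trusted injector images is an assumption.
"""

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records, one per line.
# Field names follow Sysmon's; every value is made up for illustration.
SAMPLE_EVENTS = [
    # The article's pattern: a cross-process thread started at LoadLibraryW.
    "SourceProcessId=4120 SourceImage=C:\\Users\\dev\\injector.exe "
    "TargetProcessId=5544 TargetImage=C:\\Windows\\System32\\notepad.exe "
    "NewThreadId=5560 StartAddress=0x00007FFB1A2C3A40 "
    "StartModule=C:\\Windows\\System32\\KERNEL32.DLL StartFunction=LoadLibraryW",
    # Same process on both sides: a process loading a DLL on its own thread.
    "SourceProcessId=5544 SourceImage=C:\\Windows\\System32\\notepad.exe "
    "TargetProcessId=5544 TargetImage=C:\\Windows\\System32\\notepad.exe "
    "NewThreadId=5570 StartAddress=0x00007FFB1A2C3A40 "
    "StartModule=C:\\Windows\\System32\\KERNEL32.DLL StartFunction=LoadLibraryW",
    # A debugger attaching: cross-process, but the start routine is not LoadLibrary.
    "SourceProcessId=2200 SourceImage=C:\\Tools\\windbg.exe "
    "TargetProcessId=5544 TargetImage=C:\\Windows\\System32\\notepad.exe "
    "NewThreadId=5580 StartAddress=0x00007FFB1C0F1230 "
    "StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=DbgUiRemoteBreakin",
    # A sanctioned hooking agent (assumed allow-listed) doing the same injection.
    "SourceProcessId=3100 SourceImage=C:\\Tools\\hook-agent.exe "
    "TargetProcessId=5544 TargetImage=C:\\Windows\\System32\\notepad.exe "
    "NewThreadId=5590 StartAddress=0x00007FFB1A2C3A40 "
    "StartModule=C:\\Windows\\System32\\KERNEL32.DLL StartFunction=LoadLibraryW",
]

# Start routines that mean "load a DLL by name into the target" (lower-cased).
LOADLIBRARY_FUNCS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

# Assumption: images of tools that are allowed to inject on this host.
TRUSTED_INJECTORS = {"c:\\tools\\hook-agent.exe"}


def parse_event(line):
    """Turn one flattened 'Key=Value Key=Value ...' record into a dict."""
    event = {}
    for token in line.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def is_loadlibrary_injection(event, trusted=TRUSTED_INJECTORS):
    """True when a non-trusted process starts a LoadLibrary* thread in another process."""
    cross_process = event.get("SourceProcessId") != event.get("TargetProcessId")
    start_fn = event.get("StartFunction", "").lower()
    source = event.get("SourceImage", "").lower()
    return cross_process and start_fn in LOADLIBRARY_FUNCS and source not in trusted


def scan(lines, trusted=TRUSTED_INJECTORS):
    """Return one finding per record that matches the injection pattern."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if is_loadlibrary_injection(ev, trusted):
            findings.append({
                "source": ev.get("SourceImage"),
                "target": ev.get("TargetImage"),
                "thread": ev.get("NewThreadId"),
                "start": f"{ev.get('StartModule')}!{ev.get('StartFunction')}",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"remote LoadLibrary thread: {f['source']} -> {f['target']} "
              f"(tid {f['thread']}, start {f['start']})")
```

Note that the handle leaks and the WaitForSingleObject/VirtualFreeEx races kao lists never show up in this telemetry: the thread-start signature is identical whether the injector synchronises correctly or not, which is why the detection keys on the start routine and the cross-process relationship rather than on the injector's behaviour afterwards.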
Kuranes, posted March 21, 2021:

> On 8/4/2020 at 12:36 AM, kao said:
> This code and accompanying article are worse than most ConfuserEx mods written by script kiddies... Where do I start? Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock. "DLL hook"... You mean DLL name? Like, I don't know... a string? Not since 2018... And it's called "Detours". And the cherry on the top! Just 4 problems in 9 lines of code! Must be a world record or something! 1) If CreateRemoteThread fails, the child process is left hanging; 2) WaitForSingleObject with a 4000ms timeout assumes that the remote thread runs immediately and that the hook DLL loads and does its stuff immediately. You just created a race condition between the hooking thread and the main process thread. 3) WaitForSingleObject with timeout + VirtualFreeEx creates another nasty race condition. 4) You should close the thread handle for the process you created: CloseHandle(processInformation.hThread);

Good catch, I'm learning about API hooking and DLL injection; I wouldn't want to learn from some 'lazily' written article.
boot, posted August 14, 2023:

These are very friendly tutorials, which provide some references for beginners... 😏