whoknows, Posted August 2, 2020

https://dzone.com/articles/windows-api-hooking-and-dll-injection
kao, Posted August 3, 2020

This code and accompanying article is worse than most ConfuserEx mods written by script kiddies... Where do I start?

> we imply the hook setup code is located in DllMain function of the external DLL

Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock.

> Passing a pointer to the DLL hook (the one we initialized using VirtualAllocEx and WriteProcessMemory) as a lpParameter.

"DLL hook"... You mean DLL name? Like, I don't know... a string?

> Microsoft Detour, ... requires a paid subscription for hooking on x64

Not since year 2018... And it's called "Detours".

And the cherry on the top!

```c
HANDLE hThread = CreateRemoteThread(processInformation.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)lpLoadLibraryW, lpRemoteString, NULL, NULL);
if (!hThread)
{
    PrintError(TEXT("CreateRemoteThread failed"));
}
else
{
    WaitForSingleObject(hThread, 4000);
    //resume suspended process
    ResumeThread(processInformation.hThread);
}
// free allocated memory
VirtualFreeEx(processInformation.hProcess, lpRemoteString, 0, MEM_RELEASE);
// close process handle
CloseHandle(processInformation.hProcess);
return TRUE;
```

Just 4 problems in 9 lines of code! Must be a world record or something!

1) if CreateRemoteThread fails, child process is left hanging;
2) WaitForSingleObject with 4000ms timeout assumes that remote thread runs immediately and that hook DLL loads and does its stuff immediately. You just created a race condition between hooking thread and main process thread.
3) WaitForSingleObject with timeout + VirtualFreeEx creates another nasty race condition.
4) You should close the thread handle for the process you created: CloseHandle(processInformation.hThread);
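An added example, not part of kao's post or of the DZone article: the CreateRemoteThread + LoadLibraryW sequence quoted above is also exactly the pattern endpoint telemetry picks up. Sysmon records every cross-process thread creation as Event ID 8, with the start module and (where it can resolve it) the export name. The Python below parses a few constructed Event ID 8 records (sample paths and thread ids are made up; the XML namespace and field names follow Sysmon's schema) and flags threads that start at a LoadLibrary* export or, when the export is unresolved, inside kernel32/kernelbase. The two severity levels and the benign debugger case are my own assumptions, not anything the thread states.

```python
"""Detection example: flag Sysmon Event ID 8 (CreateRemoteThread) records whose
new thread starts at a LoadLibrary* export, i.e. the CreateRemoteThread +
LoadLibraryW injection pattern discussed in the thread."""
import xml.etree.ElementTree as ET

# Exports an injector typically hands to CreateRemoteThread as the start routine.
LOADLIBRARY_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Modules hosting those exports; a thread starting inside them with no resolved
# symbol (address-only variant) is still worth a medium-severity alert (assumption).
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}

# Constructed sample records in Sysmon's Event ID 8 XML layout (not real telemetry).
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Users\lab\injector.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="NewThreadId">7001</Data>
    <Data Name="StartModule">C:\Windows\System32\KERNEL32.DLL</Data>
    <Data Name="StartFunction">LoadLibraryW</Data>
  </EventData>
</Event>""",
    # A debugger attaching: remote thread starts at ntdll!DbgUiRemoteBreakin, benign.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Tools\debugger.exe</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="NewThreadId">7002</Data>
    <Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
    <Data Name="StartFunction">DbgUiRemoteBreakin</Data>
  </EventData>
</Event>""",
    # Address-only variant: Sysmon resolved the module but not the export name.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Users\lab\injector.exe</Data>
    <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
    <Data Name="NewThreadId">7003</Data>
    <Data Name="StartModule">C:\Windows\System32\KERNELBASE.dll</Data>
    <Data Name="StartFunction"></Data>
  </EventData>
</Event>""",
]


def _local(tag: str) -> str:
    """Drop the XML namespace prefix ('{ns}Data' -> 'Data')."""
    return tag.rsplit("}", 1)[-1]


def parse_event(xml_text: str) -> dict:
    """Flatten one Sysmon event into {field: value}; EventID becomes an int."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "EventID":
            fields["EventID"] = int((el.text or "0").strip())
        elif name == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    return fields


def classify(ev: dict):
    """Return (severity, reason) for a remote-thread event, or None if it looks benign."""
    if ev.get("EventID") != 8:
        return None
    func = ev.get("StartFunction", "")
    module = ev.get("StartModule", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if func in LOADLIBRARY_FUNCS:
        return "high", f"remote thread starts at {func}: LoadLibrary-style DLL injection"
    if not func and module in LOADER_MODULES:
        return "medium", f"remote thread starts inside {module} at an unresolved export"
    return None


def flag_remote_loadlibrary(xml_events) -> list:
    """Run classify() over raw event XML and collect the alerts in input order."""
    alerts = []
    for text in xml_events:
        ev = parse_event(text)
        verdict = classify(ev)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({
            "severity": severity,
            "source": ev.get("SourceImage", ""),
            "target": ev.get("TargetImage", ""),
            "thread_id": ev.get("NewThreadId", ""),
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for a in flag_remote_loadlibrary(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['source']} -> {a['target']} "
              f"(tid {a['thread_id']}): {a['reason']}")
```

Real deployments would feed `flag_remote_loadlibrary` from the exported Sysmon channel rather than inline strings, and would allowlist known sources of remote threads (debuggers, AV engines) by image path and signer before alerting.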
Kuranes, Posted March 21, 2021

> On 8/4/2020 at 12:36 AM, kao said:
>
> This code and accompanying article is worse than most ConfuserEx mods written by script kiddies... Where do I start?
>
> Holy f*ck, have you ever heard of things you should never ever do inside DllMain? Loading another DLL from DllMain is one of the basic ones - it virtually guarantees a deadlock.
>
> "DLL hook"... You mean DLL name? Like, I don't know... a string?
>
> Not since year 2018... And it's called "Detours".
>
> And the cherry on the top!
>
> Just 4 problems in 9 lines of code! Must be a world record or something!
>
> 1) if CreateRemoteThread fails, child process is left hanging;
> 2) WaitForSingleObject with 4000ms timeout assumes that remote thread runs immediately and that hook DLL loads and does its stuff immediately. You just created a race condition between hooking thread and main process thread.
> 3) WaitForSingleObject with timeout + VirtualFreeEx creates another nasty race condition.
> 4) You should close the thread handle for the process you created: CloseHandle(processInformation.hThread);

Good catch. I'm learning about API hooking and DLL injection, and I wouldn't want to learn from some 'lazily' written article.
boot, Posted August 14

These are very friendly tutorials, which provide some references for beginners... 😏