Hello
I'm very confused with this one. Any help would be appreciated.
I have finished my project and I'm testing it on 5 different computers. The program is supposed to hook a few functions located in Kernel32.dll (mainly to prevent certain Explorer file operations). These are the results:
1- Windows XP 32bit (virtual machine) - Works perfectly
2- Windows Vista 32bit - Works perfectly
3- Windows 7 64bit - Works perfectly
4- Windows 7 64bit (virtual machine) - Failed
5- Windows 8 64bit - Failed
In all 5 computers InjectLibrary and HookAPI return true, but in computers 4 and 5 the callback functions are never called. It is very strange to me that the same files work fine in one of the two Win7-64 but not in the other.
At first I thought that maybe Explorer was not calling the hooked functions but after using an API monitor utility I'm sure it does, so I don't know what might be wrong.
Any ideas?
Thank you!
Do you have any idea of
HookAPI returns true but callback function not being called
Re: HookAPI returns true but callback function not being cal
Please show me your HookAPI() calls.
Re: HookAPI returns true but callback function not being cal
Hello Madshi
Thank you for your kind help. I have spent two days looking at this issue and now I have more information:
At first I said that the problem was occurring in a Windows 7 machine but not in another computer with the same OS. That was wrong, my program works great on both Windows 7 machines, the problem seems to be related to Windows 8 64x only (haven't tested on 32x).
At first I said that the callback functions are never called but that was wrong, the callback functions are called ‘but not always’.
In my code I hook to some (mostly) file-related functions located in Kernel32.dll and also to some registry functions located in Advapi32.dll. All hooked functions of Advapi32.dll seem to work fine, only the functions of Kernel32.dll seem to show the problem.
I have concentrated my testing efforts in two functions: MoveFileExW and NtTerminateProcess, I think if I can fix them I’ll be able to fix the others.
Let’s take a look at MoveFileExW first:
As you can see, the first line of MoveFileExWCallback logs the event, so I may know when the function has been called.
The purpose of the callback function is to prevent moving of certain files through Explorer, but when I use Explorer to move a file the callback function is never executed, even if (according to API monitor utility) Explorer is in fact calling to MoveFileExW.
I wrote a simple EXE just to call MoveFileExW and see if my callback function is executed, and it is!, only in Explorer the callback is not executed.
So, what do you think might be the problem?
The other function I have been testing is NtTerminateProcess, but the problem there is different than this one, so I will create a different thread for it. That way people will be able to find it easily in case the solution is reached.
Thanks!
Thank you for your kind help. I have spent two days looking at this issue and now I have more information:
At first I said that the problem was occurring in a Windows 7 machine but not in another computer with the same OS. That was wrong, my program works great on both Windows 7 machines, the problem seems to be related to Windows 8 64x only (haven't tested on 32x).
At first I said that the callback functions are never called but that was wrong, the callback functions are called ‘but not always’.
In my code I hook to some (mostly) file-related functions located in Kernel32.dll and also to some registry functions located in Advapi32.dll. All hooked functions of Advapi32.dll seem to work fine, only the functions of Kernel32.dll seem to show the problem.
I have concentrated my testing efforts in two functions: MoveFileExW and NtTerminateProcess, I think if I can fix them I’ll be able to fix the others.
Let’s take a look at MoveFileExW first:
Code: Select all
//Next function definition
BOOL (WINAPI *MoveFileExWNext)(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, DWORD dwFlags);
//Callback function
BOOL WINAPI MoveFileExWCallback(LPCWSTR lpExistingFileName, LPCWSTR lpNewFileName, DWORD dwFlags){
AppendToLog(L"MoveFileExW", lpExistingFileName);
if(IsPathTWAMRelatedW(lpExistingFileName)){
SetLastError(ERROR_ACCESS_DENIED);
return FALSE;
}else{
return MoveFileExWNext(lpExistingFileName, lpNewFileName, dwFlags);
}
}
//HookAPI call.
HookAPI("kernel32.dll", "MoveFileExW", MoveFileExWCallback, (PVOID*) &MoveFileExWNext);
The purpose of the callback function is to prevent moving of certain files through Explorer, but when I use Explorer to move a file the callback function is never executed, even if (according to API monitor utility) Explorer is in fact calling to MoveFileExW.
I wrote a simple EXE just to call MoveFileExW and see if my callback function is executed, and it is!, only in Explorer the callback is not executed.
So, what do you think might be the problem?
The other function I have been testing is NtTerminateProcess, but the problem there is different than this one, so I will create a different thread for it. That way people will be able to find it easily in case the solution is reached.
Thanks!
Re: HookAPI returns true but callback function not being cal
Try hooking the APIs in kernelbase.dll instead of kernel32.dll.
Re: HookAPI returns true but callback function not being cal
I works now!!! Thank you.