madshi wrote: Sorry for the late reply, missed this thread for some reason (no notification from the forum this time).
No worries, thanks for getting back to me.
Injection should work just fine, especially from a service, which usually has higher access rights/privileges than a normal user application. Seems you already solved the problem of getting a process handle? The usual way would be to enumerate the running processes and then call OpenProcess(). Enough privileges are needed for that to succeed.
Yes, that side of things is working well, thanks - I cobbled together some code that acquires a handle for any running process by module name. I can post it on the forum if you like; it works on 32/64 bit.
HookAPI() succeeds even for APIs which don't exist - if the to-be-hooked dll is not loaded yet. In that situation madCodeHook has no way to double check whether the API really exists. So it returns true. The actual hooking is done (or attempted to be done) when the to-be-hooked dll is loaded. If the target dll is already loaded at the moment when you call HookAPI(), then HookAPI() should fail for non-existing APIs.
Ah, that makes sense - thanks, I should have figured that out.
My best guess would be that the APIs you've hooked are simply not called. You could double check by calling those APIs yourself from within your hook dll. Does the hook callback function get called then?
I think you're right - using the same code to hook notepad worked as expected. From my reading of MSDN I thought that spoolsv.exe called spoolss.dll to spool its jobs, but that doesn't appear to be the case.
It's a shame, as I really want to just hook one central exe rather than every app on the system.
However all is not lost - spoolsv.exe does seem to call localspl.dll to do its job spooling to disk, shadowing all the print functions like "StartDocPrinter" with "Spl" prefixed. Initial tests look promising.
Alternatively, is it possible to inject into spoolsv.exe when it starts? It loads all the print monitor dlls on startup and I'd like to trap those dlls before it initialises them.
Thanks.