[SOLVED]About madchook at win 8.1 x64
I use madCodeHook on Win 8.1 x64 and found that we cannot find the ntdll.dll module at the process create notify.
At this moment the Ldr in the PEB is null.
Last edited by dihin on Fri Jan 24, 2014 8:55 am, edited 1 time in total.
Re: About madchook at win 8.1 x64
Are you using the latest version (3.1.6)? It works just fine with win 8.1 x64:
http://madshi.net/madCollection.exe (installer 2.7.8.0, madCodeHook 3.1.6)
Re: About madchook at win 8.1 x64
Thank you for your reply.
Yes, I am using the latest version. Is a new process injected by InjectLibrary64 on Win 8.1 x64?
Re: About madchook at win 8.1 x64
Are we talking about a new 32bit or 64bit process? I assume you're talking about the injection driver's source code when talking about "process create notify" etc? Can you please give me a bit more information? What is "not found" where exactly in the source code?
Re: About madchook at win 8.1 x64
Yes, I am talking about new 64-bit process injection at DriverEvent_NewProcess.
The invoke path is: InjectIntoProcess --> InjectLibrary --> InjectLibrary64
But at CreateProcessNotifyRoutine the ntdll has not been loaded on Win 8.1, so how do I change the ntdll!NtTestAlert code?
Re: About madchook at win 8.1 x64
Are you sure you're really looking at the latest madCodeHook version's source code? If you look at "InitInjectLibrary()", there's a comment like this:
// Windows 8 doesn't seem to have ntdll loaded in system, anymore
// so we wait until the user application tries to inject
// then we look for the ntdll which is loaded in the user process
This seems to work just fine for me in win 8.1 x64. Please try this demo:
http://madshi.net/PrintMonitor.zip
Does it work on your win 8.1 x64 PC?
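The comment above describes the user-mode side of the workaround: instead of expecting ntdll in the System process at create-notify time, the driver waits for the user application and locates ntdll in that process. The check below is an added example, not code from madCodeHook or from either poster: it walks the current process's PEB->Ldr InLoadOrderModuleList from user mode to report whether ntdll.dll is present, and it treats a NULL Ldr (the early-process state the original question describes) as "no modules yet" rather than crashing. The function names peb_ldr_address, list_loaded_modules and ntdll_loaded are my own; the structure layouts are the documented PEB_LDR_DATA, LDR_DATA_TABLE_ENTRY and PROCESS_BASIC_INFORMATION layouts, and the PEB.Ldr offsets (0x18 on x64, 0x0C on x86) are assumed from the public PEB layout. On non-Windows platforms the functions return None or an empty list so the script can still be imported.

```python
"""Added example: check whether ntdll.dll is in the current process's
PEB->Ldr load-order list. Runs only on Windows (x86 or x64 Python)."""
import ctypes
import sys

ON_WINDOWS = sys.platform == "win32"
PTR_SIZE = ctypes.sizeof(ctypes.c_void_p)
# Assumption: PEB.Ldr lives at 0x18 on x64 and 0x0C on x86 (public PEB layout).
PEB_LDR_OFFSET = 0x18 if PTR_SIZE == 8 else 0x0C
PROCESS_BASIC_INFORMATION_CLASS = 0
MAX_ENTRIES = 4096  # guard against a corrupted, non-terminating list


class LIST_ENTRY(ctypes.Structure):
    _fields_ = [("Flink", ctypes.c_void_p), ("Blink", ctypes.c_void_p)]


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort),        # bytes, not characters
                ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_void_p)]


class LDR_DATA_TABLE_ENTRY(ctypes.Structure):
    # Leading fields only; InLoadOrderLinks is at offset 0, so a list link
    # address is also the entry address.
    _fields_ = [("InLoadOrderLinks", LIST_ENTRY),
                ("InMemoryOrderLinks", LIST_ENTRY),
                ("InInitializationOrderLinks", LIST_ENTRY),
                ("DllBase", ctypes.c_void_p),
                ("EntryPoint", ctypes.c_void_p),
                ("SizeOfImage", ctypes.c_ulong),
                ("FullDllName", UNICODE_STRING),
                ("BaseDllName", UNICODE_STRING)]


class PEB_LDR_DATA(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong),
                ("Initialized", ctypes.c_ubyte),
                ("SsHandle", ctypes.c_void_p),
                ("InLoadOrderModuleList", LIST_ENTRY),
                ("InMemoryOrderModuleList", LIST_ENTRY),
                ("InInitializationOrderModuleList", LIST_ENTRY)]


class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("ExitStatus", ctypes.c_long),
                ("PebBaseAddress", ctypes.c_void_p),
                ("AffinityMask", ctypes.c_void_p),
                ("BasePriority", ctypes.c_long),
                ("UniqueProcessId", ctypes.c_void_p),
                ("InheritedFromUniqueProcessId", ctypes.c_void_p)]


def peb_ldr_address():
    """PEB->Ldr of the current process: an address, 0 if Ldr is still NULL
    (the early-process state from the question), None when not on Windows."""
    if not ON_WINDOWS:
        return None
    ntdll = ctypes.WinDLL("ntdll")
    fn = ntdll.NtQueryInformationProcess
    fn.restype = ctypes.c_long
    fn.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_void_p,
                   ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    pbi = PROCESS_BASIC_INFORMATION()
    ret_len = ctypes.c_ulong(0)
    status = fn(ctypes.c_void_p(-1),  # current-process pseudo handle
                PROCESS_BASIC_INFORMATION_CLASS, ctypes.byref(pbi),
                ctypes.sizeof(pbi), ctypes.byref(ret_len))
    if status != 0:
        raise OSError(f"NtQueryInformationProcess failed: 0x{status & 0xFFFFFFFF:08X}")
    ldr = ctypes.c_void_p.from_address(pbi.PebBaseAddress + PEB_LDR_OFFSET).value
    return ldr or 0


def list_loaded_modules():
    """BaseDllName of each module in load order; [] if Ldr is NULL or not on Windows."""
    ldr_addr = peb_ldr_address()
    if not ldr_addr:
        return []
    head = ldr_addr + PEB_LDR_DATA.InLoadOrderModuleList.offset
    ldr = PEB_LDR_DATA.from_address(ldr_addr)
    names = []
    entry_addr = ldr.InLoadOrderModuleList.Flink
    for _ in range(MAX_ENTRIES):
        if not entry_addr or entry_addr == head:
            break
        entry = LDR_DATA_TABLE_ENTRY.from_address(entry_addr)
        name = entry.BaseDllName
        if name.Buffer and name.Length:
            names.append(ctypes.wstring_at(name.Buffer, name.Length // 2))
        entry_addr = entry.InLoadOrderLinks.Flink
    return names


def ntdll_loaded():
    """True when ntdll.dll appears in the PEB loader list of this process."""
    return any(n.lower() == "ntdll.dll" for n in list_loaded_modules())


if __name__ == "__main__":
    print("PEB->Ldr:", hex(peb_ldr_address() or 0))
    print("modules:", list_loaded_modules())
    print("ntdll loaded:", ntdll_loaded())
```

In a fully started process ntdll.dll is always the first entry after the main image, so the interesting result is the empty list: that is what a caller sees when it reads the PEB before the loader has initialised it, which is why the driver-side code defers the ntdll lookup until the user application itself injects. The same walk can be pointed at another process by reading its PEB with ReadProcessMemory instead of from_address; that variant is not shown here.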
Re: About madchook at win 8.1 x64
Yes, you are right. Sorry for my carelessness, and thanks for your help.
Re: [SOLVED]About madchook at win 8.1 x64
No problem. So everything's working fine now?