[SOLVED]About madchook at win 8.1 x64

c++ / delphi package - dll injection and api hooking
dihin
Posts: 4
Joined: Tue Jan 21, 2014 12:24 pm

Post by dihin »

I use madchook on Win 8.1 x64 and found that we cannot find the ntdll.dll module in the process create notify.

At this moment the Ldr pointer in the PEB is null.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: About madchook at win 8.1 x64

Post by madshi »

Are you using the latest version (3.1.6)? It works just fine with win 8.1 x64:

http://madshi.net/madCollection.exe (installer 2.7.8.0, madCodeHook 3.1.6)
dihin

Re: About madchook at win 8.1 x64

Post by dihin »

Thank you for your reply.
Yes, I am using the latest version. Is a new process injected by InjectLibrary64 on Win 8.1 x64?
madshi

Re: About madchook at win 8.1 x64

Post by madshi »

Are we talking about a new 32bit or 64bit process? I assume you're talking about the injection driver's source code when talking about "process create notify" etc? Can you please give me a bit more information? What is "not found" where exactly in the source code?
dihin

Re: About madchook at win 8.1 x64

Post by dihin »

Yes, I am talking about injection into a new 64-bit process in DriverEvent_NewProcess.
The invoke path is: InjectIntoProcess --> InjectLibrary --> InjectLibrary64

But in CreateProcessNotifyRoutine, ntdll has not been loaded yet on Win 8.1, so how can the ntdll!nttestalert code be changed?
madshi

Re: About madchook at win 8.1 x64

Post by madshi »

Are you sure you're really looking at the latest madCodeHook version's source code? If you look at "InitInjectLibrary()", there's a comment like this:

// Windows 8 doesn't seem to have ntdll loaded in system, anymore
// so we wait until the user application tries to inject
// then we look for the ntdll which is loaded in the user process

This seems to work just fine for me in win 8.1 x64. Please try this demo:

http://madshi.net/PrintMonitor.zip

Does it work on your win 8.1 x64 PC?
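The null PEB.Ldr that dihin reports, and the loader timing behind the InitInjectLibrary comment madshi quotes, can be observed from user mode without the driver. The PowerShell script below is an added example and is not madCodeHook code or anything from this thread. It assumes a 64-bit PowerShell host on 64-bit Windows (8.1 or later), the 64-bit PEB layout (the Ldr pointer at offset 0x18; it would be 0x0C in a 32-bit PEB), and uses notepad.exe as a throwaway target. It creates the target suspended, reads PEB.Ldr via NtQueryInformationProcess and ReadProcessMemory before the initial thread has executed ntdll's initialisation, then resumes the thread and reads the same field again.

```powershell
# Added example, not madCodeHook code. Assumes 64-bit PowerShell on 64-bit Windows 8.1+,
# so notepad.exe is the native 64-bit image and PEB.Ldr is the pointer at PEB + 0x18.
if (-not [Environment]::Is64BitProcess) { throw 'Run this from a 64-bit PowerShell host.' }

$src = @"
using System;
using System.Runtime.InteropServices;

public static class PebProbe
{
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION
    {
        public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority,
                      UniqueProcessId, InheritedFromUniqueProcessId;
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    public const uint CREATE_SUSPENDED = 0x00000004;

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(string app, string cmd, IntPtr pa, IntPtr ta, bool inherit,
        uint flags, IntPtr env, string cwd, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll")] public static extern uint ResumeThread(IntPtr hThread);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr addr, out IntPtr buf, IntPtr size, out IntPtr read);
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        ref PROCESS_BASIC_INFORMATION pbi, int len, out int retLen);

    // Read PEB.Ldr of another process: PebBaseAddress comes from ProcessBasicInformation (class 0),
    // followed by one pointer-sized read at PEB + 0x18 (64-bit layout, an assumption of this example).
    public static IntPtr ReadLdr(IntPtr hProcess)
    {
        var pbi = new PROCESS_BASIC_INFORMATION();
        int retLen;
        int status = NtQueryInformationProcess(hProcess, 0, ref pbi, Marshal.SizeOf(pbi), out retLen);
        if (status != 0) throw new Exception("NtQueryInformationProcess failed: 0x" + status.ToString("X8"));
        IntPtr ldr, read;
        if (!ReadProcessMemory(hProcess, IntPtr.Add(pbi.PebBaseAddress, 0x18), out ldr, (IntPtr)8, out read))
            throw new System.ComponentModel.Win32Exception();
        return ldr;
    }
}
"@
Add-Type -TypeDefinition $src

$startInfo = New-Object PebProbe+STARTUPINFO
$startInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($startInfo)
$procInfo = New-Object PebProbe+PROCESS_INFORMATION
$exe = Join-Path $env:SystemRoot 'System32\notepad.exe'   # throwaway target (assumption)

# Create the process suspended: the kernel has already built the PEB, but the initial thread has not
# run ntdll's initialisation yet, so nothing has filled in PEB.Ldr or the module lists it points to.
$ok = [PebProbe]::CreateProcess($exe, $null, [IntPtr]::Zero, [IntPtr]::Zero, $false, [PebProbe]::CREATE_SUSPENDED, [IntPtr]::Zero, $null, [ref]$startInfo, [ref]$procInfo)
if (-not $ok) { throw "CreateProcess failed, Win32 error $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())" }

try {
    $before = [PebProbe]::ReadLdr($procInfo.hProcess)
    '{0,-32} PEB.Ldr = 0x{1:X16}' -f 'suspended, before loader init:', $before.ToInt64()

    # Let the initial thread run; ntdll's process initialisation populates Ldr and the module lists.
    [void][PebProbe]::ResumeThread($procInfo.hThread)
    Start-Sleep -Milliseconds 500
    $after = [PebProbe]::ReadLdr($procInfo.hProcess)
    '{0,-32} PEB.Ldr = 0x{1:X16}' -f 'running, after loader init:', $after.ToInt64()
}
finally {
    Stop-Process -Id $procInfo.dwProcessId -Force -ErrorAction SilentlyContinue
    [void][PebProbe]::CloseHandle($procInfo.hThread)
    [void][PebProbe]::CloseHandle($procInfo.hProcess)
}
```

The first read is taken in the same window a process-creation notify routine sees: the new process's initial thread has not executed any user-mode code, so the kernel-built PEB exists but its Ldr pointer and the module lists behind it have not been set up by ntdll. That is why a driver cannot walk the new process's loader data at that point, and why deferring the ntdll lookup until a user-mode process triggers the injection, as the quoted comment describes, sidesteps the problem.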
dihin

Re: About madchook at win 8.1 x64

Post by dihin »

Yes, you are right. Sorry for my carelessness, and thanks for your help.
madshi

Re: [SOLVED]About madchook at win 8.1 x64

Post by madshi »

No problem. So everything's working fine now?