Query - selective global hooking

c++ / delphi package - dll injection and api hooking
Post Reply
blackpaw
Posts: 33
Joined: Mon Nov 05, 2007 1:08 am

Query - selective global hooking

Post by blackpaw »

I've been testing hooking spoolss.dll functions in spoolsv.exe (Print Spooler Service) and wasn't having much luck until I realised that in windows 7 onwards most print drivers proxy everything into a separate PrintIsolationHost.exe process (launched via dcom/svchost.exe).

I was trying to avoid the need for a global hook, but to do that I would have to hook CreateProcessInternalW in services.exe -> svchost.exe, to inject my dll into PrintIsloationHost.exe. A lot of hassle to avoid signing problems :)

So - I sign & global hook my DLL, but I still want to avoid loading it into every process when its only several exe's I want to hook. Can I:
- In DllMain
- Check the exe name of the loading process
- if Not "PrintIsloationHost.exe"
- return false and abort the load of my hook dll

Would there be any issues with that? performance slowdown etc?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Query - selective global hooking

Post by madshi »

You can use the include list in the InjectLibrary() call to only have your hook dll injected into specific target processes, based on the exe name. You could return "FALSE" in DllMain(), that will make Windows unload your hook dll again. But I do remember that in rare cases this could cause some weird issues. So I'd suggest that if your hook dll gets loaded into a process you're not interested in, just skip the HookAPI() calls and stay loaded. Should not be a problem for performance or stability. Anyway, using an inclusion list of "PrintIsloationHost.exe" should do exactly what you need.
blackpaw
Posts: 33
Joined: Mon Nov 05, 2007 1:08 am

Re: Query - selective global hooking

Post by blackpaw »

Thanks madshi, I'd forgotten about that.
Post Reply