A process can't be injected

c++ / delphi package - dll injection and api hooking


Postby Fengyun » Wed Apr 09, 2014 10:14 am

Hi, madshi:

I'm working for a security company.
I need to hook all applications and monitor file transmission.
But a social application can't be injected when I use madCodeHook 3.0.

The process is qq.exe. Its download URL: http://im.qq.com/pcqq/
I find that when qq.exe starts, it starts a process called qqprotect.exe.
I think that qqprotect.exe stops injection into qq.exe.

Can you help me to inject into qq.exe? Thank you!
Fengyun
 
Posts: 8
Joined: Wed Apr 09, 2014 10:03 am

Re: A process can't be injected

Postby madshi » Wed Apr 09, 2014 10:39 am

Which OS did you test this on? Which exact madCodeHook version are you using? Are you using system/session wide DLL injection? Or some other kind of injection? Did you start the injection before qq.exe is started or afterwards?
madshi
Site Admin
 
Posts: 9879
Joined: Sun Mar 21, 2004 5:25 pm

Re: A process can't be injected

Postby Fengyun » Thu Apr 10, 2014 4:13 am

My OS is Win7 32bit.
My madCodeHook version is 3.1.6.
I use system/session wide DLL injection.

It's very strange: today, regardless of whether it is before or after qq.exe is started, it can be injected into...

But there's still a small problem: my host process calls UninjectLibrary and then exits. All other processes uninject successfully, but my hook dll still stays in the qq.exe process.
Fengyun
 
Posts: 8
Joined: Wed Apr 09, 2014 10:03 am

Re: A process can't be injected

Postby madshi » Thu Apr 10, 2014 7:19 am

I'm not sure what's going on there. That process is probably using some sort of sandbox or so. madCodeHook uninjects the hook dll simply by calling FreeLibrary(). If the sandbox blocks FreeLibrary(), uninjection will only partially succeed. Probably the unhooking of the APIs will succeed, but the dll will stay loaded. At this point there's not much I can do about it. If a process blocks the APIs which are used by madCodeHook then this is outside of my control.
madshi
Site Admin
 
Posts: 9879
Joined: Sun Mar 21, 2004 5:25 pm
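
To confirm the state described in this thread (the hook dll still loaded in one process after uninjection, because the FreeLibrary() call did not take effect there), the loaded modules of every process can be listed and filtered by dll name. This is an added example, not part of the original posts or of madCodeHook; the function name `Find-ResidualModule` and the dll name `HookDll.dll` are placeholders.

```powershell
# Added example: report every process that still has a given dll loaded.
# Run from an elevated shell with the same bitness as the processes checked.
function Find-ResidualModule {
    param(
        [Parameter(Mandatory)][string]$ModuleName   # file name only, e.g. 'HookDll.dll'
    )

    foreach ($proc in Get-Process) {
        try {
            # -Module lists the dlls mapped into the process. It fails for
            # processes the caller may not open (protected or already exited).
            $modules = Get-Process -Id $proc.Id -Module -ErrorAction Stop
        } catch {
            # A process that cannot be read is reported, not silently skipped:
            # "no match" and "could not look" are different results.
            [pscustomobject]@{
                ProcessId = $proc.Id
                Process   = $proc.ProcessName
                Status    = 'NotReadable'
                Path      = $null
            }
            continue
        }

        foreach ($m in $modules) {
            if ($m.ModuleName -ieq $ModuleName) {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Process   = $proc.ProcessName
                    Status    = 'StillLoaded'
                    Path      = $m.FileName
                }
            }
        }
    }
}

# 'HookDll.dll' is a placeholder for the name of the injected hook dll.
Find-ResidualModule -ModuleName 'HookDll.dll' |
    Sort-Object Status, Process |
    Format-Table -AutoSize
```

A `StillLoaded` row after the host process has called UninjectLibrary marks a process where the dll was not unloaded; `NotReadable` rows need a separate check, since the module list of those processes could not be read.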

