A process can't be injected

Posted: Wed Apr 09, 2014 10:14 am
by Fengyun
Hi, madshi:

I'm working for a security company.
I need to hook all applications and monitor file transmission.
But a social application can't be injected when I use madchook 3.0.

The process is qq.exe. Its download URL: http://im.qq.com/pcqq/
I find that when qq.exe starts, it starts a process called qqprotect.exe.
I think that qqprotect.exe stops injection into qq.exe.

Can you help me to inject into qq.exe? Thank you!

Re: A process can't be injected

Posted: Wed Apr 09, 2014 10:39 am
by madshi
Which OS did you test this on? Which exact madCodeHook version are you using? Are you using system/session wide DLL injection? Or some other kind of injection? Did you start the injection before qq.exe is started or afterwards?

Re: A process can't be injected

Posted: Thu Apr 10, 2014 4:13 am
by Fengyun
My OS is Win7 32bit.
My madCodeHook version is 3.1.6.
I use system/session wide DLL injection.

It's very strange: today, regardless of whether it is before or after qq.exe started, it can be injected into...

But there's still a small problem: my host process calls UninjectLibrary and then exits. All other processes uninject successfully, but my hook DLL still stays in the qq.exe process.

Re: A process can't be injected

Posted: Thu Apr 10, 2014 7:19 am
by madshi
I'm not sure what's going on there. That process is probably using some sort of sandbox or so. madCodeHook uninjects the hook dll simply by calling FreeLibrary(). If the sandbox blocks FreeLibrary(), uninjection will only partially succeed. Probably the unhooking of the APIs will succeed, but the dll will stay loaded. At this point there's not much I can do about it. If a process blocks the APIs which are used by madCodeHook then this is outside of my control.