A process can't be injected

Fengyun
Posts: 8
Joined: Wed Apr 09, 2014 10:03 am

Post by Fengyun »

Hi, madshi:

I'm working for a security company.
I need to hook all applications and monitor file transmission.
But a social application can't be injected when I use madCodeHook 3.0.

The process is qq.exe. Its download URL: http://im.qq.com/pcqq/
I find that when qq.exe starts, it starts a process called qqprotect.exe.
I think that qqprotect.exe stops injection into qq.exe.

Can you help me to inject into qq.exe? Thank you!
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: A process can't be injected

Post by madshi »

Which OS did you test this on? Which exact madCodeHook version are you using? Are you using system/session wide DLL injection? Or some other kind of injection? Did you start the injection before qq.exe is started or afterwards?
Fengyun
Posts: 8
Joined: Wed Apr 09, 2014 10:03 am

Re: A process can't be injected

Post by Fengyun »

My OS is Win7 32bit.
My madCodeHook version is 3.1.6.
I use system/session wide DLL injection.

It's very strange: today, regardless of whether it is before or after qq.exe started, it can be injected into...

But there's still a small problem: my host process calls UninjectLibrary and then exits. All other processes uninject successfully, but my hook DLL still stays in the qq.exe process.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: A process can't be injected

Post by madshi »

I'm not sure what's going on there. That process is probably using some sort of sandbox or so. madCodeHook uninjects the hook dll simply by calling FreeLibrary(). If the sandbox blocks FreeLibrary(), uninjection will only partially succeed. Probably the unhooking of the APIs will succeed, but the dll will stay loaded. At this point there's not much I can do about it. If a process blocks the APIs which are used by madCodeHook then this is outside of my control.