confuse about modify sources of madcodehook

c++ / delphi package - dll injection and api hooking
nemo314
Posts: 6
Joined: Sun May 04, 2014 11:30 am

confuse about modify sources of madcodehook

Post by nemo314 »

It is too much work for me to make a 64-bit process to support both 32 and 64 injection, because my project is too large.

I read the sources of the driver. It looks like GetRemoteProcAddress works right in a 64-bit process, and just some code like Set32bitNtdllInfo can make it support both 32 and 64.

Is it unreliable if I do that?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: confuse about modify sources of madcodehook

Post by madshi »

There is a 32bit and 64bit version of the driver. Which version is loaded does *not* depend on the bitdepth of your exe. It only depends on the bitdepth of the OS. If your OS is x64, the 64bit version of the driver is always used, regardless of whether your own exe is 32bit or 64bit. A 64bit OS cannot load a 32bit driver file.

Those "tricks" (like GetRemoteProcAddress and Set32bitNtdllInfo) you see in the driver source code are unfortunately necessary for injection into wow64/32bit processes in the 64bit driver. There's no way around it (that I know of). But don't worry, it runs very stable, I'm not aware of any stability issues at the moment. And you can just keep your exe as 64bit. No need to add a 32bit version of your exe (except if you need x86 OSs, of course).
nemo314
Posts: 6
Joined: Sun May 04, 2014 11:30 am

Re: confuse about modify sources of madcodehook

Post by nemo314 »

madshi wrote:
There is a 32bit and 64bit version of the driver. Which version is loaded does *not* depend on the bitdepth of your exe. It only depends on the bitdepth of the OS. If your OS is x64, the 64bit version of the driver is always used, regardless of whether your own exe is 32bit or 64bit. A 64bit OS cannot load a 32bit driver file.

Those "tricks" (like GetRemoteProcAddress and Set32bitNtdllInfo) you see in the driver source code are unfortunately necessary for injection into wow64/32bit processes in the 64bit driver. There's no way around it (that I know of). But don't worry, it runs very stable, I'm not aware of any stability issues at the moment. And you can just keep your exe as 64bit. No need to add a 32bit version of your exe (except if you need x86 OSs, of course).

I want to make a 32-bit process call the driver so that it works not only to inject 32-bit processes but also 64-bit ones. I want to write some code like this:

Set64bitNtdllInfo
{
    xxx64 = GetRemoteProcAddress ("xxx")
    xxx64 = GetRemoteProcAddress ("xxx")
    xxx64 = GetRemoteProcAddress ("xxx")
}

and the following code in the xxxxxxWorkerRoutine:

if is64WaitForInjectedProcess
    Set64bitNtdllInfo
else
    Set32bitNtdllInfo

I wonder if I can do this; GetRemoteProcAddress seems to work well in a 64-bit process. It is too easy, which makes me feel there is some reason you do not allow calling from a 32-bit process and injecting both 32 and 64.

I don't want to write a 64-bit process project for calling, because it is too much work in my Solution :sorry: .
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: confuse about modify sources of madcodehook

Post by madshi »

Ah, I understand.

Again, it's not the *driver* you need to worry about. It doesn't matter whether your exe file is 32bit or 64bit. The driver doesn't care.

The one and only reason why your 32bit exe cannot do system/session wide DLL injection for 64bit processes is that the *user* mode part of madCodeHook cannot inject 64bit dlls into 64bit processes, if your own exe is only 32bit. In order to understand this you first need to understand that DLL injection consists of two parts:

(1) In the moment when you call InjectLibrary() for system/session wide DLL injection, the user mode part of madCodeHook enumerates all running processes and manually injects your hook dll into every one of them. This is done by using CreateRemoteThread().
(2) Also the kernel mode driver is loaded. But it doesn't inject your hook DLL into already running processes. The kernel mode driver is only responsible for new processes which are created *after* you called InjectLibrary().

Part (2) of the injection is totally independent of bitdepth. You don't need to look at the driver source code. The driver can already do everything you want. The problem is with part (1). Microsoft has decided that CreateRemoteThread() refuses to work if your own process is 32bit and the target process is 64bit. This is a restriction of the CreateRemoteThread() API which Microsoft intentionally forces on us. I haven't found a way around this limitation yet. Which means part (1) of the injection doesn't work, if your exe is 32bit, and if you want to inject a 64bit hook dll.

So basically you need a 64bit helper process which injects the 64bit hook dll. You can create a very small exe for that which does nothing but call InjectLibrary(). Your 32bit exe could then simply call the 64bit helper exe to start the injection.
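The bitness rule madshi describes above can be checked on a given machine before deciding whether a 32-bit host exe is enough. The following PowerShell script is an added example, not code from the thread or from madCodeHook: it reports the OS bitness, the bitness of the PowerShell process it runs in, and, for every running process, whether that process is WOW64 (32-bit) or native 64-bit, then marks the 64-bit ones that a 32-bit caller cannot reach with CreateRemoteThread(). It assumes a 64-bit Windows host; the P/Invoke declarations (OpenProcess, IsWow64Process, CloseHandle) are the documented kernel32 signatures, and PROCESS_QUERY_LIMITED_INFORMATION is used so the query also succeeds for processes that refuse broader access.

```powershell
# Added example (not part of the thread or of madCodeHook): inventory the
# bitness of running processes to see which ones a 32-bit exe could not
# address via CreateRemoteThread() on a 64-bit OS.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)] out bool wow64Process);

[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool CloseHandle(IntPtr hObject);
"@

# Minimal access right needed for IsWow64Process on Vista and later.
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Get-ProcessBitness {
    param([int]$ProcessId)
    # On a 32-bit OS every process is 32-bit; IsWow64Process only says
    # something useful on x64, where WOW64 = 32-bit process, not WOW64 = 64-bit.
    if (-not [Environment]::Is64BitOperatingSystem) { return 32 }
    $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }   # access denied, e.g. protected process
    try {
        $wow64 = $false
        if (-not [Win32.Native]::IsWow64Process($h, [ref]$wow64)) { return $null }
        if ($wow64) { 32 } else { 64 }
    } finally {
        [void][Win32.Native]::CloseHandle($h)
    }
}

$osBits     = if ([Environment]::Is64BitOperatingSystem) { 64 } else { 32 }
$callerBits = if ([Environment]::Is64BitProcess) { 64 } else { 32 }
"OS: {0}-bit, this PowerShell process: {1}-bit" -f $osBits, $callerBits

Get-Process | ForEach-Object {
    $bits = Get-ProcessBitness -ProcessId $_.Id
    [pscustomobject]@{
        Name    = $_.ProcessName
        Id      = $_.Id
        Bitness = if ($null -eq $bits) { 'n/a' } else { $bits }
        # madshi's point: a 32-bit caller cannot CreateRemoteThread() into a 64-bit target.
        BlockedFor32BitCaller = if ($null -eq $bits) { 'unknown' } elseif ($bits -eq 64) { 'yes' } else { 'no' }
    }
} | Sort-Object Name | Format-Table -AutoSize
```

Run it from a 32-bit PowerShell (SysWOW64) and from a 64-bit one to see the difference madshi describes: the OS line and the per-process bitness stay the same, since the driver side is tied to the OS, while the caller bitness is what decides whether part (1), the CreateRemoteThread()-based pass over already running processes, can reach the rows marked "yes". Rows showing "n/a" are processes the current user could not open even with the limited right, which is normal for protected and other-session processes.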
nemo314
Posts: 6
Joined: Sun May 04, 2014 11:30 am

Re: confuse about modify sources of madcodehook

Post by nemo314 »

Thanks for the reply.