How to create a thread in injected process?

c++ / delphi package - dll injection and api hooking
Fengyun
Posts: 8
Joined: Wed Apr 09, 2014 10:03 am

How to create a thread in injected process?

Post by Fengyun »

hi, madshi, I want to create a thread in the injected process to do some work.
I want to create the thread in the DllMain function, but MS says don't create threads in DllMain.
When is it suitable to do this?

I see some injected DLLs export functions, but madCodeHook's demo DLL has no exported functions.
I want to know, for these injected DLLs with exported functions, how are these functions called? Who will call them?

thank you!
sorry, my English is very poor.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to create a thread in injected process?

Post by madshi »

About threads: See hooking rule #9:

http://help.madshi.net/HookingRules.htm

I generally recommend against creating threads in your hook dll (inside or outside of DllMain). But it depends a bit on the situation: If you inject your hook dll system/session wide into all running processes, then creating a thread in your hook dll is dangerous. Why? Because the target process will get a DLL_THREAD_ATTACH event for your thread. Some applications might react to that event and then could get confused if you create a private thread in your hook dll. Such applications might see your thread and think it's the application's private thread, and then maybe create a window in the context of your thread, or stuff like that.

Another big problem with threads in hook dlls is how to close them down properly when your hook dll gets uninjected. That is really difficult, because in DllMain you cannot wait for the thread to shut down. The thread will not shut down while another thread is in DllMain, so if you wait for your private thread to end in DllMain, you'll wait forever (deadlock). If you *don't* wait for your thread to end in DllMain, and if your thread continues to run after your dll was already freed, then your thread will crash with an access violation.

If you inject your hook dll only into some specific processes, then the "hooking rules" (mentioned above) can be relaxed a little. In that case maybe creating a thread in your dll is ok. But you'll still have to worry about how to close the thread down properly when your hook dll is getting uninjected.

-------

In Windows every process is totally separate from each other. So if you inject a dll with exported functions into process A, then only process A can call the exported functions (by using GetModuleHandle() + GetProcAddress()). If you inject a dll system/session wide then each process will load a separate copy of your hook dll. Each process can then call the exported functions of the copy of your hook dll which is loaded in the process. But if you want to use that method, please understand that each copy of your hook dll loaded in all the various processes is totally separated from each other. They don't communicate with each other, and they don't share variables or other data sections - unless you implement communication or data sharing manually yourself.

There's one "trick" for how you can call the exported function of a hook dll injected into another process: The trick is using CreateRemoteThread(), which will create a new thread in the context of the other process. You would then use the address of the exported function of the injected dll in the other process as the entry point / thread proc of the remote thread. However, this is kinda difficult to use: You'd need to find out the address of the exported function yourself, and you can't use GetProcAddress for that, because the dll is not loaded in *your* process and GetProcAddress only works for dlls in your process. Furthermore, the remote thread will really run in the context of the other process, so the remote thread cannot easily send some results back to you. Finally, the exported function would have to have the right calling convention and parameters for this all to work.
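The deadlock madshi describes (waiting in DllMain for a private thread whose exit path itself needs the loader lock) can be modelled without Windows. The following is an added example, not code from the thread, from madshi or from madCodeHook: it stands in the Windows loader lock with a std::mutex, lets the worker's exit path take that lock (as a real thread exit does when DLL_THREAD_DETACH is delivered), and compares waiting for the worker inside a simulated DllMain against stopping it from an explicit shutdown call made before the dll is uninjected. All names (g_loaderLock, WorkerProc, WaitForWorkerInsideDllMain, StopWorkerBeforeUninject) are constructed for this model.

```cpp
#include <atomic>
#include <chrono>
#include <cstdio>
#include <mutex>
#include <thread>

using namespace std::chrono_literals;

// Constructed model of the Windows loader lock: held while any DllMain runs,
// and needed by a thread's exit path (DLL_THREAD_DETACH notification).
static std::mutex g_loaderLock;

// State of the simulated hook dll's private worker thread.
static std::atomic<bool> g_stopRequested{false};
static std::atomic<bool> g_workerExited{false};

// The private worker. Its exit path must take the loader lock, just as a real
// thread exit delivers DLL_THREAD_DETACH under the loader lock.
static void WorkerProc() {
    while (!g_stopRequested.load())
        std::this_thread::sleep_for(1ms);
    std::lock_guard<std::mutex> detach(g_loaderLock);  // DLL_THREAD_DETACH
    g_workerExited.store(true);
}

// Scenario 1 (the anti-pattern): DLL_PROCESS_DETACH holds the loader lock and
// waits for the worker to finish. The worker cannot finish because its exit
// path needs the same lock, so the wait only ends at the deadline.
// Returns true if the worker exited in time; the model returns false.
bool WaitForWorkerInsideDllMain(std::chrono::milliseconds deadline) {
    g_stopRequested.store(false);
    g_workerExited.store(false);
    std::thread worker(WorkerProc);
    bool exited;
    {
        std::lock_guard<std::mutex> dllMain(g_loaderLock);  // inside DllMain
        g_stopRequested.store(true);
        auto until = std::chrono::steady_clock::now() + deadline;
        while (!g_workerExited.load() && std::chrono::steady_clock::now() < until)
            std::this_thread::sleep_for(1ms);
        exited = g_workerExited.load();
    }
    // Loader lock released: only now can the worker leave. Join solely to
    // clean up the model; a real DllMain never gets here in time.
    worker.join();
    return exited;
}

// Scenario 2 (the workable pattern): an explicit shutdown function, called by
// the injecting side before the dll is uninjected, stops and joins the worker
// while no DllMain is running. DLL_PROCESS_DETACH then has nothing to wait for.
bool StopWorkerBeforeUninject() {
    g_stopRequested.store(false);
    g_workerExited.store(false);
    std::thread worker(WorkerProc);
    g_stopRequested.store(true);
    worker.join();  // worker takes the loader lock for DLL_THREAD_DETACH unhindered
    bool exited = g_workerExited.load();
    {
        std::lock_guard<std::mutex> dllMain(g_loaderLock);  // DLL_PROCESS_DETACH
        // nothing to wait for here
    }
    return exited;
}

int main() {
    bool insideDllMain = WaitForWorkerInsideDllMain(200ms);
    bool beforeUninject = StopWorkerBeforeUninject();
    std::printf("wait inside DllMain: worker exited = %s (deadlock)\n",
                insideDllMain ? "true" : "false");
    std::printf("stop before uninject: worker exited = %s\n",
                beforeUninject ? "true" : "false");
    return 0;
}
```

The model deliberately bounds the wait in scenario 1 so the program terminates; a real DllMain that joins its thread has no such deadline and hangs the process. It also only covers the deadlock half of the rule: the other half (a thread that keeps running after FreeLibrary and faults on unmapped code) is why the shutdown in scenario 2 must complete before the dll is unloaded, not merely be signalled.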
Fengyun
Posts: 8
Joined: Wed Apr 09, 2014 10:03 am

Re: How to create a thread in injected process?

Post by Fengyun »

thank you.

Can I call SendIpcMessage in DllMain DLL_PROCESS_ATTACH?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to create a thread in injected process?

Post by madshi »

Yes, you can. I'd suggest setting the "handleMessages" parameter to "false", though.
Fengyun
Posts: 8
Joined: Wed Apr 09, 2014 10:03 am

Re: How to create a thread in injected process?

Post by Fengyun »

thank you!
But I still have a question.

// send an ipc message to whomever has created the ipc queue (doesn't matter)
// if you only fill the first 3 parameters, SendIpcMessage returns at once
// if you fill the next two parameters, too, SendIpcMessage will
// wait for an answer of the ipc queue owner
// you can further specify how long you're willing to wait for the answer
// and whether you want SendIpcMessage to handle messages while waiting
madCHookApi(BOOL) SendIpcMessage(
LPCSTR pIpc,
PVOID pMessageBuf,
DWORD dwMessageLen,
#ifdef __cplusplus
PVOID pAnswerBuf = NULL,
DWORD dwAnswerLen = 0,
DWORD dwAnswerTimeOut = INFINITE,
BOOL bHandleMessage = TRUE
#else
PVOID pAnswerBuf,
DWORD dwAnswerLen,
DWORD dwAnswerTimeOut,
BOOL bHandleMessage
#endif
);

if my call is: SendIpcMessage("ipc_name", buf, nBufLen, NULL, 0, INFINITE), I don't fill the pAnswerBuf and dwAnswerLen variables, but set dwAnswerTimeOut to INFINITE; does the call
return immediately or wait for the message to be handled?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to create a thread in injected process?

Post by madshi »

If you leave pAnswerBuf/dwAnswerLen empty, the SendIpcMessage() call should return immediately and not wait for any sort of reply. The dwAnswerTimeOut and bHandleMessage parameters should be ignored in that case.