Hey everyone,
I need to inject a process as soon as it is being created and finish the hooking process before anything in the injected process occurs.
I inject using the injection driver so that shouldn't be a problem, but until I finish the hooking process, some time passes and I might miss an important call I need. So I am looking for a way to finish the "init" of my DLL as soon as possible.
When the injected DLL is being loaded, in the DLLMain I create another thread that executes the whole hooking process (and other initializations).
One approach I thought about is to suspend all the threads but the one I am initializing. But in this approach there's still a race, and it does sound a bit risky and extreme.
I was hoping anyone here might have a better idea, so anyone here might have a better idea???
Thanks!
Injecting and hooking at the earliest possible
Re: Injecting and hooking at the earliest possible
Your thread will not execute until DLLMain returns, even then the priority and initialization time of its execution is determined by the thread scheduler. If you need things done outside of DLLMain and before the process enters its entry point you should consider TLS or queue an APC to an existing thread. Assuming said process hasn't executed its entry point yet then it will flush a thread's APC queue before it does so
--Iconic
--Iconic
Re: Injecting and hooking at the earliest possible
There are 2 totally different DLL injection paths in madCodeHook:
(1) In the moment when you start injection, madCodeHook opens all running processes and injects your hook DLL into them. These processes have already been running for quite a while, so you'll probably already have missed tons of API calls. Nothing you can do about it. Your hook DLL is loaded by a remote thread and there's not much you can do to speed up API hook installation.
(2) Processes which are started after your DLL injection was activated are handled by the madCodeHook kernel mode driver. These processes behave as if they had a LoadLibrary(YourHook.dll) call as the first source code line in their exe. At the moment when your hook dll is loaded by these processes, there's almost always only one thread running - the very thread which loads your hook dll! So the best you can do is simply install all your API hooks in DllMain, the same way all the madCodeHook demos do it. Your hook DLL will be fully loaded and all API hooks installed before any code of the EXE is executed. *However*, statically linked DLLs will load and initialize before your hook DLL is loaded. So if a statically linked DLL calls some of those APIs you want to hook in their DllMain, you'll miss that, unfortunately. Nothing you can do about that, at the moment. DO NOT move your API hook installation to a separate thread - that will actually do the opposite of what you want, because your secondary thread won't start until much later in the process initialization sequence (as iconic already explained).
(1) In the moment when you start injection, madCodeHook opens all running processes and injects your hook DLL into them. These processes have already been running for quite a while, so you'll probably already have missed tons of API calls. Nothing you can do about it. Your hook DLL is loaded by a remote thread and there's not much you can do to speed up API hook installation.
(2) Processes which are started after your DLL injection was activated are handled by the madCodeHook kernel mode driver. These processes behave as if they had a LoadLibrary(YourHook.dll) call as the first source code line in their exe. At the moment when your hook dll is loaded by these processes, there's almost always only one thread running - the very thread which loads your hook dll! So the best you can do is simply install all your API hooks in DllMain, the same way all the madCodeHook demos do it. Your hook DLL will be fully loaded and all API hooks installed before any code of the EXE is executed. *However*, statically linked DLLs will load and initialize before your hook DLL is loaded. So if a statically linked DLL calls some of those APIs you want to hook in their DllMain, you'll miss that, unfortunately. Nothing you can do about that, at the moment. DO NOT move your API hook installation to a separate thread - that will actually do the opposite of what you want, because your secondary thread won't start until much later in the process initialization sequence (as iconic already explained).