madCodeHook2 doesn't hook API in 32bit process on Win7 x64

c++ / delphi package - dll injection and api hooking

Post by Overnissen »

Dear madshi,

First, thank you, I'm a big fan and faithful believer in your software; it's probably the coolest piece of code I have ever come across.

Now, I've made a small 32-bit .dll for injecting into processes, with the purpose of hooking onto the "gethostbyname" export in Winsock (wsock32.dll) and Winsock2 (ws2_32.dll).

My challenge here is that it works absolute wonders on my dev machine, a 32-bit Win7 VMware machine: it injects the .dll no problem, I can call the "SetHooks" export in the context of the remote process and it hooks the "gethostbyname" API call, no problemo.

Now, if I copy the files over to my host machine, an x64 system running Windows 7 as well, suddenly it doesn't work anymore.

I can inject the .dll and I can call the "SetHooks" export in it (I have set up IPC messaging to tell me the result of the HookAPI calls), but suddenly it doesn't hook the APIs anymore: the hooking functionality is not there and the HookAPI call returns false.

I have tried to just load the .dll from the test application and hook the APIs for just my local process, that does not work either.

The dev machine is Win7, no antivirus, no antimalware or anything like that; the Delphi version is XE5.

Could you help me out a little here with a hint or two?
Post by iconic (Site Admin) »

If you're injecting a hook DLL on a 64-bit OS you should be using a 64-bit process to do this. You'll need to recompile your hook DLL to support both 32-bit and 64-bit Windows and then inject them both if you want to hook processes of both bit depths.

--Iconic

Post by Overnissen »

Iconic,

Thank you for your reply, but I don't quite understand why.

The code works running the hooking app and the test app on a 32-bit OS; now if I move the same apps and the same hooking .dll to a 64-bit environment, suddenly it doesn't hook the APIs anymore.

I get the .dll injected and the .dll self-initialises upon process attach and attempts to set the hooks.

I agree completely that in the future I would have the hooking .dlls compiled for both bit depths and my injecting process should be a 64-bit process, but right now I'm making some prototyping code to figure out how to do this, and it should, by all intents and purposes, be possible for a 32-bit process to inject a 32-bit .dll into another 32-bit process and have it hook the 'gethostbyname' and 'getaddrinfo' exports from the Winsock APIs.

/Overnissen
Post by madshi (Site Admin) »

madCodeHook 2 is really outdated. It's still supposed to work, but support for 64-bit OSs is very limited. It might work, if you're lucky, or not. For full 64-bit support please use madCodeHook 3.

Anyway. Do the HookAPI() calls succeed? If they fail, what does GetLastError() say?
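An added example, not code from this thread or from madshi's madCodeHook package: a self-initialising 32-bit hook DLL for gethostbyname in the shape the thread discusses, which sets its hooks when the DLL is attached to a process, removes them when it is detached, and reports every failed HookAPI call together with GetLastError, which is the diagnostic asked for above. The HookAPI/UnhookAPI signatures and the `@NextHook` calling style are recalled from the madCodeHook documentation and are an assumption to check against the madCodeHook.pas you ship; the Report procedure stands in for the poster's IPC channel.

```delphi
library GetHostByNameHook;

{ Added example; not code from this thread or from the madCodeHook package.
  Assumptions: HookAPI(module, api: PAnsiChar; callbackFunc: pointer;
  out nextHook: pointer; flags: dword = 0): boolean and
  UnhookAPI(var nextHook: pointer): boolean, called with @NextHookVar as in
  the madCodeHook docs; both are from memory and should be verified. }

uses
  System.SysUtils,
  Winapi.Windows,
  Winapi.Winsock,    // PHostEnt
  madCodeHook;

type
  // struct hostent* WSAAPI gethostbyname(const char* name)
  TGetHostByName = function(name: PAnsiChar): PHostEnt; stdcall;

var
  // Filled in by HookAPI; calling through them reaches the original export
  // (or the next hook in the chain). One per module, as the thread hooks both.
  NextGetHostByNameWs2: TGetHostByName = nil;   // ws2_32.dll
  NextGetHostByNameWsk: TGetHostByName = nil;   // wsock32.dll

// Stand-in for the thread's IPC channel back to the injecting application.
procedure Report(const msg: string);
begin
  OutputDebugString(PChar('[gethostbyname hook] ' + msg));
end;

function GetHostByNameWs2Callback(name: PAnsiChar): PHostEnt; stdcall;
begin
  Report('ws2_32!gethostbyname(' + string(AnsiString(name)) + ')');
  Result := NextGetHostByNameWs2(name);   // always pass the call on
end;

function GetHostByNameWskCallback(name: PAnsiChar): PHostEnt; stdcall;
begin
  Report('wsock32!gethostbyname(' + string(AnsiString(name)) + ')');
  Result := NextGetHostByNameWsk(name);
end;

procedure SetHooks;
begin
  // A false result is the symptom from the first post; GetLastError is the
  // detail madshi asks for when that happens.
  if not HookAPI('ws2_32.dll', 'gethostbyname', @GetHostByNameWs2Callback, @NextGetHostByNameWs2) then
    Report('HookAPI(ws2_32!gethostbyname) failed, GetLastError=' + IntToStr(GetLastError));
  // On current Windows versions wsock32's gethostbyname is a forwarder to
  // ws2_32, so this second hook may be redundant; it is kept because the
  // thread hooks both modules.
  if not HookAPI('wsock32.dll', 'gethostbyname', @GetHostByNameWskCallback, @NextGetHostByNameWsk) then
    Report('HookAPI(wsock32!gethostbyname) failed, GetLastError=' + IntToStr(GetLastError));
end;

procedure RemoveHooks;
begin
  if Assigned(NextGetHostByNameWs2) then UnhookAPI(@NextGetHostByNameWs2);
  if Assigned(NextGetHostByNameWsk) then UnhookAPI(@NextGetHostByNameWsk);
end;

// Also exported, so an injector can (re)apply the hooks explicitly as the
// original "SetHooks" export in the thread does.
exports
  SetHooks, RemoveHooks;

// The library's main block runs during DLL_PROCESS_ATTACH, so the hooks are
// in place as soon as the DLL is loaded; the exit procedure runs at
// DLL_PROCESS_DETACH. Keep the callbacks short: they run inside the target.
begin
  SetHooks;
  AddExitProc(RemoveHooks);
end.
```

Build this as a 32-bit DLL for 32-bit targets and as a 64-bit DLL for 64-bit targets; the same source compiles for both, but one binary cannot serve both bit depths.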

Post by Overnissen »

Yes, you're right, I probably should update to madCodeHook3.

I've sent you an email regarding upgrading from my 11-year-old 2-user license for madCollection; all I need for now would be a single-user upgrade to madCodeHook3.

I did manage to make it work. I can't really recall the nitty-gritty details; some of it was probably me not understanding the documentation correctly, or me not paying enough attention to whether I was attempting to hook a 64-bit or a 32-bit process from a 32-bit executable at the time of testing, but the init() problem I solved by making the .dll self-initializing: upon process_attach it would set the hooks and remove them upon process_detach. Works like a charm. ;)

It works quite reliably on Win7 32/64-bit as well as Windows 8 64-bit, no problem, so I'd have to say that madCodeHook isn't in such bad shape as portrayed, just sayin'.

In madCodeHook3, if I DON'T need system-wide hooking, but only need to hook processes running under the same user's context as the hooking application (user running application, application starting other applications and hooking them, all in user land), I won't need a signing certificate, will I?
Post by madshi (Site Admin) »

The signing certificate is needed if you want to make use of the injection driver. The injection driver is needed if you want to use any sort of user/session/system wide DLL injection. Without the driver you can still inject your hook dll, but only into one process at a time (by providing madCodeHook with a valid process handle).
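An added example, not code from this thread or from madshi's madCodeHook package: the driver-less, one-process-at-a-time injection described in the reply above, guarded by the bitness check that the 32-bit-on-Win7-x64 failure earlier in the thread calls for. It reads the hook DLL's COFF Machine field to learn whether it is a 32- or 64-bit image, asks Windows (IsWow64Process) whether the target runs 32-bit code, and refuses to inject when DLL, target and injector do not agree. Assumptions: the `InjectLibrary(processHandle, libFileName)` overload as recalled from the madCodeHook documentation, that PROCESS_ALL_ACCESS covers the handle rights madCodeHook needs, and that IsWow64Process and TImageDosHeader/TImageFileHeader are declared in Winapi.Windows as they are in XE5.

```delphi
program InjectHookDll;

{$APPTYPE CONSOLE}

{ Added example; not code from this thread or from the madCodeHook package.
  Assumption: madCodeHook exposes
  InjectLibrary(processHandle, libFileName: PChar; timeOut: dword = 7000): boolean
  for per-process injection without the driver; verify against madCodeHook.pas. }

uses
  System.SysUtils,
  System.Classes,
  Winapi.Windows,
  madCodeHook;

const
  // COFF Machine values (IMAGE_FILE_MACHINE_I386 / IMAGE_FILE_MACHINE_AMD64)
  MACHINE_I386  = $014C;
  MACHINE_AMD64 = $8664;

// Reads the COFF header of a PE file and returns its Machine field, so the
// injector can tell a 32-bit hook DLL (PE32) from a 64-bit one (PE32+).
function PeMachine(const fileName: string): word;
var
  fs: TFileStream;
  dos: TImageDosHeader;
  sig: dword;
  coff: TImageFileHeader;
begin
  fs := TFileStream.Create(fileName, fmOpenRead or fmShareDenyWrite);
  try
    fs.ReadBuffer(dos, SizeOf(dos));
    if dos.e_magic <> IMAGE_DOS_SIGNATURE then
      raise Exception.Create('not a PE file: ' + fileName);
    fs.Position := dos._lfanew;           // offset of the "PE\0\0" signature
    fs.ReadBuffer(sig, SizeOf(sig));
    if sig <> IMAGE_NT_SIGNATURE then
      raise Exception.Create('bad PE signature: ' + fileName);
    fs.ReadBuffer(coff, SizeOf(coff));    // COFF header follows the signature
    Result := coff.Machine;
  finally
    fs.Free;
  end;
end;

// True when the process behind hProcess runs 32-bit code: every process on
// 32-bit Windows, or a WOW64 process on 64-bit Windows. A 32-bit injector
// that is itself not under WOW64 must be running on 32-bit Windows.
function ProcessIs32Bit(hProcess: THandle): boolean;
var
  selfWow64, targetWow64: BOOL;
begin
  if SizeOf(Pointer) = 4 then
  begin
    if not IsWow64Process(GetCurrentProcess, selfWow64) then RaiseLastOSError;
    if not selfWow64 then Exit(True);   // 32-bit OS: no WOW64 layer at all
  end;
  if not IsWow64Process(hProcess, targetWow64) then RaiseLastOSError;
  Result := targetWow64;
end;

function Bits(is32: boolean): string;
begin
  if is32 then Result := '32' else Result := '64';
end;

// Injects dllPath into pid only when DLL, target and injector bitness agree.
function InjectChecked(pid: dword; const dllPath: string): boolean;
var
  hProc: THandle;
  machine: word;
  dll32, target32: boolean;
begin
  machine := PeMachine(dllPath);
  dll32 := machine = MACHINE_I386;
  if (not dll32) and (machine <> MACHINE_AMD64) then
    raise Exception.CreateFmt('unsupported machine type 0x%.4x', [machine]);
  // PROCESS_ALL_ACCESS is assumed to cover what madCodeHook needs on the handle.
  hProc := OpenProcess(PROCESS_ALL_ACCESS, False, pid);
  if hProc = 0 then RaiseLastOSError;
  try
    target32 := ProcessIs32Bit(hProc);
    if dll32 <> target32 then
    begin
      Writeln(Format('bitness mismatch: DLL is %s-bit, pid %d is %s-bit',
        [Bits(dll32), pid, Bits(target32)]));
      Exit(False);
    end;
    if (not target32) and (SizeOf(Pointer) = 4) then
    begin
      Writeln('target is 64-bit: run the 64-bit build of this injector instead');
      Exit(False);
    end;
    Result := InjectLibrary(hProc, PChar(dllPath));
    if not Result then
      Writeln('InjectLibrary failed, GetLastError=', GetLastError);
  finally
    CloseHandle(hProc);
  end;
end;

begin
  try
    if ParamCount <> 2 then
      Writeln('usage: InjectHookDll <pid> <full path to hook dll>')
    else if InjectChecked(StrToInt(ParamStr(1)), ParamStr(2)) then
      Writeln('injected');
  except
    on E: Exception do Writeln(E.ClassName, ': ', E.Message);
  end;
end.
```

Pass the hook DLL as a full path, since it is loaded in the target's context and not relative to the injector's working directory. Build the injector twice, 32-bit and 64-bit, and pair each with the matching hook DLL; the bitness check then fails fast with a readable reason instead of the silent "HookAPI returns false" seen at the start of the thread.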