dll injection for the WTSAPI32.DLL's functions

Postby dmz498 » Tue Sep 27, 2016 6:45 am

Hi,

I want to hook the WTSQuerySessionInformationW function using MadCodeHook 3.1.11.
All of the WTSAPI32.DLL's functions don't seem to be hooked with MadCodeHook. Is there any reason why those functions aren't hooked?

May I know how to hook those functions with MadCodeHook?


I used HookAPI; functions for kernel32.dll, user32.dll and winsta.dll were hooked and called properly.

code:
HookAPI("wtsapi32.dll", "WTSQuerySessionInformationW", HookWTSQuerySessionInformationW, (PVOID *)&RealWTSQuerySessionInformationW);

1. use HookAPI "WTSQuerySessionInformationW"
2. I checked the injected dll using process explorer (sysinternals)
3. When my test app calls WTSQuerySessionInformationW, HookWTSQuerySessionInformationW isn't called.

Last edited by dmz498 on Tue Sep 27, 2016 7:31 am, edited 2 times in total.
dmz498
 
Posts: 4
Joined: Tue Sep 27, 2016 6:28 am

Re: dll injection for the WTSAPI32.DLL's functions

Postby iconic » Tue Sep 27, 2016 7:02 am

@dmz,

Are you using HookAPI() or HookCode()? From what I see, HookCode() will fail if the module containing the to-be-hooked API is not already loaded whereas HookAPI() will succeed regardless, on return. Post your pertinent code please so we can see what you're doing exactly

--Iconic
iconic
 
Posts: 808
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Postby madshi » Tue Sep 27, 2016 7:14 am

If you're using HookAPI() and if it fails, please also call GetLastError() afterwards and let us know the result.

Some users tried doing "if HookAPI() == 1". I hope you're not doing that to test for success?
madshi
Site Admin
 
Posts: 9411
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Postby iconic » Tue Sep 27, 2016 7:21 am

In that case BOOL(TRUE) can be, and usually is, -1 depending on the compiler settings; that's why you shouldn't test for an integral value explicitly, and should instead check for non-zero to determine TRUE.

--Iconic
iconic
 
Posts: 808
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Postby madshi » Tue Sep 27, 2016 7:24 am

Thought BOOL(EAN) was always 1 in MSVC++. Good to know it can be -1 in MSVC++, too. For some reason Delphi uses -1. Of course you're right that the proper way to check for a boolean is to test for non-zero. Or in MSVC++ simply "if (SomeBoolValueOrBoolReturningFunction)".
madshi
Site Admin
 
Posts: 9411
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Postby iconic » Tue Sep 27, 2016 7:27 am

@dmz,

Check param 3, you're missing an &

--Iconic
iconic
 
Posts: 808
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Postby madshi » Tue Sep 27, 2016 7:33 am

The & usually isn't needed there. My demos don't have it, either.

@dmz498, how do you check if the API hook works or doesn't work? Are you testing the HookAPI() return value at all? Or why did you come to the conclusion that the API hooks don't seem to be working?
madshi
Site Admin
 
Posts: 9411
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Postby iconic » Tue Sep 27, 2016 7:45 am

As you previously mentioned, if it's failing he can post the GetLastError code, which could help. & is optional, but we've yet to see what his callback looks like or how it's set up.

--Iconic
iconic
 
Posts: 808
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Postby madshi » Tue Sep 27, 2016 7:48 am

I'm getting the impression dmz498 isn't checking the HookAPI() return value at all, but the hook callback function simply isn't called, although dmz498 expects it to. Which could have a multitude of different reasons, the simplest one being that no one actually called the hooked API.
madshi
Site Admin
 
Posts: 9411
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Postby iconic » Tue Sep 27, 2016 7:51 am

He is saying his app is indeed calling WTSQuerySessionInformation; even the ANSI version will call WTSQuerySessionInformationW, as you know. Hmmmm

--Iconic
iconic
 
Posts: 808
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Postby dmz498 » Tue Sep 27, 2016 8:04 am

I'm sorry for the late reply.
I checked; the return value is (-1).

=> how do you check if the API hook works or doesn't work?
So, I hooked both winsta.dll's WinStationQueryInformationW and WTSQuerySessionInformationW. [I guess WinStationQueryInformationW is a subroutine of WTSQuerySessionInformationW.]
When calling WTSQuerySessionInformationW from the test app, only HookWinStationQueryInformationW was called properly.

Thank you for the reply.
dmz498
 
Posts: 4
Joined: Tue Sep 27, 2016 6:28 am

Re: dll injection for the WTSAPI32.DLL's functions

Postby madshi » Tue Sep 27, 2016 8:24 am

"-1" means success. However, if at the time you called HookAPI() the "wtsapi32.dll" wasn't loaded yet, HookAPI() will always return success because it can't know yet if installing the API hook will work or not.

Try calling LoadLibrary('wtsapi32.dll') before calling HookAPI(). Does HookAPI() still return -1 if you do that? And does the API hook work in that case?
madshi
Site Admin
 
Posts: 9411
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Postby iconic » Tue Sep 27, 2016 8:25 am

WTSQuerySessionInformationW is ONLY exported from wtsapi32.dll and WinStationQueryInformationW is ONLY exported from winsta.dll - not the same dll involving both routines

--Iconic
iconic
 
Posts: 808
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Postby dmz498 » Tue Sep 27, 2016 8:32 am

iconic wrote:WTSQuerySessionInformationW is ONLY exported from wtsapi32.dll and WinStationQueryInformationW is ONLY exported from winsta.dll - not the same dll involving both routines

--Iconic

I already know that. So, I used it instead of WTSQuerySessionInformationW.
Thanks.
dmz498
 
Posts: 4
Joined: Tue Sep 27, 2016 6:28 am

Re: dll injection for the WTSAPI32.DLL's functions

Postby dmz498 » Tue Sep 27, 2016 8:35 am

madshi wrote:"-1" means success. However, if at the time you called HookAPI() the "wtsapi32.dll" wasn't loaded yet, HookAPI() will always return success because it can't know yet if installing the API hook will work or not.

Try calling LoadLibrary('wtsapi32.dll') before calling HookAPI(). Does HookAPI() still return -1 if you do that? And does the API hook work in that case?


After calling LoadLibrary, the hook is working properly.

Thank you...
dmz498
 
Posts: 4
Joined: Tue Sep 27, 2016 6:28 am
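The fix madshi describes (load the module before HookAPI(), then check the result for non-zero rather than for 1, and read GetLastError() on failure) put together as one hook DLL. This is an added example, not code from this thread, from madCodeHook's demos or from the library itself; it is written in Delphi because that is the other language the madCodeHook package targets. InstallWtsHook, the callback name and the WTSQuerySessionInformationW prototype are my own; the HookAPI call follows the form used in madCodeHook's documentation, and the hook does nothing beyond logging and passing the call through.

```delphi
library WtsHookDemo;

{ Added example (not from the thread or from madCodeHook): a hook DLL that
  loads wtsapi32.dll before calling HookAPI, so the return value reflects a
  real hook attempt instead of a deferred one. InstallWtsHook and the
  callback name are my own; the HookAPI call follows the form shown in
  madCodeHook's documentation. }

uses
  Windows, SysUtils, madCodeHook;

type
  // Win32 prototype of WTSQuerySessionInformationW; WTS_INFO_CLASS is an
  // int-sized enum, so it is passed as an integer here.
  TWTSQuerySessionInformationW = function (hServer: THandle; SessionId: DWORD;
    WTSInfoClass: integer; ppBuffer: PPWideChar; pBytesReturned: PDWORD): BOOL; stdcall;

var
  // Receives the "next hook" (the original function) from HookAPI.
  RealWTSQuerySessionInformationW: TWTSQuerySessionInformationW = nil;

// Hook callback: same signature and calling convention as the original.
// It only logs the call and then passes it through unchanged.
function HookWTSQuerySessionInformationW(hServer: THandle; SessionId: DWORD;
  WTSInfoClass: integer; ppBuffer: PPWideChar; pBytesReturned: PDWORD): BOOL; stdcall;
begin
  OutputDebugString(PChar(Format('WTSQuerySessionInformationW(session %d, class %d)',
    [SessionId, WTSInfoClass])));
  Result := RealWTSQuerySessionInformationW(hServer, SessionId, WTSInfoClass,
    ppBuffer, pBytesReturned);
end;

// Installs the hook and returns True only when HookAPI reported success for
// a module that was actually loaded at the time of the call.
function InstallWtsHook: boolean;
var
  hMod: HMODULE;
begin
  Result := False;

  // 1. Make sure the target module is loaded first. If it is not, HookAPI
  //    defers the hook and reports success regardless, so the return value
  //    would tell us nothing. The handle is deliberately never freed: the
  //    hook has to stay in place for the lifetime of the process.
  hMod := LoadLibrary('wtsapi32.dll');
  if hMod = 0 then
  begin
    OutputDebugString(PChar('LoadLibrary(wtsapi32.dll) failed, error ' +
      IntToStr(GetLastError)));
    Exit;
  end;

  // 2. Test the BOOL result for non-zero, never for "= 1": Delphi's True is
  //    -1, and MSVC builds can produce -1 as well.
  if HookAPI('wtsapi32.dll', 'WTSQuerySessionInformationW',
             @HookWTSQuerySessionInformationW, @RealWTSQuerySessionInformationW) then
    Result := True
  else
    // 3. On failure, GetLastError explains why.
    OutputDebugString(PChar('HookAPI failed, error ' + IntToStr(GetLastError)));
end;

begin
  InstallWtsHook;
end.
```

The order matters: with the LoadLibrary call removed, HookAPI still returns success for a module that is not loaded yet, which is exactly the situation dmz498 hit, and the callback is never reached. Watching the debug output (for example with DebugView) while the test app calls WTSQuerySessionInformationW is the simplest way to confirm the hook is live.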