dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 6:45 am
by dmz498
Hi,

I want to hook the WTSQuerySessionInformationW function using MadCodeHook 3.1.11.
None of the WTSAPI32.DLL's functions seem to be hooked with MadCodeHook. Is there any reason why those functions aren't hooked?

May I know how to hook those functions with MadCodeHook?


I used HookAPI; functions for kernel32.dll, user32.dll and winsta.dll were hooked and called properly.

code:
HookAPI("wtsapi32.dll", "WTSQuerySessionInformationW", HookWTSQuerySessionInformationW, (PVOID *)&RealWTSQuerySessionInformationW);

1. Use HookAPI for "WTSQuerySessionInformationW".
2. I checked the injected dll using Process Explorer (Sysinternals).
3. When my test app calls WTSQuerySessionInformationW, HookWTSQuerySessionInformationW isn't called.


Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 7:02 am
by iconic
@dmz,

Are you using HookAPI() or HookCode()? From what I see, HookCode() will fail if the module containing the to-be-hooked API is not already loaded, whereas HookAPI() will succeed regardless, on return. Post your pertinent code please so we can see what you're doing exactly.

--Iconic

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 7:14 am
by madshi
If you're using HookAPI() and if it fails, please also call GetLastError() afterwards and let us know the result.

Some users tried doing "if HookAPI() == 1". I hope you're not doing that to test for success?

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 7:21 am
by iconic
In that case BOOL(TRUE) can be, and usually is, -1 depending on the compiler settings; that's why you shouldn't test for an integral value explicitly and should instead check for non-zero to determine TRUE.

--Iconic

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 7:24 am
by madshi
Thought BOOL(EAN) was always 1 in MSVC++. Good to know it can be -1 in MSVC++, too. For some reason Delphi uses -1. Of course you're right that the proper way to check for a boolean is to test for non-zero. Or in MSVC++ simply "if (SomeBoolValueOrBoolReturningFunction)".

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 7:27 am
by iconic
@dmz,

Check param 3, you're missing an &

--Iconic

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 7:33 am
by madshi
The & usually isn't needed there. My demos don't have it, either.

@dmz498, how do you check if the API hook works or doesn't work? Are you testing the HookAPI() return value at all? Or why did you come to the conclusion that the API hooks don't seem to be working?

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 7:45 am
by iconic
As you previously mentioned, if it's failing he can post the GetLastError code, which could help. & is optional, but we've yet to see what his callback looks like or how it's set up.

--Iconic

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 7:48 am
by madshi
I'm getting the impression dmz498 isn't checking the HookAPI() return value at all, but the hook callback function simply isn't called, although dmz498 expects it to. Which could have a multitude of different reasons, the simplest one being that no one actually called the hooked API.

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 7:51 am
by iconic
He is saying his app is indeed calling WTSQuerySessionInformation; even the ANSI version will call WTSQuerySessionInformationW, as you know. Hmmmm

--Iconic

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 8:04 am
by dmz498
I'm sorry for the late reply.
I checked: the return value is (-1).

=> how do you check if the API hook works or doesn't work?
So, I hooked both winsta.dll's WinStationQueryInformationW and WTSQuerySessionInformationW. [I guess WinStationQueryInformationW is a subroutine of WTSQuerySessionInformationW.]
When calling WTSQuerySessionInformationW from the test app, only HookWinStationQueryInformationW was called properly.

Thank you for the reply.

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 8:24 am
by madshi
"-1" means success. However, if at the time you called HookAPI() the "wtsapi32.dll" wasn't loaded yet, HookAPI() will always return success because it can't know yet if installing the API hook will work or not.

Try calling LoadLibrary('wtsapi32.dll') before calling HookAPI(). Does HookAPI() still return -1 if you do that? And does the API hook work in that case?

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 8:25 am
by iconic
WTSQuerySessionInformationW is ONLY exported from wtsapi32.dll and WinStationQueryInformationW is ONLY exported from winsta.dll - not the same dll involving both routines

--Iconic

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 8:32 am
by dmz498
iconic wrote:WTSQuerySessionInformationW is ONLY exported from wtsapi32.dll and WinStationQueryInformationW is ONLY exported from winsta.dll - not the same dll involving both routines

--Iconic
I already know that. So, I used it instead of WTSQuerySessionInformationW.
Thanks.

Re: dll injection for the WTSAPI32.DLL's functions

Posted: Tue Sep 27, 2016 8:35 am
by dmz498
madshi wrote:"-1" means success. However, if at the time you called HookAPI() the "wtsapi32.dll" wasn't loaded yet, HookAPI() will always return success because it can't know yet if installing the API hook will work or not.

Try calling LoadLibrary('wtsapi32.dll') before calling HookAPI(). Does HookAPI() still return -1 if you do that? And does the API hook work in that case?
After calling LoadLibrary, the hook is working properly.

Thank you...