NT DLL hooks not called


Postby remko » Mon Feb 19, 2018 1:04 pm

Using madCodeHook 4.0.4 on Windows 10 (1709), I am launching a process with CreateProcessEx, using the last parameter to inject my DLL.
My launcher, the DLL and the process I am injecting into are all 32-bit.

Launcher:
Code:
    ZeroMemory(@si, SizeOf(si));
    si.cb := SizeOf(si);

    Args := '/SEPERATE';
    UniqueString(Args);
    DllPath := TPath.Combine(TPath.GetDirectoryName(ParamStr(0)), 'HookDll.dll');
    bResult := CreateProcessExW('C:\Windows\SysWOW64\explorer.exe', nil, nil,
      nil, False, 0, nil, 'C:\Windows\SysWOW64', si, pi, PChar(DllPath));


Hook DLL:
Code:
  bResult := HookAPI('User32.dll', 'FindWindowW', @FindWindowWCallBack, @FindWindowWNext);
  OutputDebugString(PChar(Format('!!! HookAPI FindWindowW returned: %s', [BoolToStr(bResult, True)])));

  bResult := HookAPI('ntdll.dll', 'NTQueryInformationProcess', @NTQueryInformationProcessCallBack, @NTQueryInformationProcessNext);
  OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationProcess returned: %s', [BoolToStr(bResult, True)])));

  bResult := HookAPI('ntdll.dll', 'NTQueryInformationToken', @NTQueryInformationTokenCallBack, @NTQueryInformationTokenNext);
  OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationToken returned: %s', [BoolToStr(bResult, True)])));


The hook code is called for FindWindowW, but not for NTQueryInformationToken or NTQueryInformationProcess, even though I can see with API Monitor that those functions are being called.

I have also tried just calling CreateProcess with the suspended flag, then calling InjectLibrary and resuming, but with a similar result.

Any ideas why hooking ntdll doesn't work?
remko
 
Posts: 5
Joined: Tue Jan 31, 2017 2:20 pm

Re: NT DLL hooks not called

Postby madshi » Mon Feb 19, 2018 1:07 pm

The API names are incorrect. It's "Nt" not "NT".
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: NT DLL hooks not called

Postby remko » Mon Feb 19, 2018 1:19 pm

I feel silly now, thanks ;-)

BTW, should HookApi not return False in that case?
remko
 
Posts: 5
Joined: Tue Jan 31, 2017 2:20 pm

Re: NT DLL hooks not called

Postby madshi » Mon Feb 19, 2018 1:42 pm

Yes, it should.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm
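The two points made in this thread, that export names are matched case-sensitively ("Nt", not "NT") and that a hook call returning False must not be ignored, suggest a preflight check that runs before any hook is installed. The following is an added example written for this page; it is not code from the thread and not part of madCodeHook, and the posters' code is Delphi while this is Python. `SAMPLE_EXPORTS` is a constructed list of a few real export names, not a dump of any Windows build, and `diagnose` / `validate_hook_targets` are names chosen here. The Windows-only helper at the end uses the documented kernel32 functions GetModuleHandleW, LoadLibraryW and GetProcAddress via ctypes; everything else runs offline on any platform.

```python
"""Preflight check for API-hook targets (added example, not madCodeHook code).

GetProcAddress, and hooking libraries that resolve targets through it,
compare export names case-sensitively.  "NTQueryInformationProcess" is
therefore simply an unknown name; the real export is
"NtQueryInformationProcess".  Validate the spelling before hooking, and
treat any non-"ok" result as fatal instead of carrying on.
"""
import ctypes
import sys

# Constructed sample of export names, keyed by lower-cased module name.
# These are genuine export names, but this is not a full export table.
SAMPLE_EXPORTS = {
    "user32.dll": ["FindWindowA", "FindWindowW", "MessageBoxA", "MessageBoxW"],
    "ntdll.dll": ["NtQueryInformationProcess", "NtQueryInformationToken", "NtClose"],
}


def diagnose(name, exports):
    """Classify one requested export name against a module's export list.

    Returns ("ok", name) on an exact match, ("case", actual) when the name
    differs from an export only by letter case, ("suffix", candidates) when
    only the A/W suffix is missing, and ("missing", None) otherwise.
    """
    if name in exports:
        return "ok", name
    lowered = {e.lower(): e for e in exports}
    if name.lower() in lowered:
        return "case", lowered[name.lower()]
    candidates = [c for c in (name + "A", name + "W") if c in exports]
    if candidates:
        return "suffix", candidates
    return "missing", None


def validate_hook_targets(targets, export_table):
    """targets: iterable of (module, export); export_table: {module: [names]}.

    Returns a list of (module, export, status, hint) tuples, one per target.
    """
    results = []
    for module, export in targets:
        exports = export_table.get(module.lower(), [])
        status, hint = diagnose(export, exports)
        results.append((module, export, status, hint))
    return results


def all_ok(results):
    """True only if every target resolved exactly; hooking should be gated on this."""
    return all(status == "ok" for _, _, status, _ in results)


def resolve_with_getprocaddress(module, names):
    """Windows-only: ask the loader itself.  Returns {name: address or None}.

    A None address with GetLastError() == 127 (ERROR_PROC_NOT_FOUND) is the
    loader's own verdict that the spelling is wrong.
    """
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.LoadLibraryW.restype = ctypes.c_void_p
    k32.LoadLibraryW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    handle = k32.GetModuleHandleW(module) or k32.LoadLibraryW(module)
    return {n: k32.GetProcAddress(handle, n.encode("ascii")) for n in names}


if __name__ == "__main__":
    # The exact target list from the thread, including the mis-cased names.
    wanted = [
        ("User32.dll", "FindWindowW"),
        ("ntdll.dll", "NTQueryInformationProcess"),
        ("ntdll.dll", "NTQueryInformationToken"),
    ]
    report = validate_hook_targets(wanted, SAMPLE_EXPORTS)
    for module, export, status, hint in report:
        print(f"{module}!{export}: {status}" + (f" -> {hint}" if hint else ""))
    if sys.platform == "win32":
        for module, export, _, _ in report:
            addr = resolve_with_getprocaddress(module, [export])[export]
            print(f"  GetProcAddress({module}, {export}) = {addr}")
    if not all_ok(report):
        sys.exit("refusing to install hooks: fix the export names above first")
```

Run the script as-is to see the two "case" diagnoses for the thread's names; on Windows it also prints the loader's answer, where the mis-cased names come back as None. In the real hook DLL the equivalent is simply to stop when HookAPI returns False rather than to log the result and continue.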
