
NT DLL hooks not called

Posted: Mon Feb 19, 2018 1:04 pm
by remko
Using madCodeHook 4.0.4 on Windows 10 (1709), I am launching a process with CreateProcessEx, with the last parameter injecting my DLL.
My launcher, the dll and the process I am injecting into are all 32 bit.

Launcher:


    ZeroMemory(@si, SizeOf(si));
    si.cb := SizeOf(si);

    Args := '/SEPERATE';
    UniqueString(Args);
    DllPath := TPath.Combine(TPath.GetDirectoryName(ParamStr(0)), 'HookDll.dll');
    bResult := CreateProcessExW('C:\Windows\SysWOW64\explorer.exe', nil, nil,
      nil, False, 0, nil, 'C:\Windows\SysWOW64', si, pi, PChar(DllPath));
Hook DLL:


  bResult := HookAPI('User32.dll', 'FindWindowW', @FindWindowWCallBack, @FindWindowWNext);
  OutputDebugString(PChar(Format('!!! HookAPI FindWindowW returned: %s', [BoolToStr(bResult, True)])));

  bResult := HookAPI('ntdll.dll', 'NTQueryInformationProcess', @NTQueryInformationProcessCallBack, @NTQueryInformationProcessNext);
  OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationProcess returned: %s', [BoolToStr(bResult, True)])));

  bResult := HookAPI('ntdll.dll', 'NTQueryInformationToken', @NTQueryInformationTokenCallBack, @NTQueryInformationTokenNext);
  OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationToken returned: %s', [BoolToStr(bResult, True)])));
The hook code is called for FindWindowW but not for NTQueryInformationToken or NTQueryInformationProcess, even though I can see with API Monitor that those functions are being called.

I have also tried just calling CreateProcess with the suspended flag, then calling InjectLibrary and resuming, but with a similar result.

Any ideas as to why hooking ntdll doesn't work?

Re: NT DLL hooks not called

Posted: Mon Feb 19, 2018 1:07 pm
by madshi
The API names are incorrect. It's "Nt" not "NT".

Re: NT DLL hooks not called

Posted: Mon Feb 19, 2018 1:19 pm
by remko
I feel silly now, thanks ;-)

BTW should HookApi not return False in that case?

Re: NT DLL hooks not called

Posted: Mon Feb 19, 2018 1:42 pm
by madshi
Yes, it should.
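
The two points in this thread (the export name must match exactly, and HookAPI's return value is the signal that it did not) can be made robust with a small pre-check in the hook DLL. The code below is an added example written for this page; it is not from the thread, nor is it madCodeHook's own code. It assumes the `madCodeHook` unit and the HookAPI call shape used in the posts above (module, API name, callback, pointer to the "next" variable); `CheckedHookAPI` and `ExportExists` are names chosen here. GetProcAddress is case-sensitive, so "NTQueryInformationProcess" fails while "NtQueryInformationProcess" resolves, and the failure is logged with the exact name that was passed.

```delphi
unit HookChecks;

interface

uses
  Windows, SysUtils, madCodeHook;

{ True if ModuleName is already loaded in this process and exports ApiName
  with exactly this spelling. GetProcAddress is case-sensitive. }
function ExportExists(const ModuleName, ApiName: AnsiString): Boolean;

{ Wrapper around HookAPI (assumed signature as used in the thread):
  verify the export first, then hook, and log either outcome. }
function CheckedHookAPI(const ModuleName, ApiName: AnsiString;
  CallbackFunc, NextHookVar: Pointer): Boolean;

implementation

function ExportExists(const ModuleName, ApiName: AnsiString): Boolean;
var
  hMod: HMODULE;
begin
  // Deliberately GetModuleHandle, not LoadLibrary: the module must already be
  // mapped in the target for a hook on it to make sense, and a typo in the
  // module name should show up as a failure rather than be papered over.
  hMod := GetModuleHandleA(PAnsiChar(ModuleName));
  Result := (hMod <> 0) and (GetProcAddress(hMod, PAnsiChar(ApiName)) <> nil);
end;

function CheckedHookAPI(const ModuleName, ApiName: AnsiString;
  CallbackFunc, NextHookVar: Pointer): Boolean;
begin
  if not ExportExists(ModuleName, ApiName) then
  begin
    // Log the name exactly as passed so a case error is visible in DebugView.
    OutputDebugString(PChar(Format('!!! %s!%s not found (check spelling and case)',
      [ModuleName, ApiName])));
    Result := False;
    Exit;
  end;

  Result := HookAPI(PAnsiChar(ModuleName), PAnsiChar(ApiName), CallbackFunc, NextHookVar);
  OutputDebugString(PChar(Format('!!! HookAPI %s!%s returned: %s',
    [ModuleName, ApiName, BoolToStr(Result, True)])));
end;

end.

{ Usage from the hook DLL's initialization, mirroring the calls in the thread
  (callback and "next" variables assumed to be declared as in the original):

    CheckedHookAPI('ntdll.dll', 'NtQueryInformationProcess',
      @NtQueryInformationProcessCallBack, @NtQueryInformationProcessNext);

  With the misspelled 'NTQueryInformationProcess' the wrapper returns False
  and logs the "not found" line before HookAPI is ever called. }
```

Because the check runs inside the injected DLL, it also catches the case where the expected module is not loaded in the target yet; in that situation the log line is the first thing to look at before suspecting the hooking engine.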