NT DLL hooks not called
Posted: Mon Feb 19, 2018 1:04 pm
Using madCodeHook 4.0.4 on Windows 10 (1709) I am launching a process with CreateProcessEx with last parameter injecting my dll.
My launcher, the dll and the process I am injecting into are all 32 bit.
Launcher:
ZeroMemory(@si, SizeOf(si));
si.cb := SizeOf(si);
Args := '/SEPERATE';
UniqueString(Args);
DllPath := TPath.Combine(TPath.GetDirectoryName(ParamStr(0)), 'HookDll.dll');
// The last parameter is the DLL to inject into the new process
bResult := CreateProcessExW('C:\Windows\SysWOW64\explorer.exe', nil, nil,
  nil, False, 0, nil, 'C:\Windows\SysWOW64', si, pi, PChar(DllPath));
Hook DLL:
// Install each hook and log the result returned by HookAPI
bResult := HookAPI('User32.dll', 'FindWindowW', @FindWindowWCallBack, @FindWindowWNext);
OutputDebugString(PChar(Format('!!! HookAPI FindWindowW returned: %s', [BoolToStr(bResult, True)])));
bResult := HookAPI('ntdll.dll', 'NTQueryInformationProcess', @NTQueryInformationProcessCallBack, @NTQueryInformationProcessNext);
OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationProcess returned: %s', [BoolToStr(bResult, True)])));
bResult := HookAPI('ntdll.dll', 'NTQueryInformationToken', @NTQueryInformationTokenCallBack, @NTQueryInformationTokenNext);
OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationToken returned: %s', [BoolToStr(bResult, True)])));
The hook code is called for FindWindowW but not for NTQueryInformationToken or NTQueryInformationProcess, even though I can see with API Monitor that those functions are being called.
I have also tried just calling CreateProcess with the suspended flag, then calling InjectLibrary and resuming, but with a similar result.
Any ideas as to why hooking ntdll doesn't work?