Hook mchInjDrv

c++ / delphi package - dll injection and api hooking
linden
Posts: 36
Joined: Tue Mar 08, 2005 9:17 am
Location: Japan


Post by linden »

Hi,
There is a piece of software running in my PC that's doing system wide hooking using the madCodeHook library.
But I don't like it injecting hooks into every process, so I wrote a kernel mode driver to hook mchInjDrv (by monitoring its loading and patching the IAT). I hooked PsSetCreateProcessNotifyRoutine, PsLookupProcessByProcessId, ZwAllocateVirtualMemory, ZwOpenSection, and ObOpenObjectByPointer, and had them all return some unsuccessful status when called. I was able to prevent newly created processes from being injected, but madCodeHook still succeeds in injecting hooks into all currently running processes.... Why??? Aren't you doing all the injection stuff in your driver?
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

The injection into currently running processes is done by using remote threads in user land. The driver is only used for injecting dlls into newly created processes.

Why don't you simply uninstall/delete that program, if you don't like it?
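Added illustration (not code from this thread or from madCodeHook): the user-land path madshi describes, a remote thread created in an already running process whose start routine is LoadLibrary, is exactly what Sysmon records as Event ID 8 (CreateRemoteThread). Kernel-side blocking of process-creation callbacks does nothing against it, so a practitioner who wants to see or catch it looks at those records instead. The scanner below parses Event ID 8 XML and flags threads whose StartFunction is a loader entry point or whose StartAddress lies outside any mapped module. The log records, the injector path `C:\Program Files\HookApp\hookapp.exe` and all other values are constructed sample data, not real telemetry.

```python
# Added example: flag remote-thread DLL injection in Sysmon Event ID 8 records.
# Not madCodeHook code; every event below is constructed sample data.
import xml.etree.ElementTree as ET

# Windows event XML namespace used by the Sysmon Operational log.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Start routines a user-land injector points a remote thread at to make the
# target load a DLL (CreateRemoteThread -> LoadLibrary style injection).
LOADER_ENTRYPOINTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                      "LoadLibraryExW", "LdrLoadDll"}


def make_event8(source_image, target_image, start_module, start_function, start_address):
    """Build a minimal Sysmon Event ID 8 record (constructed sample, reduced field set)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">{source_image}</Data>
    <Data Name="TargetImage">{target_image}</Data>
    <Data Name="StartAddress">{start_address}</Data>
    <Data Name="StartModule">{start_module}</Data>
    <Data Name="StartFunction">{start_function}</Data>
  </EventData>
</Event>"""


# Constructed sample log: a hypothetical hooking app (hookapp.exe) injecting into
# two running processes, plus one module-backed cross-process thread for contrast.
SAMPLE_EVENTS = [
    make_event8(r"C:\Program Files\HookApp\hookapp.exe", r"C:\Windows\System32\notepad.exe",
                r"C:\Windows\System32\KERNEL32.DLL", "LoadLibraryW", "0x00007FFD3A4E1C20"),
    make_event8(r"C:\Program Files\HookApp\hookapp.exe", r"C:\Windows\explorer.exe",
                "", "", "0x000001C2F3A00000"),
    make_event8(r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\notepad.exe",
                r"C:\Windows\System32\ntdll.dll", "RtlUserThreadStart", "0x00007FFD3B2A1A30"),
]


def parse_event8(xml_text):
    """Return (event_id, {field name: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def classify(data):
    """Classify one Event ID 8 record. Sysmon only emits this event when the thread
    is created in another process, so every record here is cross-process already."""
    start_fn = data.get("StartFunction", "")
    start_mod = data.get("StartModule", "")
    if start_fn in LOADER_ENTRYPOINTS:
        return "suspicious", f"remote thread starts at {start_fn}: LoadLibrary DLL injection"
    if not start_mod:
        return "suspicious", "remote thread starts outside any mapped module (shellcode stub)"
    return "review", "cross-process thread with a module-backed start routine"


def scan(records):
    """Run classify() over a list of raw event XML strings; skip non-Event-8 records."""
    findings = []
    for rec in records:
        event_id, data = parse_event8(rec)
        if event_id != 8:
            continue
        verdict, reason = classify(data)
        findings.append({
            "source": data.get("SourceImage", ""),
            "target": data.get("TargetImage", ""),
            "verdict": verdict,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['verdict']:<10}] {f['source']} -> {f['target']}: {f['reason']}")
```

On a live host the same `scan()` can be fed the output of `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=8}` exported as XML (`.ToXml()` on each record); the fields used above are the standard Event ID 8 names. The "review" verdict is deliberate: a module-backed start address in another process is not proof of injection, so it is left to an analyst rather than auto-flagged.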