' Build output goes straight to the path below, which is the same path the
' loader program passes to InjectLibrary/UninjectLibrary.
' NOTE(review): a DLL that ends up loaded into other processes should live in a
' directory only administrators can write to -- confirm the ACL on this path.
#COMPILE DLL "C:\windows\system\ProcCreate.dll"
#DIM ALL
#INCLUDE "win32api.inc"
' Presumably supplies HookAPI / UnhookAPI (madCodeHook bindings) -- confirm.
#INCLUDE "madCHook.inc"
' Receives the "next hook" value from HookAPI in LIBMAIN; the callback forwards
' every intercepted call through it with CALL DWORD.
GLOBAL CreateProcessWNext AS DWORD
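' Hook callback installed over kernel32!CreateProcessW by LIBMAIN.
' Writes the requested application name to the debugger output, then forwards
' the call unchanged through CreateProcessWNext and returns its result.
'
' Every argument is declared BYVAL so it is taken as the raw value the caller
' pushed. The two string arguments are received as plain addresses (DWORD):
' CreateProcessW passes pointers to zero-terminated UTF-16 text, which is not a
' PowerBASIC dynamic STRING, so they must not be dereferenced as STRING PTR.
'
' lpApplicationName may legitimately be NULL (the image is then named inside
' lpCommandLine), so it is checked before being read; a fault here would take
' down whichever process the DLL is loaded into.
' The command line is deliberately not logged: it can carry secrets, and
' debugger output is visible to any debug-output viewer.
FUNCTION CreateProcessWCallback(BYVAL lpApplicationName AS DWORD, _
                                BYVAL lpCommandLine AS DWORD, _
                                BYVAL lpProcessAttributes AS SECURITY_ATTRIBUTES PTR, _
                                BYVAL lpThreadAttributes AS SECURITY_ATTRIBUTES PTR, _
                                BYVAL bInheritHandles AS LONG, _
                                BYVAL dwCreationFlags AS DWORD, _
                                BYVAL lpEnvironment AS LONG, _
                                BYVAL lpCurrentDirectory AS DWORD, _
                                BYVAL lpStartupInfo AS STARTUPINFOW PTR, _
                                BYVAL lpProcessInformation AS PROCESS_INFORMATION PTR) AS LONG
    LOCAL result AS LONG
    LOCAL appName AS STRING
    LOCAL pw AS WORD PTR
    LOCAL n AS LONG

    IF lpApplicationName = 0 THEN
        appName = "(null)"
    ELSE
        ' Measure the UTF-16 text by scanning for its terminating zero word.
        ' The scan is capped so a malformed pointer cannot make it run away.
        pw = lpApplicationName
        n = 0
        DO
            IF n >= 32767 THEN EXIT DO
            IF @pw[n] = 0 THEN EXIT DO
            INCR n
        LOOP
        ' Two bytes per character; ACODE$ converts the Unicode bytes to ANSI.
        appName = ACODE$(PEEK$(lpApplicationName, n * 2))
    END IF

    OutputDebugString BYCOPY "ProcCreate.dll CreateProcessWNext() called... AppName: " & appName & $CRLF

    ' Forward to the original API, using this function's own signature as the
    ' call prototype.
    CALL DWORD CreateProcessWNext USING CreateProcessWCallback(lpApplicationName, _
                                                               lpCommandLine, _
                                                               lpProcessAttributes, _
                                                               lpThreadAttributes, _
                                                               bInheritHandles, _
                                                               dwCreationFlags, _
                                                               lpEnvironment, _
                                                               lpCurrentDirectory, _
                                                               lpStartupInfo, _
                                                               lpProcessInformation) TO result
    FUNCTION = result
END FUNCTION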
' DLL entry point. On process attach it installs the CreateProcessW hook; on
' process detach it removes it again. Other notification reasons are ignored.
' Always reports success (%TRUE) to the loader.
' NOTE(review): the result of HookAPI is not checked, so a failed hook is
' silent apart from the missing callback output.
FUNCTION LIBMAIN (BYVAL hInstance AS LONG, BYVAL fwdReason AS LONG, BYVAL lpvReserved AS LONG) AS LONG
    IF fwdReason = %DLL_PROCESS_ATTACH THEN
        OutputDebugString BYCOPY "ProcCreate.dll Attached to process" & $CRLF
        ' HookAPI stores the value needed to reach the original API in
        ' CreateProcessWNext, which the callback uses to forward calls.
        CALL HookAPI("kernel32.dll", "CreateProcessW", CODEPTR(CreateProcessWCallback), CreateProcessWNext, 0)
    ELSEIF fwdReason = %DLL_PROCESS_DETACH THEN
        OutputDebugString BYCOPY "ProcCreate.dll Detached from process" & $CRLF
        CALL UnhookAPI(CreateProcessWNext)
    END IF

    FUNCTION = %TRUE
END FUNCTION
' Loader program: injects ProcCreate.dll, shows the injection result in a
' message box, and uninjects the DLL once the box is dismissed.
' NOTE(review): %CURRENT_SESSION presumably targets every process in the
' current session -- confirm against madCHook.inc. The DLL then stays loaded
' in those processes for as long as the message box is open.
FUNCTION PBMAIN
    LOCAL status AS LONG

    ' 7000 is the timeout argument passed to both calls.
    status = InjectLibrary(%CURRENT_SESSION, "c:\windows\system\ProcCreate.dll", 7000)
    MSGBOX STR$(status)

    ' The uninject result is stored but never shown or checked.
    status = UninjectLibrary(%CURRENT_SESSION, "c:\windows\system\ProcCreate.dll", 7000)
END FUNCTION