New processes not being injected
When I inject the DLL (ALL_SESSIONS | SYSTEM_PROCESSES) all current processes are injected and the hooks work well. But new processes that are started do not get automatically injected. Can you think of any reason for this?
I assume the new processes are not being injected because the hook works for the current processes, but not on any new processes.
Details below:
-----------------
Static lib build (commercial)
DLL to inject is in the application's root directory
Calling InjectLibrary()/UninjectLibrary() from an NT service
WinXP Pro
Visual Studio .NET 2003
Windows Server 2003 SDK
Brian Young
KinoCode, Inc.
www.kinocode.com
Brian Young wrote: I assume the new processes are not being injected because the hook works for the current processes, but not on any new processes.
Nope, the flags you specified ensure that newly created processes (processes created AFTER you inject) also load your library. Otherwise, what good is an injection system which only injects into current processes? That would defeat the whole purpose of "SYSTEM WIDE" injection.
--Iconic
Can you please use the ProcessExplorer from sysinternals to check whether the hook dll is loaded or not loaded into newly created processes - just to be sure?
Also please reboot your PC and try the precompiled demos shipping with madCodeHook (without running any of your software after the reboot). Do these demos work or do they show the same problem?
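The Process Explorer check madshi asks for above (is the hook DLL actually present in a process created after InjectLibrary() ran?) can be scripted so it is repeatable on the machines where hooking "sometimes" fails. The PowerShell below is an added example, not code from this thread or from madCodeHook; it assumes the injected DLL is named hook.dll and uses notepad.exe as a stand-in for "a newly started user process".

```powershell
# Added example (not from the thread or from madCodeHook).
# Question it answers: does a process started AFTER injection load the hook DLL
# by itself, as ALL_SESSIONS promises? Assumptions: the DLL is hook.dll and
# notepad.exe is an acceptable throw-away "new" process for the test.
param(
    [string]$HookDll = 'hook.dll'   # assumed name of the injected DLL
)

function Test-HookLoaded {
    param([System.Diagnostics.Process]$Process, [string]$DllName)
    try {
        # .Modules throws for processes of another bitness or that we lack
        # rights to open; report those as $null ("unknown"), not "not loaded".
        $names = @($Process.Modules | ForEach-Object { $_.ModuleName })
        return [bool]($names -contains $DllName)
    } catch {
        return $null
    }
}

# 1. Processes that already existed when InjectLibrary() was called.
$existing = Get-Process | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.ProcessName
        Id     = $_.Id
        Loaded = Test-HookLoaded -Process $_ -DllName $HookDll
    }
}

"Existing processes with $HookDll loaded: " + @($existing | Where-Object { $_.Loaded -eq $true }).Count
"Existing processes without it:          " + @($existing | Where-Object { $_.Loaded -eq $false }).Count
"Could not inspect (bitness/rights):     " + @($existing | Where-Object { $null -eq $_.Loaded }).Count

# 2. A process created now: with ALL_SESSIONS it must pick up the DLL on its own.
$new = Start-Process -FilePath notepad.exe -PassThru
Start-Sleep -Seconds 2            # give the injection a moment to happen
$new.Refresh()
$newLoaded = Test-HookLoaded -Process $new -DllName $HookDll

if ($newLoaded -eq $true) {
    "New process $($new.Id): $HookDll loaded - system-wide injection works"
} elseif ($newLoaded -eq $false) {
    "New process $($new.Id): $HookDll NOT loaded - injection into new processes is broken"
} else {
    "New process $($new.Id): could not enumerate modules (bitness/rights)"
}

Stop-Process -Id $new.Id -ErrorAction SilentlyContinue
```

Run it from the same bitness as the hook DLL and with rights sufficient to open the processes you care about, otherwise most results fall into the "could not inspect" bucket and tell you nothing. A "NOT loaded" result for the new process while the existing ones are fine is exactly the symptom discussed in this thread.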
Results
This problem was completely my fault. I ended up deleting the InitializeMadCHook() call in a code merge. It created some interesting results though.
If a program that called InitializeMadCHook(), such as one of the precompiled demos, ran first, then my hook worked properly even with the lack of this call in my code. But if my program ran first, without the InitializeMadCHook() call, then the demo would also have the same problem hooking new processes.
Sorry to waste your time iconic and madshi and thank you very much for the quick help with my problem!
iconic wrote: the flags you specified ensure that newly created processes (processes created AFTER you inject also load your library)
Hmm... by the way, I am using:
(ALL_SESSIONS) and (not CURRENT_PROCESS)
to avoid wasting time with system processes (I only need to hook user applications). Sometimes, on some machines, the hooking doesn't seem to work at all. I was wondering if this may be the culprit...?
HOLD THE PHONE!!!!
Madshi...are you saying that if someone manages to prevent InitializeMadCHook() from running then this kewl code hooking technique can be rendered useless?
then maybe we're gonna have to make sure InitializeMadCHook is ran as soon as possible...even in a system driver loaded at boot time...btw is this possible? to run MadCode Hook from a system driver?
i'm kinda planning on moving to driver development since i saw that in user realm there are many ways to bypass any security software...
so i was wondering if you, madshi, ever tried hooking let's say the ndis driver from a kernel mode driver...donnow if it makes lots of sense yet
denisb wrote: HOLD THE PHONE!!!!
Madshi...are you saying that if someone manages to prevent InitializeMadCHook() from running then this kewl code hooking technique can be rendered useless?
Well, if someone manages to prevent HookAPI or InjectLibrary from running, then madCodeHook won't work correctly, either. No big surprise here.
denisb wrote: then maybe we're gonna have to make sure InitializeMadCHook is ran as soon as possible...even in a system driver loaded at boot time...
InitializeMadCHook needs to be called for each hook dll which was compiled with MSVC++ and is using the static lib. InitializeMadCHook doesn't even exist when using Delphi and it's not as important when using the dynamic MSVC++ lib.
denisb wrote: btw is this possible? to run MadCode Hook from a system driver?
No. madCodeHook is strictly user land only - and it will stay that way.