dll injection for the WTSAPI32.DLL's functions

c++ / delphi package - dll injection and api hooking
dmz498
Posts: 4
Joined: Tue Sep 27, 2016 6:28 am

dll injection for the WTSAPI32.DLL's functions

Post by dmz498 »

Hi,

I want to hook the WTSQuerySessionInformationW function using MadCodeHook 3.1.11.
All of the WTSAPI32.DLL's functions don't seem to be hooked with MadCodeHook. Is there any reason why those functions aren't hooked?

May I know how to hook those functions with MadCodeHook?


I used HookAPI. Functions from kernel32.dll, user32.dll and winsta.dll were hooked and called properly.

code:
HookAPI("wtsapi32.dll", "WTSQuerySessionInformationW", HookWTSQuerySessionInformationW, (PVOID *)&RealWTSQuerySessionInformationW);

1. Use HookAPI on "WTSQuerySessionInformationW".
2. I checked the injected DLL using Process Explorer (Sysinternals).
3. When my test app calls WTSQuerySessionInformationW, HookWTSQuerySessionInformationW isn't called.

Last edited by dmz498 on Tue Sep 27, 2016 7:31 am, edited 2 times in total.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Post by iconic »

@dmz,

Are you using HookAPI() or HookCode()? From what I see, HookCode() will fail if the module containing the to-be-hooked API is not already loaded, whereas HookAPI() will succeed regardless on return. Please post your pertinent code so we can see exactly what you're doing.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Post by madshi »

If you're using HookAPI() and if it fails, please also call GetLastError() afterwards and let us know the result.

Some users tried doing "if HookAPI() == 1". I hope you're not doing that to test for success?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Post by iconic »

In that case BOOL(TRUE) can be, and usually is, -1 depending on the compiler settings. That's why you shouldn't test for an integral value explicitly; instead check for non-zero to determine TRUE.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Post by madshi »

Thought BOOL(EAN) was always 1 in MSVC++. Good to know it can be -1 in MSVC++, too. For some reason Delphi uses -1. Of course you're right that the proper way to check for a boolean is to test for non-zero. Or in MSVC++ simply "if (SomeBoolValueOrBoolReturningFunction)".
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Post by iconic »

@dmz,

Check param 3, you're missing an &

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Post by madshi »

The & usually isn't needed there. My demos don't have it, either.

@dmz498, how do you check whether the API hook works or doesn't work? Are you testing the HookAPI() return value at all? Or why did you come to the conclusion that the API hooks don't seem to be working?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Post by iconic »

As you previously mentioned, if it's failing he can post the GetLastError code, which could help. The & is optional, but we've yet to see what his callback looks like or how it's set up.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Post by madshi »

I'm getting the impression dmz498 isn't checking the HookAPI() return value at all, but the hook callback function simply isn't called, although dmz498 expects it to. Which could have a multitude of different reasons, the simplest one being that no one actually called the hooked API.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Post by iconic »

He is saying his app is indeed calling WTSQuerySessionInformation; even the ANSI version will call WTSQuerySessionInformationW, as you know. Hmmmm

--Iconic
dmz498
Posts: 4
Joined: Tue Sep 27, 2016 6:28 am

Re: dll injection for the WTSAPI32.DLL's functions

Post by dmz498 »

I'm sorry for the late reply.
I checked, and the return value is -1.

=> how do you check whether the API hook works or doesn't work?
So I hooked both winsta.dll's WinStationQueryInformationW and WTSQuerySessionInformationW. [I guess WinStationQueryInformationW is a subroutine of WTSQuerySessionInformationW.]
When calling WTSQuerySessionInformationW from the test app, only HookWinstationQueryInformationW was called properly.

Thank you for the reply.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: dll injection for the WTSAPI32.DLL's functions

Post by madshi »

"-1" means success. However, if at the time you called HookAPI() the "wtsapi32.dll" wasn't loaded yet, HookAPI() will always return success because it can't know yet if installing the API hook will work or not.

Try calling LoadLibrary('wtsapi32.dll') before calling HookAPI(). Does HookAPI() still return -1 if you do that? And does the API hook work in that case?
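The two points made in this thread, testing HookAPI()'s BOOL result for non-zero rather than for 1, and loading wtsapi32.dll before calling HookAPI() so that a TRUE result actually means the hook is in place, put together as an added example. This is not code from the thread or from madCodeHook's own demos. It assumes the madCodeHook 3.x C++ API (HookAPI, UnhookAPI, InitializeMadCHook, FinalizeMadCHook from "madCHook.h") and that it runs inside the injected DLL; the callback, next-hook pointer and helper names are my own.

```cpp
// Added example: hook DLL initialisation that makes HookAPI()'s result meaningful.
// Assumes madCodeHook 3.x C++ API; names below are illustrative, not madCodeHook's.
#include <cstdio>

// madCodeHook's HookAPI() returns a BOOL. TRUE is "any non-zero value" and in
// practice arrives as 1 or -1 depending on compiler/language, so never test "== 1".
// This helper is portable; everything else in this file is Windows-only.
bool HookApiSucceeded(int boolReturn) { return boolReturn != 0; }

#ifdef _WIN32
#include <windows.h>
#include <wtsapi32.h>
#include "madCHook.h"   // madCodeHook 3.x C++ header (assumed include path)

// Prototype of WTSQuerySessionInformationW as declared in wtsapi32.h.
typedef BOOL (WINAPI *WTSQuerySessionInformationW_t)(HANDLE hServer, DWORD SessionId,
    WTS_INFO_CLASS WTSInfoClass, LPWSTR *ppBuffer, DWORD *pBytesReturned);

// Filled in by HookAPI(); calling it reaches the original API (the "next hook").
static WTSQuerySessionInformationW_t NextWTSQuerySessionInformationW = nullptr;

static void DebugLog(const char *what, DWORD err)
{
    char buf[128];
    snprintf(buf, sizeof buf, "[wtshook] %s (GetLastError=%lu)\n", what, err);
    OutputDebugStringA(buf);   // visible in DebugView / a debugger, unlike printf in a GUI host
}

static BOOL WINAPI HookWTSQuerySessionInformationW(HANDLE hServer, DWORD SessionId,
    WTS_INFO_CLASS WTSInfoClass, LPWSTR *ppBuffer, DWORD *pBytesReturned)
{
    OutputDebugStringA("[wtshook] WTSQuerySessionInformationW called\n");
    return NextWTSQuerySessionInformationW(hServer, SessionId, WTSInfoClass, ppBuffer, pBytesReturned);
}

// Returns true only if wtsapi32.dll is loaded AND HookAPI() reported success.
// If the module is not loaded yet, HookAPI() returns TRUE unconditionally and
// merely defers the hook, so loading it first is what turns TRUE into evidence.
static bool InstallWtsHook()
{
    // Pin wtsapi32.dll in the process; it is never freed, the hook must outlive us.
    HMODULE hWts = LoadLibraryW(L"wtsapi32.dll");
    if (!hWts) {
        DebugLog("LoadLibrary(wtsapi32.dll) failed", GetLastError());
        return false;
    }
    BOOL ok = HookAPI("wtsapi32.dll", "WTSQuerySessionInformationW",
                      (PVOID)HookWTSQuerySessionInformationW,
                      (PVOID *)&NextWTSQuerySessionInformationW);
    if (!HookApiSucceeded(ok)) {
        DebugLog("HookAPI(WTSQuerySessionInformationW) failed", GetLastError());
        return false;
    }
    return NextWTSQuerySessionInformationW != nullptr;
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID)
{
    if (reason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hinst);
        InitializeMadCHook();
        InstallWtsHook();
    } else if (reason == DLL_PROCESS_DETACH) {
        if (NextWTSQuerySessionInformationW)
            UnhookAPI((PVOID *)&NextWTSQuerySessionInformationW);
        FinalizeMadCHook();
    }
    return TRUE;
}
#endif
```

One caveat: Microsoft advises against calling LoadLibrary from DllMain because of the loader lock. If the host process misbehaves with this layout, move InstallWtsHook() out of DllMain into an exported initialisation routine (or a thread started after attach) and keep only the madCodeHook init/finalize calls in DllMain.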
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: dll injection for the WTSAPI32.DLL's functions

Post by iconic »

WTSQuerySessionInformationW is ONLY exported from wtsapi32.dll and WinStationQueryInformationW is ONLY exported from winsta.dll - not the same dll involving both routines

--Iconic
dmz498
Posts: 4
Joined: Tue Sep 27, 2016 6:28 am

Re: dll injection for the WTSAPI32.DLL's functions

Post by dmz498 »

iconic wrote:WTSQuerySessionInformationW is ONLY exported from wtsapi32.dll and WinStationQueryInformationW is ONLY exported from winsta.dll - not the same dll involving both routines

--Iconic
I already know that. So I used it instead of WTSQuerySessionInformationW.
Thanks.
dmz498
Posts: 4
Joined: Tue Sep 27, 2016 6:28 am

Re: dll injection for the WTSAPI32.DLL's functions

Post by dmz498 »

madshi wrote:"-1" means success. However, if at the time you called HookAPI() the "wtsapi32.dll" wasn't loaded yet, HookAPI() will always return success because it can't know yet if installing the API hook will work or not.

Try calling LoadLibrary('wtsapi32.dll') before calling HookAPI(). Does HookAPI() still return -1 if you do that? And does the API hook work in that case?
After calling LoadLibrary, the hook is working properly.

Thank you...