NT DLL hooks not called

remko
Posts: 6
Joined: Tue Jan 31, 2017 2:20 pm

NT DLL hooks not called

Post by remko »

Using madCodeHook 4.0.4 on Windows 10 (1709) I am launching a process with CreateProcessEx with last parameter injecting my dll.
My launcher, the dll and the process I am injecting into are all 32 bit.

Launcher:


    procedure LaunchExplorer;
    var
      si: TStartupInfoW;
      pi: TProcessInformation;
      Args, DllPath: string;
      bResult: Boolean;
    begin
      ZeroMemory(@si, SizeOf(si));
      si.cb := SizeOf(si);

      Args := '/SEPARATE';   // explorer.exe switch; unique copy so the buffer is writable
      UniqueString(Args);    // (not passed yet: lpCommandLine below is still nil)
      DllPath := TPath.Combine(TPath.GetDirectoryName(ParamStr(0)), 'HookDll.dll');
      // last parameter: DLL that madCodeHook injects into the new process
      bResult := CreateProcessExW('C:\Windows\SysWOW64\explorer.exe', nil, nil,
        nil, False, 0, nil, 'C:\Windows\SysWOW64', si, pi, PChar(DllPath));
    end;
Hook DLL:


  // user32 hook: callback and pointer to the "next" (original) function
  bResult := HookAPI('User32.dll', 'FindWindowW', @FindWindowWCallBack, @FindWindowWNext);
  OutputDebugString(PChar(Format('!!! HookAPI FindWindowW returned: %s', [BoolToStr(bResult, True)])));

  // ntdll hooks, export names passed as posted
  bResult := HookAPI('ntdll.dll', 'NTQueryInformationProcess', @NTQueryInformationProcessCallBack, @NTQueryInformationProcessNext);
  OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationProcess returned: %s', [BoolToStr(bResult, True)])));

  bResult := HookAPI('ntdll.dll', 'NTQueryInformationToken', @NTQueryInformationTokenCallBack, @NTQueryInformationTokenNext);
  OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationToken returned: %s', [BoolToStr(bResult, True)])));
The hook code is called for FindWindowW but not for NTQueryInformationToken or NTQueryInformationProcess even though I can see with API Monitor that those functions are being called.

I have also tried just calling CreateProcess with suspended flag then call InjectLibrary and resume but similar result.

Any ideas as to why hooking ntdll doesn't work?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: NT DLL hooks not called

Post by madshi »

The API names are incorrect. It's "Nt" not "NT".
remko
Posts: 6
Joined: Tue Jan 31, 2017 2:20 pm

Re: NT DLL hooks not called

Post by remko »

I feel silly now, thanks ;-)

BTW should HookApi not return False in that case?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: NT DLL hooks not called

Post by madshi »

Yes, it should.
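As an added example (not code from the thread or from madCodeHook's own sources), a hook DLL unit that resolves the export with GetProcAddress before calling HookAPI, so a case error like the one above shows up as a logged failure instead of a hook that is never called. It assumes madCodeHook's Delphi HookAPI takes the callback and next-hook pointers the way the posts above pass them; the pass-through callback is written for illustration.

```delphi
unit HookDll;

interface
implementation

uses
  Winapi.Windows, System.SysUtils, madCodeHook;

var
  NtQueryInformationProcessNext: function(ProcessHandle: THandle;
    InfoClass: DWORD; Info: Pointer; InfoLength: ULONG;
    ReturnLength: PULONG): LongInt; stdcall;

// Pass-through callback: logs the call, then forwards to the original export.
function NtQueryInformationProcessCallback(ProcessHandle: THandle;
  InfoClass: DWORD; Info: Pointer; InfoLength: ULONG;
  ReturnLength: PULONG): LongInt; stdcall;
begin
  OutputDebugString('!!! NtQueryInformationProcess called');
  Result := NtQueryInformationProcessNext(ProcessHandle, InfoClass, Info,
    InfoLength, ReturnLength);
end;

// Export names are case-sensitive: 'NTQueryInformationProcess' fails here, with a
// log line saying why, instead of silently producing a hook that never fires.
function HookExport(const Module, Proc: AnsiString; Callback, NextHook: Pointer): Boolean;
var
  hMod: HMODULE;
begin
  Result := False;
  hMod := GetModuleHandleA(PAnsiChar(Module));
  if hMod = 0 then
  begin
    OutputDebugString(PChar(Format('!!! %s is not loaded', [Module])));
    Exit;
  end;
  if GetProcAddress(hMod, PAnsiChar(Proc)) = nil then
  begin
    OutputDebugString(PChar(Format('!!! %s!%s not found (check spelling and case)',
      [Module, Proc])));
    Exit;
  end;
  Result := HookAPI(PAnsiChar(Module), PAnsiChar(Proc), Callback, NextHook);
  OutputDebugString(PChar(Format('!!! HookAPI %s returned %s',
    [Proc, BoolToStr(Result, True)])));
end;

initialization
  HookExport('ntdll.dll', 'NtQueryInformationProcess',
    @NtQueryInformationProcessCallback, @NtQueryInformationProcessNext);
end.
```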