My launcher, the dll and the process I am injecting into are all 32 bit.
Launcher:
Code: Select all
ZeroMemory(@si, SizeOf(si));
si.cb := SizeOf(si);
Args := '/SEPERATE';
UniqueString(Args);
DllPath := TPath.Combine(TPath.GetDirectoryName(ParamStr(0)), 'HookDll.dll');
bResult := CreateProcessExW('C:\Windows\SysWOW64\explorer.exe', nil, nil,
nil, False, 0, nil, 'C:\Windows\SysWOW64', si, pi, PChar(DllPath));
Code: Select all
bResult := HookAPI('User32.dll', 'FindWindowW', @FindWindowWCallBack, @FindWindowWNext);
OutputDebugString(PChar(Format('!!! HookAPI FindWindowW returned: %s', [BoolToStr(bResult, True)])));
bResult := HookAPI('ntdll.dll', 'NTQueryInformationProcess', @NTQueryInformationProcessCallBack, @NTQueryInformationProcessNext);
OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationProcess returned: %s', [BoolToStr(bResult, True)])));
bResult := HookAPI('ntdll.dll', 'NTQueryInformationToken', @NTQueryInformationTokenCallBack, @NTQueryInformationTokenNext);
OutputDebugString(PChar(Format('!!! HookAPI NTQueryInformationToken returned: %s', [BoolToStr(bResult, True)])));
I have also tried just calling CreateProcess with suspended flag then call InjectLibrary and resume but similar result.
Any ideas to why hooking ntdll doesn't work?