Originally posted by: Lehem Hok
Hi,
The documentation of DllMain states that:
"You must not call LoadLibrary in the entry-point function, because you may create dependency loops in the DLL load order. This can result in a DLL being used before the system has executed its initialization code. Similarly, you must not call the FreeLibrary function in the entry-point function on detach, because this can result in a DLL being used after the system has executed its termination code."
However your code does that.
Do you rely on some knowledge why what you are doing is OK in spite of the documentation?
Thanks,
Lehem
Originally posted by: Fish
I tried to replace the MessageBoxA function in user32.dll by using sm_pHookMgr->HookImport("User32.DLL", "MessageBoxA", (PROC)CModuleScope::MyMessage);
However, when I try to compile it, my VC6++ compiler runs into an error and tells me that MyMessage is not a member of CModuleScope! Can someone please help with this error? Thank you!
Originally posted by: Conrad
After I played with the demo for a while, randomly, HookSrv.exe or Explorer.exe crashes if I set
WindowsHook=Yes
HookAll=Yes
I tried to figure out what happened. While debugging HookSrv, I got a system exception (stack overflow). When I checked the log file, I got around 3000 lines of
HookSrv.exe(680) - Process (680) shuts down
If I set
HookAll=No
Hook=NOTEPAD, TestApp
Everything works fine.
It seems that some system (other) module does not like MyTextOutA (MyTextOutW) very well :-)
Any idea?
Originally posted by: Conrad
Great work, I'm impressed not only by its deep insight into API interception, but also by its elegant OO design.
Please allow me to ask some stupid questions, since I'm sort of a beginner on this topic.
For the Windows Hook Interceptor approach, I want to intercept some API calls, e.g. CopyFile. If I have an application which is totally not Windows messaging based, what I mean is that the app is just a simple win32 app which calls the API, no window or hidden window (message queue) is involved, will this app be hooked up by the OS?
My wish list :-) If a sequence diagram can be provided, that will be wonderful.
Regards,
Conrad
Originally posted by: Al
Platform Win NT 4
I'm using method 1), the registry, to inject my dll hook code. It gets loaded OK into most apps (notepad, explorer, even a DOS box cmd.exe), except one, where it does not get loaded at all.
I've checked the target app, it appears to have loaded User32.dll (checked it with Process Explorer from sysinternals (www.sysinternals.com)) and it's in the dll list, but my hook dll is not. I've also noticed that the systray process also seems to have User32.dll loaded, but again, my dll is not.
Are there any further restrictions on method 1 that are not mentioned? Does it matter how the target process links with user32.dll?
Al.
Originally posted by: Mangesh Pimpalkar
It was indeed a very good article.
He has given good information about spying.
Thanks a lot.
Mangesh.
Originally posted by: JEFF ZHANG
Hi, Ivo:
First, congratulations on winning so many comments ^-^
Currently I am puzzled by one problem: re-hooking a dll. Let me explain. When SetWindowsHookEx gets called, you pass the target thread ID. Well, I have tested setting the same GetMsg and CBTProc hook dll on the same thread (including 0, the system-wide one) multiple times, and GetLastError() is 0, indicating success. But one unset will unload the dll (I checked the modules on the target thread/process).
My question is: if I want to track some specific window, say an activeX, I have to remember the thread ID I used; if 2 activeX are on the same thread, and I hooked twice, and one of the activeX windows gets destroyed, I SHOULD JUST IGNORE this event, and only after the 2nd activeX is destroyed do I unhook once. Is that right?
My need seems strange and unusual, so would you please give me a kind reply? Thank you very much.
P.S. One application of this is in my article http://www.codeguru.com/misc/MessagerSpy.html
Originally posted by: xu beer
CSocket socket;
socket.Connect("202.202.1.1",90);
My hook is :
....
sm_pHookMgr->HookImport("wsock32.DLL", "connect", (PROC)CModuleScope::MY_connect);
sm_pHookMgr->HookImport("ws2_32.dll", "connect", (PROC)CModuleScope::MY_connect);
...
But my hook will fail!
Help!
Originally posted by: Keo
Excellent presentation about the subject. But when I run HookSvr and try to open any application (Bloc-Notes or whatever) ZoneAlarm (Vsmon crashes).
Any idea??
I really appreciate the article.
Originally posted by: Sylvain
You say you can use CreateRemoteThread by passing the name of the DLL as a parameter. I think it's false, because the data pointer isn't in the target process address space.
You have to use VirtualAllocEx:
    // hProcessToAttach: handle to the target process, opened elsewhere
    CHAR szLibraryToLoad[] = "c:\\...\\mydll.dll";
    LPVOID pAttachProcessMemory = NULL;
    DWORD dwBytesWritten = 0;
    DWORD dwRemoteThread = 0;
    // Allocate room for the path string inside the target process
    pAttachProcessMemory = VirtualAllocEx(
        hProcessToAttach,
        NULL,
        sizeof(szLibraryToLoad),
        MEM_COMMIT,
        PAGE_EXECUTE_READWRITE );
    // Copy the path string into the target's address space
    WriteProcessMemory(
        hProcessToAttach,
        pAttachProcessMemory,
        szLibraryToLoad, sizeof(szLibraryToLoad),
        &dwBytesWritten );
    // The thread parameter now points to memory that is valid in the target
    CreateRemoteThread( hProcessToAttach, NULL, 0,
        (LPTHREAD_START_ROUTINE)LoadLibraryA, pAttachProcessMemory, 0,
        &dwRemoteThread );
However, your article is very interesting,
Sylvain
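
Added example, not part of the original comments or the article's code: the three calls in the comment above (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) form a sequence a defender can correlate on, flagging a remote thread whose parameter points into memory the same caller allocated and wrote in another process. The event tuple format, the function name and all sample values are constructed assumptions, not the output of any real tool.

```python
from collections import defaultdict

# Constructed sample telemetry in a hypothetical format:
# (source_pid, target_pid, api, address, size)
# For CreateRemoteThread, "address" is the lpParameter value.
EVENTS = [
    (1001, 2002, "VirtualAllocEx",     0x00A50000, 32),
    (1001, 2002, "WriteProcessMemory", 0x00A50000, 32),
    (1001, 2002, "CreateRemoteThread", 0x00A50000, 0),
    (3003, 4004, "VirtualAllocEx",     0x00B10000, 64),  # allocation only
    (5005, 5005, "VirtualAllocEx",     0x00C00000, 16),  # same process
    (6006, 7007, "CreateRemoteThread", 0x7FFE0000, 0),   # param not in written memory
]

def in_any_region(addr, regions):
    """True if addr falls inside one of the (base, size) regions."""
    return any(base <= addr < base + size for base, size in regions)

def find_remote_load_pattern(events):
    """Return (source_pid, target_pid, param_address) for each remote thread
    whose parameter lies in memory the source allocated and then wrote
    in the target. Events are assumed to be in chronological order."""
    allocated = defaultdict(list)  # (src, dst) -> [(base, size)]
    written = defaultdict(list)    # (src, dst) -> [(base, size)]
    hits = []
    for src, dst, api, addr, size in events:
        if src == dst:
            continue  # only cross-process activity is of interest
        key = (src, dst)
        if api == "VirtualAllocEx":
            allocated[key].append((addr, size))
        elif api == "WriteProcessMemory":
            # Track only writes that land in a region this source allocated
            if in_any_region(addr, allocated[key]):
                written[key].append((addr, size))
        elif api == "CreateRemoteThread":
            if in_any_region(addr, written[key]):
                hits.append((src, dst, addr))
    return hits

if __name__ == "__main__":
    for src, dst, addr in find_remote_load_pattern(EVENTS):
        print(f"pid {src} -> pid {dst}: remote thread parameter at {addr:#010x}")
```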