RhInjectLibrary yields STATUS_INVALID_PARAMETER_4 e_e??

Nov 24, 2010 at 12:37 AM

Hello world,

I was very giddy that hooking into another process might prove so simple. I've been using Easyhook for a while to hook into various loaded APIs. But I needed to hook into GetPrivateProfileInt to help out an old app; the only prob was that the approach I'd been using (overwriting the LoadLibrary strings prior to letting the app go) would not get there before it is too late.

The setup seems very simple...

    DbgAttachDebugger(); //does this do anything??

    NTSTATUS InjectionStatus = 

    DbgDetachDebugger(); //guess not...

The DLL exports the proper entrypoint as described in the docs ("_NativeInjectionEntryPoint@4") except it's not possible to export with the underscore (http://msdn.microsoft.com/en-us/library/f6xx1b1z%28VS.80%29.aspx -- see bit about the underscore) and I looked at the import table in the .dll and there was no underscore there either.

I don't, however, suspect that is the problem, because the docs say STATUS_INVALID_PARAMETER_4 means the library cannot be loaded. Funny, because I load the library from the same process every time, just never at this point I suppose.

There should be nothing in the way of this working. I tried every variation I could imagine over the course of what at least seemed like hours.

I've not had a ton of success attracting help here in the past.


But whatever you can spare would be a blessing.



Nov 24, 2010 at 4:22 AM

I don't have a solution, but the same error happens to my app now and then in the field.

Nov 24, 2010 at 9:59 AM
Edited Nov 27, 2010 at 1:22 AM

I want to add, I'm not trying to devise an app that hooks into other apps so to speak. I just need to integrate the functionality into a launcher which always starts up the same executable / basically helps it cope with the modern world.

The process being hooked into is very generic / circa 2000 / no frills. Just need to somehow hook GetPrivateProfileInt before it gets to that point. So far we've been using "IniFilemapping" for this, but it requires a one-time restart (and super user privileges) and doesn't work when the app is in a path with non-ASCII characters.

EDITED: I think it should be possible to use CreateRemoteThread/LoadLibrary to inject a thread into the process, and then I think LhSetInclusiveACL can hook the dll's routine into the main thread. LoadLibrary I read has the same address in every process, so you can use the address of your program's LoadLibrary procaddress. And set the thread argument to a string in the remote process which contains the address of your library (already there in our case.)

Nov 27, 2010 at 1:28 AM
Edited Nov 27, 2010 at 1:32 AM

Ultimately I pulled this off without Easyhook / with CreateRemoteThread. The injection was incredibly simple; however, the real crux of the problem became that of communicating the thread where the hooks would ultimately reside to the remote thread (across process boundaries).

I set up something compact but very tricky for communicating between the processes, though any traditional technique would do. What I did is just crosswire the stdin/out between the two processes via an anonymous pipe. The exchange must be very precise, but it seems stable/portable because the cin/out operations block one another. Anyway they just pass a series of "launchcodes" / acknowledgments between one another to get the job done, then detach from the pipe via the last code. Working out the API for all of that took most of a day. I can't say I recommend it, but managing the pipes properly would've been a ton of circuitous code for sure.

Makes me wonder if I even need the Easyhook library for the interface hooking. I haven't found a built-in Win32 API for getting the job done, though I may look into Detours (whatever that is exactly) ... Easyhook has been indispensable, but the forums have always been a wasteland of desperate souls not getting the answers they need :(