Suggestion: Replacing kernel32 functions by ntdll functions in injection assembler (unmanaged)

Feb 7, 2011 at 10:37 AM

It will be even more stable if you replace kernel function by ntdll ones. Some processes do not have kernel32 DLL loaded (w7 smss.exe) or they have modified "GetProcAddress" function adress (as i noticed recently in some cases .. like hooking process started from VS2010).

I think its OK to replace only LoadLibraryW -> LdrLoadDll and GetProcAddress -> LdrGetProcedureAddress (optionally GetModuleHandle -> LdrGetDllHandle to check kernel32 is loaded). The other needed functions can be found simply by calling LdrGetProcedureAddress in injected assembler.

Using this .. STATUS_INTERNAL_ERROR and injected process crash problems will be reduced to minimum.


Feb 7, 2011 at 4:57 PM

I second that motion.