hook advapi32 from child process (unmanaged code)

Jun 12, 2013 at 10:30 PM
I am trying to hook just a few functions in advapi32 on a child process. i'm using unmanaged c++ (but as a last resort will use managed code) I have zero experience in API hooking.

basically what i'm trying to :

1) process launched by non-administrator on win7 or win8
2) I have full control over child process creation
3) if I had to pre-install some component as administrator it would be less preferable but OK
4) initially plan to only work on 32-bit version, 64-bit later

i'm trying to create a PoC "Service Control Manager" wrapper that will run a service as user outside services.exe i.e. so an existing windows service can be launched almost like a normal process.

to do this (among other complexities) I need to hook
  • RegisterServiceCtrlHandlerA
  • RegisterServiceCtrlHandlerW
and replace with my own functions.

1) is this possible with easyhook?
2) Reading the unmanaged documentation could this be achieved with RhCreateAndInject? Or what methods do I need to investigate? Are there any example codes when you need to hook a few functions in a child process?