Injected a DLL into a process using unmanaged C++

Jan 30, 2010 at 2:05 AM

I may have missed a key step in injecting a DLL into a process using unmanaged C++.  I have a test program that works fine with the Detours library but I'm having trouble translating it to EasyHook.

I have built a dll that has a simple hooking of the MessageBoxA call:

TRACED_HOOK_HANDLE hHook;

extern "C" __declspec(dllexport)
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* InRemoteInfo)
{
    _Print("Starting hooking\n");
    hHook= new HOOK_TRACE_INFO();

    FORCE(LhInstallHook(
        Real_MessageBoxA,
        Mine_MessageBoxA,
        (PVOID)0x12345678,
        hHook));

    _Print("hooking done\n");

    RhWakeUpProcess();

    _Print("waking up the process\n");
    Sleep(5000);

    _Print("leaving native injection entry point\n");
    return;

ERROR_ABORT:
    _Print("Error abort\n");
    return;
}

Real_MessageBoxA and Mine_MessageBoxA are taken from the Detours traceapi sample.  My DLL links to user32.lib, in the Detours style, so that it will have the address of MessageBoxA.

And I'm calling it from a modified UnmanagedHook project.  The DLL loading and injection seem to be working from the point of view of NativeInjectionEntryPoint outputting all of the debugging prints.  However, none of my hooked functions seem to be called, which I've checked by looking for output in the log file, breakpoints in the debugger (attached to the target process), and popping up MessageBoxA()'s from my hook functions.  The target process continues to run as if it has not been hooked.  (I've even tried returning error conditions from the hooked functions but to no effect.)

I read in the managed API that we are supposed to set ACLs and other stuff.  Is this true for the Unmanaged C++ interface?

Is there a simple working example of a DLL and C++ host process?  Suggestions?

-Jason

Jan 30, 2010 at 8:59 AM

From what I remember, if I am right, Real_MessageBox is a macro definition with Detours!

Can you confirm that your Real_MessageBox is only and really a simple pointer to MessageBoxA?

Yes, you have to play with the ACLs. Be patient, because playing with the ACLs the first time was a pain... but finally I was able to play with them and to include all threads without any excluded threads.

Try the two ACL methods: the first including only your thread and excluding all other threads, the second excluding the thread in which your code runs and including all other threads.

Why? That depends on where your code calling the ACL methods excluding and/or including threads is invoked (remote detached thread used to inject, main code, ...)!
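
The two ACL modes discussed in this thread, as an added example that is not part of either post and is not EasyHook's own code: a simplified model of the per-hook thread ACL, showing why a hook with no ACL call never fires. It assumes a freshly installed hook starts with an empty inclusive list and that the global ACL filters nothing; the type, function names and thread IDs are constructed for illustration, and the real calls are LhSetInclusiveACL and LhSetExclusiveACL.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Simplified model of a per-hook thread ACL (illustrative, not EasyHook source).
// Assumption: the global ACL is left at its default and filters nothing.
struct HookAcl {
    bool exclusive = false;         // false = inclusive list
    std::vector<uint32_t> threads;  // empty inclusive list: no thread is hooked
};

// Models LhSetInclusiveACL: only the listed threads reach the hook handler.
void setInclusive(HookAcl& acl, std::vector<uint32_t> ids) {
    acl.exclusive = false;
    acl.threads = std::move(ids);
}

// Models LhSetExclusiveACL: every thread except the listed ones is hooked.
void setExclusive(HookAcl& acl, std::vector<uint32_t> ids) {
    acl.exclusive = true;
    acl.threads = std::move(ids);
}

// Decision taken when a hooked API is called on thread `tid`.
bool isIntercepted(const HookAcl& acl, uint32_t tid) {
    bool listed = std::find(acl.threads.begin(), acl.threads.end(), tid)
                  != acl.threads.end();
    return acl.exclusive ? !listed : listed;
}

// Constructed thread IDs for the demonstration.
constexpr uint32_t kInjectionThread = 4100;  // runs NativeInjectionEntryPoint
constexpr uint32_t kTargetUiThread = 1200;   // target thread calling MessageBoxA

int main() {
    HookAcl acl;  // state right after installing the hook, no ACL call made
    std::printf("no ACL set: ui=%d inj=%d\n",
                isIntercepted(acl, kTargetUiThread), isIntercepted(acl, kInjectionThread));
    setExclusive(acl, {kInjectionThread});  // hook everything but the injector
    std::printf("exclusive:  ui=%d inj=%d\n",
                isIntercepted(acl, kTargetUiThread), isIntercepted(acl, kInjectionThread));
    setInclusive(acl, {kInjectionThread});  // hook only the injector thread
    std::printf("inclusive:  ui=%d inj=%d\n",
                isIntercepted(acl, kTargetUiThread), isIntercepted(acl, kInjectionThread));
    return 0;
}
```

In this model the exclusive list naming only the injection thread is the case where calls made by the target's own threads reach the handler.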