Can't get RhCreateAndInject to work

Mar 4, 2011 at 3:33 AM

I've previously used Easyhook in many projects without any problem, altough  this is the first time I need to use RhCreateAndInject to play with resource APIs. 

I don't actually get any error but the hooked functions do not seem to be called.

My main binary is fairly simple, using mspaint.exe, notepad.exe ,etc. to test launch:

#include "stdafx.h"

#pragma comment ( lib, "easyhook32.lib" )

int _tmain(int argc, _TCHAR* argv[])
{
	ULONG pid;
	NTSTATUS nt;

	if (!NT_SUCCESS(nt = RhCreateAndInject(L"\\windows\\syswow64\\notepad.exe", L"", NULL,
		EASYHOOK_INJECT_DEFAULT, L"\\Temp\\hk\\Debug\\hookdll.dll", 0, 0, 0, &pid)))
	{
		printf("Failed to start and inject process, reason: 0x%08x\n", nt);
	}
	else
		printf("Injection successful (PID %d).", pid);

	getchar();

	return 0;
}

Note that I use the SYSWOW64 binary to hook on the 32bit process (i'm running Win7 x64).

The Hook DLL also does not seems to do anything "out of spec":

#include "stdafx.h"
#include "hookdll.h"

typedef HGLOBAL (WINAPI * PFNLOADRESOURCE)(HMODULE, HRSRC);
typedef HRSRC (WINAPI * PFNFINDRESOURCEW)(HMODULE, LPWSTR, LPWSTR);
typedef LPVOID (WINAPI * PFNLOCKRESOURCE)(HGLOBAL);
typedef DWORD (WINAPI * PFNSIZEOFRESOURCE)(HMODULE, HRSRC);

HOOK_TRACE_INFO* g_pHookLoadResource = NULL;
HOOK_TRACE_INFO* g_pHookFindResourceW = NULL;
HOOK_TRACE_INFO* g_pHookLockResource = NULL;
HOOK_TRACE_INFO* g_pHookSizeofResource = NULL;

static PFNLOADRESOURCE g_pfnLoadResource;
static PFNFINDRESOURCEW g_pfnFindResourceW;
static PFNLOCKRESOURCE g_pfnLockResource;
static PFNSIZEOFRESOURCE g_pfnSizeofResource;

#pragma  comment ( lib , "easyhook32.lib")

//////////////////////////////////////////////////////////////////////////
//
// Hooked functions follow ...
//
//////////////////////////////////////////////////////////////////////////
HGLOBAL WINAPI _LoadResource(HMODULE hModule, HRSRC hResInfo)
{
	DebugBreak();
	OutputDebugString(__FUNCTIONW__);

	return g_pfnLoadResource(hModule, hResInfo);	
}

HRSRC WINAPI _FindResourceW(HMODULE hModule, LPWSTR lpName, LPWSTR lpType)
{
	DebugBreak();
	OutputDebugString(__FUNCTIONW__);

	return g_pfnFindResourceW(hModule, lpName, lpType);
}

LPVOID WINAPI _LockResource(HGLOBAL hResData)
{
	DebugBreak();
	OutputDebugString(__FUNCTIONW__);

	return g_pfnLockResource(hResData);
}

DWORD WINAPI _SizeofResource(HMODULE hModule, HRSRC hResInfo)
{
	DebugBreak();
	OutputDebugString(__FUNCTIONW__);

	return g_pfnSizeofResource(hModule, hResInfo);
}

#define INSTALLHOOK(pfn,userfn,phk) {	wchar_t s[200];									\
										NTSTATUS nt = LhInstallHook(pfn,userfn,0,phk);  \
										wsprintf(s, L" LhInstallHook(%s [0x%08x],%s,0,%s) RC == 0x%08x \n",L#pfn,pfn,L#userfn,L#phk,nt); \
										OutputDebugString(s); }

//////////////////////////////////////////////////////////////////////////
// Hook installation
//////////////////////////////////////////////////////////////////////////
inline void InstallHooks() 
{	
	ULONG ACLEntries[1] = {0};

	g_pHookLoadResource = new HOOK_TRACE_INFO();
	g_pHookFindResourceW = new HOOK_TRACE_INFO();
	g_pHookLockResource = new HOOK_TRACE_INFO();
	g_pHookSizeofResource = new HOOK_TRACE_INFO();

	g_pfnLoadResource		= (PFNLOADRESOURCE) GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadResource");
	g_pfnLockResource		= (PFNLOCKRESOURCE) GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LockResource");
	g_pfnSizeofResource		= (PFNSIZEOFRESOURCE) GetProcAddress(GetModuleHandle(L"kernel32.dll"), "SizeofResource");
	g_pfnFindResourceW		= (PFNFINDRESOURCEW) GetProcAddress(GetModuleHandle(L"kernel32.dll"), "FindResourceW");

	assert(g_pfnLoadResource);
	assert(g_pfnFindResourceW);
	assert(g_pfnSizeofResource);
	assert(g_pfnLockResource);

	INSTALLHOOK(g_pfnLoadResource, _LoadResource, g_pHookLoadResource);	
	INSTALLHOOK(g_pfnLockResource, _LockResource, g_pHookLockResource);
	INSTALLHOOK(g_pfnSizeofResource, _SizeofResource, g_pHookSizeofResource);
	INSTALLHOOK(g_pfnFindResourceW, _FindResourceW, g_pHookFindResourceW);

	LhSetInclusiveACL(ACLEntries, 1, g_pHookLoadResource);
	LhSetInclusiveACL(ACLEntries, 1, g_pHookFindResourceW);
	LhSetInclusiveACL(ACLEntries, 1, g_pHookLockResource);
	LhSetInclusiveACL(ACLEntries, 1, g_pHookSizeofResource);
}

extern "C"  __declspec(dllexport) 
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* rmi)
{
	InstallHooks();
	RhWakeUpProcess();	

}

 

 

Any ideas?

 

Thank you for such wonderful library.

 

Mar 4, 2011 at 4:03 AM

Found the culprit.

1) I was removing hooks in DLL_PROCESS_DETACH.

2) Forced to hook all threads by setting the ACL to (DWORD)-1 and LhSetExclusiveACL for all hooks.

 

:D