CreateAndInject doesn't properly hook managed process.

Jan 28, 2009 at 1:20 AM
I have am using EasyHook to hook Direct3DCreate9 in D3D9.DLL.  If I hook an unmanaged C++ game the hook succeeds and the game works as expected (right now I'm not doing anything with the hook other than writing out a log line).  However, if I try to hook a managed game written in C# using either SlimDX (a C# wrapper around Direct3D) or an XNA game (XNA is a high level wrapper around D3D) my hooking application hangs on the call to EasyHook.RemoteHooking.CreateAndInject (it never returns) and the game launches and runs normally (I'm not sure if it is hooked or not, but I'm guessing not).

If I exit the game EasyHook.RemoteHooking.CreateAndInject will throw an exception saying that it couldn't find the target process (because it's now closed).

Just like in the sample FileMon application my program's EasyHook.IEntryPoint class's Run function calls EasyHook.LocalHook.Create(...), then ThreadACL.SetExclusiveACL(...), then EasyHook.RemoteHooking.WakeUpProcess().

I'm not sure how the process is running if the hook is never installed (since it should never wake up).
Feb 12, 2009 at 7:14 PM
A quick bump to see if anyone knows of a solution to this problem as it's still plaguing me.
Feb 14, 2009 at 1:22 AM
You are not the only person with this issue. I'm using a unmanaged module with unmanaged API, and the function CreateAndInject hung on the line WaitForMultipleObject after creating remote thread to target process. If you close the target process, your application will continue executing.

As what Chris suggested, can you try the sample application and see if the sample has the same issue?
Feb 14, 2009 at 2:01 AM
I later found out that this is a known issue listed in the issue tracker here on this site:
Feb 17, 2009 at 5:54 PM
Hmm I will probably try to fix this in the next days if I can find some time. I have to admit that I never tried to use CreateAndInject for managed applications. ;-)
Mar 5, 2009 at 9:41 AM
I couldn't get it to work either, but I just assumed my target was being belligerent.
Mar 5, 2009 at 1:47 PM
I have no time for EasyHook these days...

Also I have no clue where the bug could be. I think it has something to do with the way managed processes are initialized. But I don't see a reason why CreateAndInject should hang. Can you exactly determine the source code line where CreateAndInject starts to hang???

Mar 5, 2009 at 11:22 PM
Is the source code for EasyHook available in a repository somewhere so I could potentially check it out and post a patch for it if I fix this?  There are a couple change I have made to EasyHook that I wouldn't mind sharing if there were an easy way to commit a patch (I would rather not have to go through all the trouble of manually diffing and such).
Mar 6, 2009 at 6:01 PM
Edited Mar 6, 2009 at 6:08 PM
There is only one bug left so far. I will fix it today and release a first Stable preview tomorrow...

The problem you have with managed suspended process creation is not trivial. I don't see any chances for a solution!
NET seems to "hijack" the first active thread in a process regardless whether you created multiple suspended thread. NET will always hijack the one you resume, so there is simply no chance to execute easyhook first. Of course you could let run a thread for 100ms and suspend it. Then you would probably get what you want but this sounds like a very unstable/unreliable solution.
Mar 6, 2009 at 6:06 PM
Uh I think I got it right while I was typing ;-)...

I will just add another code block the the easyhook services and use them as a trampoline. Fortunately NET executables always have an exported main method. This way we can just execute the target in a wrapper which waits for RhWakeUpProcess() and then invokes the original main method of the target. My one and only idea to solve this issue!
Mar 6, 2009 at 6:11 PM
Back to your patches. Please visit the latest release (there is currently no file attached) and check whether your patches will fix bugs that are not in the list. Do you also have new features?
Mar 6, 2009 at 11:52 PM
It looks like other than the administrative rights issue and some solution/project changes (to make it easier for me to debug EasyHook while using another solution) you have all the fixes I have.