Not getting all calls from WindowMove function hook

Apr 28, 2014 at 8:29 AM
Hi,

I'm using EasyHook 2.7 and I use FileZilla for my testings, and I'm getting a weird behavior when I try to hook to the "WindowMove" function found in the User32.dll.

The weird behavior is that I do not get all calls to the WindowMove function that are made inside the process.
When I launch the application from Rohitab's WinApiMonitor I see a lot more calls than I get to my hook.

I'm not sure why is there a difference, and whether it is a bug or not.
My guess is that FileZilla somehow "remembers" the original address for the WindowMove function and calls it directly without passing through the hook's delegate.

If this is indeed the case, is there something I can do about it? If not, what a I doing wrong?

This is how I create the hook:
CreateHook("User32.dll", "MoveWindow", gcnew MoveWindowDelegate(this, &Hookers::MoveWindowImpl), this);


    void Hookers::CreateHook(String^ moduleName, String^ apiName, Delegate^ hookImpl, Object^ callback)
    {
        IntPtr targetAPI = IntPtr::Zero;

        targetAPI = EasyHook::LocalHook::GetProcAddress(moduleName, apiName);

        if(targetAPI != IntPtr::Zero)
        {
            EasyHook::LocalHook^ hook = EasyHook::LocalHook::Create(targetAPI, hookImpl, callback);
            hook->ThreadACL->SetExclusiveACL(gcnew array<Int32> {0});
            s_hooks->Add(hook);
        }
    }
I use CreateAndInject from EasyHook in order to start the process.

Here is a link for a the sample application that I used:
EasyHookTestingCopy

Thanks in advance,
Tal