RhInjectLibrary takes about 15 sec

Jul 13, 2014 at 9:45 PM
Usually it takes much less, but I have one case when it takes 15 sec or more. Unmanaged code on both sides and unmanaged dll. EASYHOOK_INJECT_DEFAULT.

What can cause this?
Jul 14, 2014 at 2:36 PM
It seems that the delay is caused by the line:
Code = WaitForMultipleObjects(2, Handles, FALSE, INFINITE);
The NativeInjectionEntryPoint is also invoked 15 sec later.

Running in Administrator mode changes nothing. I also tried to put things like this:
SetThreadPriority(hRemoteThread, THREAD_PRIORITY_ABOVE_NORMAL);
ResumeThread(hRemoteThread);
but that changes nothing too.

If someone wants to try to reproduce, try any Origin game with "Origin overlay" enabled.
As I understand Origin in game overlay uses some form of hooking too, maybe there is a collision with easyhook.
Jul 14, 2014 at 7:05 PM
I found that HookCompleteInjection is also 15sec delayed, so it's happening somewhere after CreateRemoteThread exits and HookCompleteInjection is called.

I don't know how to debug the assembler code :(
Coordinator
Jul 15, 2014 at 9:24 AM
vertigo72 wrote:
I found that HookCompleteInjection is also 15sec delayed, so it's happening somewhere after CreateRemoteThread exits and HookCompleteInjection is called.

I don't know how to debug the assembler code :(
Debugging the ASM involves finding the address from the pointer ("RemoteInjectCode"), loading the disassembler view from Debug -> Windows and navigating to the address, and then inserting the breakpoint at the appropriate ASM line.

RemoteInjectCode will end up pointing at a copy of either Injection_ASM_x86 or Injection_ASM_x64 that has been inserted into the target processes memory. While stepping over these it is worth having the HookSpecific_x86/64.asm open and on this function so you can see the comments as you go. Finding which ASM line pauses will be beneficial in tracking down if something in there is the cause.