Hooking misses first few calls

Jun 15, 2009 at 3:20 PM

Hi,

I wanted to know does dll ijnection misses the first few calls to an API when a new process starts up.

It is happening in my case

Thanks,

Any help will be appreciated.

 

Jun 16, 2009 at 3:08 AM

It does happen.  The call to RtlCreateSuspendedProcess create a suspended target process (with a suspended main thread.  I call it 1st thread) and wait for the host to create the hooking thread (I call it 2nd thread) by CreateRemoteThread.  It happens that some application do has a 3rd (or 4th...) thread running before the hooking thread (2nd thread) start.  One example is cl.exe from Visual Studio.  I don't know about its mechanism.  Anyone can help?