Hooking misses first few calls

Jun 15, 2009 at 3:20 PM


I wanted to know does dll ijnection misses the first few calls to an API when a new process starts up.

It is happening in my case


Any help will be appreciated.


Jun 16, 2009 at 3:08 AM

It does happen.  The call to RtlCreateSuspendedProcess create a suspended target process (with a suspended main thread.  I call it 1st thread) and wait for the host to create the hooking thread (I call it 2nd thread) by CreateRemoteThread.  It happens that some application do has a 3rd (or 4th...) thread running before the hooking thread (2nd thread) start.  One example is cl.exe from Visual Studio.  I don't know about its mechanism.  Anyone can help?