If you want to hook some APIs in another process (e.g. Notepad) or if you want to do system-wide API hooking, you have to write a little DLL which does all the hooking work. This DLL then needs to be loaded into the target process(es) to do its work there. There's no official Win32 API to inject a DLL into another process. Windows does offer some ways to get a DLL loaded into a foreign process, but they all come with their own share of problems.
Just to mention one, "SetWindowsHookEx()" is often (mis)used for injecting DLLs, but doing so has the following disadvantages: (1) It affects performance, because you have to set up a real message hook, which then gets called all the time, although you are not interested in the results at all. (2) It works only for processes which process window messages, and not all processes do so. For example, most console applications don't. (3) It works only if the target process is not blocked, frozen or crashed. (4) The DLL might be loaded into the target process later than expected, so you might miss some important API calls. (5) It doesn't work for system processes.
madCodeHook offers various injection related APIs, which work without any of the mentioned disadvantages.
The "CreateProcessEx" function basically works exactly like the well known Windows API "CreateProcess". But it has one additional parameter that lets you specify a DLL which you want to have injected into the to-be-started process. When called, "CreateProcessEx" starts the specified process, but patches it in such a way that it behaves as if it had a "LoadLibrary" call right in the first line of its source code. Because the injected DLL is loaded before the process executes any of its own code, none of the target's early API calls are missed.
A 64-bit process can use this API to start both 32-bit and 64-bit processes. Unfortunately, due to limitations in the Win32 API, this function doesn't allow you to create a 64-bit process from within a 32-bit process. The underlying Win32 API "CreateProcess" itself does support starting a 64-bit process from a 32-bit one, but the DLL injection part doesn't work, because a 32-bit process has only limited access to a 64-bit process. So if you want to use CreateProcessEx for starting a 64-bit process, your own process must be 64-bit, too.
The bitness (32-bit or 64-bit) of the hook DLL *always* needs to match the bitness of the target process. Otherwise CreateProcessExA/W will fail.
The function "InjectLibrary" is able to inject your DLL into one specific, already running 32-bit or 64-bit process. You can inject 32-bit DLLs into 32-bit processes and 64-bit DLLs into 64-bit processes. Don't worry, you can't do anything wrong here: madCodeHook will simply refuse to inject a DLL whose bitness doesn't match the target process.
If you call this API from inside a 32-bit process, you cannot inject into 64-bit processes. If you call this API from inside a 64-bit process, you can inject hook DLLs into both 32-bit and 64-bit processes. The bitness of the DLL and of the target process must always match, though.
You can also inject your hook DLL system-wide (or session-wide). This works only if you have administrator rights, though. System-wide DLL injection generally consists of two separate parts:
(1) Injection into already running processes and
(2) automatic injection into newly created processes.
Automatic injection into newly created processes is handled by a little kernel mode driver. This driver is available as an external file (or rather two files, one for 32-bit OSs and one for 64-bit OSs). You need to configure this driver and sign it afterwards, otherwise it won't load. After you've done that, your program needs to "activate" the driver by calling the driver activation APIs, all of which need admin rights.
Once the injection driver has been activated (see above), you can call the system-wide injection APIs to inject your hook DLL system-wide or session-wide. If you call these APIs from within a 32-bit process, you can only inject 32-bit hook DLLs. If you call these APIs from within a 64-bit process, you can inject both 32-bit and 64-bit DLLs. As with CreateProcessEx and InjectLibrary, the bitness of the hook DLL must match the bitness of each process it ends up in.
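The bitness rules stated for CreateProcessEx, InjectLibrary and the system-wide injection APIs above are easy to get wrong when a tool ships both a 32-bit and a 64-bit hook DLL. The following is an added example (not madCodeHook code and not part of the original documentation) that checks them before any injection is attempted: it reads the COFF Machine field from the hook DLL's PE header, determines the injecting process's own bitness, optionally asks Windows for a running target's bitness, and then applies the rules from the text. The minimal PE headers built by fake_pe() are constructed test data, not real DLLs; target_bitness() only works on Windows and uses the standard Win32 APIs OpenProcess and IsWow64Process, not any madCodeHook function.

```python
"""Pre-flight bitness checks for DLL injection (added example, not madCodeHook code).

Assumptions: fake_pe() builds constructed header-only test data, not a real DLL;
target_bitness() is Windows-only and uses plain Win32 (OpenProcess/IsWow64Process).
"""
import os
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C    # COFF Machine value for 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664   # COFF Machine value for x64


def pe_bitness(image):
    """Return 32 or 64 from the COFF Machine field of a PE image prefix.

    Only the DOS header, e_lfanew, the 'PE\\0\\0' signature and the first two
    bytes of the file header are inspected, so a short prefix is sufficient.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if len(image) < e_lfanew + 6 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", image, e_lfanew + 4)[0]
    if machine == IMAGE_FILE_MACHINE_I386:
        return 32
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return 64
    raise ValueError("unsupported Machine value 0x%04x" % machine)


def dll_bitness(path):
    """Bitness of an on-disk DLL, reading only the headers it needs."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40:
            raise ValueError("file too short for a DOS header")
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        f.seek(e_lfanew)
        return pe_bitness(head.ljust(e_lfanew, b"\0") + f.read(6))


def own_bitness():
    """Bitness of the calling (injecting) process: pointer size in bits."""
    return struct.calcsize("P") * 8


def target_bitness(pid):
    """Windows only: bitness of a running process via IsWow64Process."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.IsWow64Process.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.BOOL)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        wow64 = wintypes.BOOL()
        if not k32.IsWow64Process(h, ctypes.byref(wow64)):
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        k32.CloseHandle(h)
    if wow64.value:
        return 32                       # 32-bit process running under WOW64
    # Not WOW64: the process is native, so it has the OS's bitness.
    arch = os.environ.get("PROCESSOR_ARCHITEW6432") or os.environ.get("PROCESSOR_ARCHITECTURE", "")
    return 64 if arch.endswith("64") else 32


def injection_allowed(injector_bits, target_bits, dll_bits):
    """Rules from the text: the DLL must match the target, and a 32-bit injector
    cannot reach a 64-bit target (CreateProcessEx, InjectLibrary and the
    system-wide APIs alike). Returns (ok, reason)."""
    if dll_bits != target_bits:
        return False, "hook DLL is %d-bit but target is %d-bit" % (dll_bits, target_bits)
    if injector_bits == 32 and target_bits == 64:
        return False, "a 32-bit injector cannot inject into a 64-bit process; use a 64-bit injector"
    return True, "ok"


def fake_pe(machine):
    """Constructed minimal PE prefix (DOS header + signature + Machine); test data only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine)


if __name__ == "__main__":
    # Usage: python inject_check.py hook.dll [pid]   (pid lookup works on Windows only)
    dll = dll_bitness(sys.argv[1])
    tgt = target_bitness(int(sys.argv[2])) if len(sys.argv) > 2 else own_bitness()
    ok, why = injection_allowed(own_bitness(), tgt, dll)
    print("injector=%d target=%d dll=%d -> %s" % (own_bitness(), tgt, dll, why))
    sys.exit(0 if ok else 1)
```

Running the check from a 64-bit injector against a 32-bit target with the 32-bit hook DLL passes; the same call with the 64-bit DLL fails, as does any attempt to inject into a 64-bit process from a 32-bit injector, which matches what madCodeHook itself enforces. Note that IsWow64Process only answers "is this a 32-bit process on a 64-bit OS"; the native-OS fallback via PROCESSOR_ARCHITEW6432/PROCESSOR_ARCHITECTURE is how the example tells a native 64-bit target from a native 32-bit one.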