 Post subject: Re: API-hooking question [SOLVED!] :)
PostPosted: Mon Sep 21, 2020 5:37 pm 
Enthusiast

Joined: Mon Dec 12, 2016 1:37 pm
Posts: 145
chi, thank you for the clarification. I just tried to follow a rule: if an EjectDLL procedure is provided, then it should be called before exit. Otherwise, it is unnecessary (pointless). There is no call to this procedure from anywhere else in the program. But... just a moment... This is not a reserved/service name like DetachProcess, which is called automatically at the end. In other words, if the target process dies, then everything else dies along with it. No need to care/worry about leaked resources, random bugs in the future, etc. Sorry for the tediousness. It just has no logic. There is code which is just ballast.
Quote:
The dll gets automatically detached when the program exit (DetachProcess).

I already understood it, but now it contains nothing (only a beep). If this can be called from the DetachProcess procedure, then the *func pointer must be sent to the DLL (the result of calling InjectDll).

Your opinion is important to me because you fixed the engine (this is stated in the header). And you probably know its mechanism well.
Also, I don't want it to look like a conversation between two people (chat). Perhaps this is interesting only for me. It is also possible that other serious forum members receive a notification after each new message.

Therefore, if you don't want to reply, then I will understand it.
Thanks for everything anyway!


 Post subject: Re: API-hooking question [SOLVED!] :)
PostPosted: Mon Sep 21, 2020 10:09 pm 
Enthusiast

Joined: Sat May 05, 2007 5:31 pm
Posts: 767
Location: Linz, Austria
Don't know if I understood correctly, but...

... you have 3 options:


1) DLL with AttachProcess()...Hook(...) + DetachProcess()...UnHook(...). Only call InjectDll: The dll gets injected, automatically calling AttachProcess, automatically calling DetachProcess on app close.

2) DLL with AttachProcess()...Hook(...) + DetachProcess()...UnHook(...). Call InjectDll + EjectDll: The dll gets injected, automatically calling AttachProcess, EjectDll automatically calling DetachProcess.

3) DLL with custom functions e.g. _Init()...Hook(...) + _Exit()...UnHook(...). Call InjectDll and CallRemoteFunction(... _Init), Call EjectDll and CallRemoteFunction(... _Exit): Same as (2) but with custom functions (with additional parameters). (If you declared AttachProcess/DetachProcess, both functions are also called...)


With (1) you can close the injector app after injecting... (2) + (3) need the injector/ejector app open until you eject.

Note to self: Don't name your DLL "dll.dll"! I was not able to CallRemoteFunction() _Init + _Exit successfully unless I changed the name to "mydll.dll".

_________________
Et cetera is my worst enemy


 Post subject: Re: API-hooking question [SOLVED!] :)
PostPosted: Tue Sep 22, 2020 8:56 am 
Enthusiast

Joined: Mon Dec 12, 2016 1:37 pm
Posts: 145
Quote:
Don't know if I understood correctly

I'm afraid not.
OK, I'll make one more try. To all: I'm so sorry (last attempt).

The fact is that I don't know what's inside AttachThread, or what it does. It's just a black box. I suspect... No, not like this (wrong). I'm sure AttachThread is not equivalent to InjectDll (the same goes for the DetachProcess and EjectDLL pair). The documentation just tells me that this is a special routine that starts automatically. And these 4 names are reserved and cannot be used otherwise. That's all. Thus, if the special procedure DetachProcess does not contain a line calling the EjectDLL procedure from the engine, then it will never be called by itself (automatically). That's all I wanted to say.
But even if you do it, it won't work, because the DLL cannot extract itself from the process. I think so. Therefore, I keep the injector always on (for the entire duration of the target process). This is the reason that I call the EjectDLL procedure from the injector (as shown in the example by the author himself). Peyman, thank you very much!

Quote:
Don't name your DLL "dll.dll"!

Thank you, this is an important note. Of course. This case reminds me of the same conflict when naming bat files. Don't give bat files names similar to commands. Never!

I found this very useful. Please take a look. Perhaps this will be useful for you too.


Best regards, ZX80.


 Post subject: Re: API-hooking question [SOLVED!] :)
PostPosted: Thu Sep 24, 2020 4:43 pm 
Enthusiast

Joined: Sat May 05, 2007 5:31 pm
Posts: 767
Location: Linz, Austria
Worth reading ;) https://docs.microsoft.com/en-us/window ... ls/dllmain

_________________
Et cetera is my worst enemy

