API-hooking question [SOLVED!] :)

ZX80
Enthusiast
Posts: 331
Joined: Mon Dec 12, 2016 1:37 pm

Re: API-hooking question [SOLVED!] :)

Post by ZX80 »

chi, thank you for the clarification. I just tried to follow a rule: if an EjectDLL procedure is provided, then it should be called before exit. Otherwise, it is unnecessary (pointless). There is no call to this procedure from anywhere else in the program. But... just a moment... This is not a reserved/service name like DetachProcess, which is called automatically at the end. In other words, if the target process dies, then everything else goes along with it. No need to care/worry about leaking resources, random bugs in the future, etc. Sorry for the tediousness. It just has no logic. There is code which is just ballast.
> The dll gets automatically detached when the program exits (DetachProcess).
I already understood it, but now it contains nothing (only a beep). If this can be called from the DetachProcess procedure, then the *func pointer must be sent to the DLL (the result of calling InjectDll).

Your opinion is important to me because you fixed the engine (this is stated in the header). And you probably know its mechanism well.
Also, I don't want it to look like a conversation between two people (a chat). Perhaps this is interesting only to me. It is also possible that other serious forum members receive a notification after each new message.

Therefore, if you don't want to reply, then I will understand it.
Thanks for everything anyway!
chi
Addict
Posts: 1034
Joined: Sat May 05, 2007 5:31 pm
Location: Linz, Austria

Re: API-hooking question [SOLVED!] :)

Post by chi »

Don't know if I understood correctly, but...

... you have 3 options:


1) DLL with AttachProcess()...Hook(...) + DetachProcess()...UnHook(...). Only call InjectDll: The dll gets injected, automatically calling AttachProcess, automatically calling DetachProcess on app close.

2) DLL with AttachProcess()...Hook(...) + DetachProcess()...UnHook(...). Call InjectDll + EjectDll: The dll gets injected, automatically calling AttachProcess, EjectDll automatically calling DetachProcess.

3) DLL with custom functions e.g. _Init()...Hook(...) + _Exit()...UnHook(...). Call InjectDll and CallRemoteFunction(... _Init), Call EjectDll and CallRemoteFunction(... _Exit): Same as (2) but with custom functions (with additional parameters). (If you declared AttachProcess/DetachProcess, both functions are also called...)


With (1) you can close the injector app after injecting... (2) + (3) need the injector/ejector app open until you eject.



Note to self: Don't name your DLL "dll.dll"! I was not able to CallRemoteFunction() _Init + _Exit successfully unless I changed the name to "mydll.dll"
Et cetera is my worst enemy
ZX80
Enthusiast
Posts: 331
Joined: Mon Dec 12, 2016 1:37 pm

Re: API-hooking question [SOLVED!] :)

Post by ZX80 »

> Don't know if I understood correctly
I'm afraid not.
OK, I'll give it one more try. To all: I'm so sorry (last attempt).

The fact is that I don't know what's inside AttachThread or what it does. It's just a black box. I suspect... No, not like this (wrong). I'm sure AttachThread is not equivalent to InjectDll (the same goes for the DetachProcess and EjectDLL pair). The documentation just tells me that this is a special routine that starts automatically, and that these 4 names are reserved and cannot be used otherwise. That's all. Thus, if the special procedure DetachProcess does not contain a line that calls the EjectDLL procedure from the engine, then it will never be called by itself (automatically). That's all I wanted to say.
But even if you do it, it won't work, because the DLL cannot extract itself from the process. I think so. Therefore, I keep the injector always on (for the entire duration of the target process). This is the reason that I call the EjectDLL procedure from the injector (as shown in the example by the author himself). Peyman, thank you very much!
> Don't name your DLL "dll.dll"!
Thank you, this is an important note. Of course. This case reminds me of the same conflict when naming bat files. Don't give bat files names similar to commands. Never!

I found this very useful. Please take a look. Perhaps this will be useful for you too.


Best regards, ZX80.
chi
Addict
Posts: 1034
Joined: Sat May 05, 2007 5:31 pm
Location: Linz, Austria

Re: API-hooking question [SOLVED!] :)

Post by chi »

Et cetera is my worst enemy