These are chat archives for EasyHook/EasyHook

3rd
May 2017
Nikolaj Mariager
@TinkerWorX
May 03 2017 19:15
Is there any way to hook a function in a dll before DllMain is called? What I have right now is a hook to LoadLibrary, and I immediately inject my hooks right after LoadLibrary is done loading the module. But anything called from DllMain isn't detected.
ultratrunks
@ultratrunks
May 03 2017 20:11
@spazzarama knows the most about this, however I'm pretty sure the answer to that is "no". I believe the reason for that is what's called "early loading", and you can never be sure which modules are loaded yet while you are in DllMain(). Which is why Microsoft recommends you do as little as possible in DllMain() and only call APIs out of kernel32.dll. I've learned from experience that if you get too fancy in DllMain() you just end up crashing the application. You may get away with it sometimes, but you may find that you are just getting lucky most of the time and winning the race condition, which means you could have sporadic instability later on. Why is it important for you to do this?
Nikolaj Mariager
@TinkerWorX
May 03 2017 20:16
Well, I'm hooking a function
When I add a breakpoint with a debugger, the breakpoint is hit every time, no problem.
But when I add a hook, nothing happens.
Only explanation I can think of is the hook isn't installed until after the calls.
ultratrunks
@ultratrunks
May 03 2017 20:34
Is the native app calling the function on its own, or are you trying to call it from within your injected dll?
Nikolaj Mariager
@TinkerWorX
May 03 2017 20:34
It's calling it on its own.
I'm just trying to extract some information from it.
ultratrunks
@ultratrunks
May 03 2017 20:35
Are you attaching the debugger manually after the application starts?
Nikolaj Mariager
@TinkerWorX
May 03 2017 20:35
It's attached while the process starts. Using IDA Pro.
ultratrunks
@ultratrunks
May 03 2017 20:36
No idea what that is, I've always just used VS to attach the debugger. Is it possible the function is already called before the debugger is attached?
Nikolaj Mariager
@TinkerWorX
May 03 2017 20:40
I'm not sure I follow. The debugger catches all calls, no problems. It's just my hooks that aren't working. I think I need to compare when I install the hooks with when my breakpoints are hit.
ultratrunks
@ultratrunks
May 03 2017 20:48
When you start an external application... for example notepad.exe... and you want to debug it, time does elapse between when notepad.exe starts and your debugger finally latches into it. I was just wondering if you knew that the call you are trying to hook happened BEFORE your debugger attached.
Nikolaj Mariager
@TinkerWorX
May 03 2017 20:49
Time doesn't have to elapse, you can launch a process with all threads paused, start the debugger, and then resume the threads.
It's what I do when installing hooks as well, to make sure I get in as early as possible. :P
ultratrunks
@ultratrunks
May 03 2017 21:22
I see, gotcha. Have you managed to hook anything from this application successfully?
Nikolaj Mariager
@TinkerWorX
May 03 2017 21:22
Yeah, plenty. It's just this one function. And tracing it back leads to the entry point, so it seems I obviously can't get anything when my hooks aren't installed until after DllMain is finished.
ultratrunks
@ultratrunks
May 03 2017 21:28
Hmm, well, that's a pickle. Well... for testing purposes have you considered AppInit_Dlls before?
It's a feature of Microsoft that will inject your DLL very early in a process's construction. Any process that loads User32.dll will have the DLL you specified injected. Could be a helpful experiment.
Justin Stenning
@spazzarama
May 03 2017 21:39
@TinkerWorX I can remember someone else having issues during dllmain as you are not meant to load any other dlls at this point. I can't remember all the details but check the issue history and this chat log
@TinkerWorX what threadacl are you setting?
Nikolaj Mariager
@TinkerWorX
May 03 2017 21:42
this.sub_6F04E470LocalHook.ThreadACL.SetExclusiveACL(new int[0]);
It's the one I use for everything else.
Justin Stenning
@spazzarama
May 03 2017 21:42
that means it will not intercept the current thread
0 ==> becomes GetCurrentThreadId
Nikolaj Mariager
@TinkerWorX
May 03 2017 21:43
I admit the ACLs have always confused me a bit. Any way to just intercept all?
Justin Stenning
@spazzarama
May 03 2017 21:43
I haven't tried a negative number before :)
-1 perhaps
with exclusive
Nikolaj Mariager
@TinkerWorX
May 03 2017 21:44
"perhaps" ? :P I thought you made most of this
Justin Stenning
@spazzarama
May 03 2017 21:45
I took over the project - um a long time ago now 2008? But I didn't write the threadacl stuff. I think a helper for InterceptAllThreads would be good, perhaps you could add a feature request for it (if it isn't there already)
took over sounds hostile, it had been abandoned and Chris was happy for me to continue his good work :)
Nikolaj Mariager
@TinkerWorX
May 03 2017 21:47
I might take a look. I often need to just hook everything, especially when tinkering.
Justin Stenning
@spazzarama
May 03 2017 21:48
anyway, it would explain why not hooked while still in dllmain or whatever u are doing