WriteProcessMemory(hProc, RemoteInjectCode, GetInjectionPtr(), ...). The location is "RemoteInjectCode", so find that location within the target process, open the disassembler and add a breakpoint. That code will be executed by a later call to NtCreateThreadEx.
[UnmanagedFunctionPointer(CallingConvention.ThisCall, SetLastError = true, CharSet = CharSet.Unicode)]
[return: MarshalAs(UnmanagedType.Bool)]
delegate bool SmflAudio2_SoundBuffer_loadFromFile(IntPtr self, IntPtr filename);
On the C++ side the code looks like:
// start and inject into a new process
EasyHook.RemoteHooking.CreateAndInject(
    targetExe,           // executable to run
    targetArg,           // command line arguments for target
    0,                   // additional process creation flags to pass to CreateProcess
    EasyHook.InjectionOptions.DoNotRequireStrongName, // allow injectionLibrary to be unsigned
    injectionRegLibrary, // 32-bit library to inject (if target is 32-bit)
    injectionRegLibrary, // 64-bit library to inject (if target is 64-bit)
    out targetPID,       // retrieve the newly created process ID
    regChannelName       // the parameters to pass into injected library
    // ...
);
I'm using the latest EasyHook dll (32 and 64 v2.7.6789.0) and I'm hooking the WriteConsoleW API successfully on Windows 7. I'm using the same 64-bit dll on Windows 10 and my dll is injected successfully, but my hooked function is never called when running on Windows 10.
LhInstallHook returned successfully when hooking WriteConsoleW from kernel32.dll.
The process that I'm trying to hook is cmd.exe on Windows 10.
I debugged the process after my dll was injected and saw that the WindowsConsoleW entry does not contain the trampoline code to point to my WriteConsoleW function.
What can be the problem?
How can I debug it?
Any input on this would be appreciated!