Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
Repo info
  • 16:06
    abdullahtoqeer523 opened #317
  • Jan 15 06:53
    abdullahtoqeer523 commented #310
  • Jan 12 18:55
    xmoer closed #276
  • Jan 11 11:55
    spazzarama closed #311
  • Jan 11 11:54
    spazzarama closed #316
  • Jan 11 11:54
    spazzarama commented #316
  • Jan 11 06:37
    nkrapivin opened #316
  • Dec 17 2019 20:18
    spazzarama commented #315
  • Dec 17 2019 20:18
    spazzarama closed #315
  • Dec 17 2019 20:18
    spazzarama commented #315
  • Dec 17 2019 10:51
    etomm opened #315
  • Dec 04 2019 06:34
    wuwangbang commented #275
  • Oct 24 2019 01:26
    MuffinMario commented #260
  • Oct 17 2019 15:53
    sajid36 commented #314
  • Oct 17 2019 15:46
    sajid36 opened #314
  • Oct 11 2019 19:35
    fmiceli24 commented #313
  • Oct 11 2019 17:40
    fmiceli24 commented #313
  • Oct 10 2019 19:12
    fmiceli24 edited #313
  • Oct 10 2019 19:11
    fmiceli24 opened #313
  • Oct 10 2019 03:39
    daxiongok commented #121
@spazzarama I want to use olydb64 to analyze the problem. But hooked method will be canceled. Actually I was a web developer.
I am very fresher guy in the C# area.
You should be busy on some your own problems.
Can you please tell me how to anlayze the problem ? like debug or other tricky methods.
@spazzarama have a nice day
-_-~~~ Anybody online ?
@MechanicalPen I find you have got the same problem. can you please help on self pointer?
Jerome Haltom
When using EasyHook I consistently get the maanged debugging assistant. Is this normal?
@suncodeer If you are hooking into a c++ method of an object, the first memory location is a pointer to the object.
not sure if that is your actual problem but it's what I had to do to get mine working. It looks like:
    [UnmanagedFunctionPointer(CallingConvention.ThisCall, SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    delegate bool SmflAudio2_SoundBuffer_loadFromFile(IntPtr self, IntPtr filename);

on the c++ side the code looks like;

sf::SoundBuffer buffer; buffer.loadFromFile("sound.wav");

How does one convert a project which uses Easyhook (v2.7.6684) to (v2.7.6789)?
Justin Stenning
6789 is a bug fix release, just update the package from Nuget.
Many thanks Justin, I'll try it! Cheers!
I get his error message, that it is not digitally signed?
\packages\EasyHook.2.7.6789\tools\install.ps1 is not digitally signed. The script will not execute on the system. For more information, see about_Execution_Policies at
At line:1 char:3
  • & 'D:\test100\Source (Zhook 2.7.6684 - WinFS v180906)\Win-FS-Reg-Redirect\packag ...
  • ~~~~~~~~~~~~~~~~
    • CategoryInfo : SecurityError: (:) [], PSSecurityException
    • FullyQualifiedErrorId : UnauthorizedAccess
I was still able to build, but with this newer Easyhook library I now get this error (never got this error on the older 6684 version), would it be because of the lack of digital signature?
There was an error while injecting into target:
System.ApplicationException: STATUS_INTERNAL_ERROR: Unknown error in injected C++ completion routine. (Code: 15)
at EasyHook.RemoteHooking.CreateAndInject(String InEXEPath, String InCommandLine, Int32 InProcessCreationFlags, InjectionOptions InOptions, String InLibraryPath_x86, String InLibraryPath_x64, Int32& OutProcessId, Object[] InPassThruArgs)
at test1.Program.Main(String[] args) in D:\projects\test1\Program.cs:line 57
This is line 57, which hasn't changed from v2.7.6684, which use to work??
                    // start and inject into a new process
                        targetExe, // executable to run
                        targetArg, // command line arguments for target
                        0, // additional process creation flags to pass to CreateProcess
                        EasyHook.InjectionOptions.DoNotRequireStrongName, // allow injectionLibrary to be unsigned
                        injectionRegLibrary, // 32-bit library to inject (if target is 32-bit)
                        injectionRegLibrary, // 64-bit library to inject (if target is 64-bit)
                        out targetPID, // retrieve the newly created process ID
                        regChannelName // the parameters to pass into injected library
                                       // ...
Never mind, I got it to work out for me! I am a newbie at this and I just learned a great deal about "Set-ExecutionPolicy Unrestricted -Scope Process -Force" and "Update-Package -Reinstall"! Thank you for helping me out on my adventure. :)
Patricio Ferraggi
Is There a way to change the place where you drop the libraries? unless I have them all the in root of my client application
it justs fails on injection
even if I pass the address as a parameter


I'm using the latest EasyHook dll (32 and 64 v2.7.6789.0 ) and I'm hooking WriteConsoleW API successfully on Windows 7. I'm using the same 64 bit dll on Windows 10 and my dll is injected successfully but my hooked function is never called when running on Windows 10.
The LhInstallHook returned successfully when hooked WriteConsoleW from kernel32.dll
The process that I'm trying to hook is cmd.exe on Windows 10.
I debugged the process after my dll was injected and saw that the WindowsConsoleW entry does not contain the trampoline code to point to my WriteConsoleW function.

What can be the problem?
How can I debug it?

Any input on this would be appreciated!


I'm using unmanaged code in c++
Hey, I just read the tutorials, but I'm a bit confused. The ServerInterface stuff is compiled in the injectable dll but then it seems to be running in the host for the message output? Am I getting this right?
How would I go about getting the data back to the main process that did the injection?
I guess I could make a static list and poll it for data or?
I must be missing something here...
Wait.. so the interface can be made host-side?
And then... the dll depends on the exe for it? O___O
What sorcery is this...
Ok, I think I found what I wanted
Justin Stenning
The dll that is injected is connecting to the IPC channel that is created in the host. The example filemon is more confusing as it doesn’t have the interface separated into another assembly and then the injected code is referencing the exe as if it is an assembly (which in .net it is but still confusing :)
@tostercx above
direct3dhook project on GitHub provides a clearer example if you want to check another one - also it uses a bi-directional IPC setup
Thanks, will do :)
Justin Stenning
@Raagh there is a path setting in Config, but I can’t remember if that is something that can be changed by you or needs a recompile.
I wrote an application that's designed to hook another at startup, and attempt to properly unhook when the app window is closed. Using Process Explorer, I can see a variety of DLLs (including my payload DLL) get loaded into the target process as expected, however when closing the app window, I see a lot, but not ALL, of those DLLs get unloaded. I still see EasyHook32.dll, and EasyLoad32.dll (twice for some reason), listed as loaded into the target process. Am I not disconnecting/unloading correctly, or is this a limitation of EasyHook?
Im having trouble installing multiple hooks in C++, CreateFile works, but None of the registry functions seem to work
Franco Miceli
Hi. I am having an issue where the NativeInjectionEntryPoint is being called after many DLLs are loaded by the program. Is there a way to inject my hooks before any other DLL gets loaded? I have already tested this with CreateProcess(CREATE_SUSPENDED) -> RhInjectLibrary() -> ResumeThread() and also with RhCreateAndInject() -> RhWakeUpProcess(). But the other DLLs get loaded before and cannot intervene them. Is there a way I can hook the process by being the first DLL loaded/injected? Thanks!
Franco Miceli
I have checked this behavior both with APIMonitor and ProcessMonitor
Justin Stenning
@fmiceli24 I’ve replied to your issue, basically that is what RhCreateAndInject is for. When and where do you call RhWakeUpProcess?
Franco Miceli
I call RhWakeUpProcess right after all hooks are installed within NativeInjectionEntryPoint.
doesnt look like anyone uses this but im trying to inject a c++ dll using c# however i keep getting badimageformat
the dll injects and works fine with any public injector btw even my own coded in c++
Justin Stenning
@Icesythe7 you will need to use the native exports directly instead of the managed helper, otherwise it will assume a managed assembly
Ie RhInstallLibrary/Ex in NativeAPI namespace - check docs
@fmiceli24 and are you using RhCreateAndInject?