Hooking CreateRemoteThread [modified]
-
I seem to have an abundance of questions at this time of year. :laugh: Anyways, I have a CreateRemoteThread hook that refuses to work. Here's the code:

HANDLE WINAPI MyCreateRemoteThread(HANDLE hProcess,
                                   LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                   SIZE_T dwStackSize,
                                   LPTHREAD_START_ROUTINE lpStartAddress,
                                   LPVOID lpParameter,
                                   DWORD dwCreationFlags,
                                   LPDWORD lpThreadId)
{
    if (GetpIDFromHandle(hProcess) == SelfpID) {
        /* Target is our own process: refuse and report access denied */
        SetLastError(ERROR_ACCESS_DENIED);
        return NULL;
    }
    else {
        /* Call real CreateRemoteThread and return normally.
           RealCreateRemoteThread is assumed to be the pointer to the original
           function saved when the hook was installed. */
        return RealCreateRemoteThread(hProcess, lpThreadAttributes, dwStackSize,
                                      lpStartAddress, lpParameter,
                                      dwCreationFlags, lpThreadId);
    }
}

This format seems to work for every other function I've thought of so far (the ones in KERNEL32.DLL, at least), but it doesn't work for CreateRemoteThread. Sure, the hook is reached, and if another process is trying to create a thread in my process's context the SetLastError is executed, but then the calling process crashes. I thought it was a problem with the calling process at first (I wrote one just to test), so I took another program that uses CreateRemoteThread and it crashed too. Is there anything wrong with my code? Thanks in advance.

EDIT: Clarification - GetpIDFromHandle returns the process ID given a process handle (this works perfectly fine) and SelfpID is a global variable containing the self process ID.
modified on Sunday, November 15, 2009 11:34 PM
-
hxhl95 wrote:
Sure, the hook is reached and if another process is trying to create a thread in my process's context
How is that possible? If you are installing a hook for this API in your process, the hook function will only be called if you call CreateRemoteThread() from your process. If some other process calls CreateRemoteThread into your process context, there is no way for the above API hook to execute... isn't it?
nave [My Articles] [My Blog]
-
hxhl95 wrote:
it's working.
:confused: Let me clarify your question. Process A installs a hook for the API CreateRemoteThread() in its process context. Process B tries to create a remote thread in "Process A". At this time you are telling me that the hook function you installed is getting executed?
nave [My Articles] [My Blog]
-
Process A: Installs a system-wide hook for CreateRemoteThread().
Process B: Calls CreateRemoteThread in "Process A".
My installed hook function gets executed, but returning NULL causes Process B to crash. Any other calls to CreateRemoteThread that don't involve Process A are fine.
-
OK, that makes sense :) So what does the function GetpIDFromHandle() do? Also, is the variable SelfpID some shared variable? When the crash occurs, didn't you get the call stack?
nave [My Articles] [My Blog]
Sorry, I failed to clarify that. GetpIDFromHandle returns a process ID given a process handle; SelfpID is the process ID of Process A (since when the hooked function is reached, calls to GetCurrentProcessId will only return the pID of the caller, not Process A). I'll get a dump of the call stack after I get back home. :)
-
hxhl95 wrote:
since when the hooked function is reached, calls to GetCurrentProcessId will only return the pID of the caller, not Process A
You could use GetProcessId().
nave [My Articles] [My Blog]