Hooking LoadLibrary Call
I want to load a different version of a DLL than is present in the working directory of the application. For this I need to hook the LoadLibrary call so that when the application makes a call to load the DLL I can substitute it with the newer version of that DLL transparently. I tried using NCodeHook and have the following code in my DLL, which I inject into the application using NInjectLib, but it crashes while loading kernel32.dll. Can anybody please tell me if this is the correct way of injecting the call or are there any other alternatives?
    // CodeHook.cpp : Defines the entry point for the DLL application.
    //
    #include "stdafx.h"
    #include <NCodeHookInstantiation.h>
    #include "CodeHook.h"

    #ifdef _MANAGED
    #pragma managed(push, off)
    #endif

    typedef HMODULE (WINAPI *LoadLibraryFPtr)(LPCTSTR dllName);

    #pragma data_seg("SHARED")
    LoadLibraryFPtr origFunc = NULL;
    #pragma data_seg()
    #pragma comment(linker, "/section:SHARED,RWS")

    HMODULE WINAPI LoadLibraryHook(LPCTSTR dllName)
    {
        // tell the truth
        if (origFunc != NULL)
        {
            return origFunc(dllName);
        }
        // no original function to forward to
        return NULL;
    }

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        return TRUE;
    }

    CODEHOOK_API void Initialize(void)
    {
        NCodeHookIA32 nch;
        origFunc = nch.createHookByName("kernel32.dll", "LoadLibrary", LoadLibraryHook);
    }

    #ifdef _MANAGED
    #pragma managed(pop)
    #endif
Hooking LoadLibrary Call
NInjectLib doesn't support injecting a dll into a suspended process right now. I'm not sure why this is the case. Injection works if done at the ProcessStart event of an attached debugger (IDAStealth works this way). However, it doesn't work if a process is started with the CREATE_SUSPENDED flag. I'll have to look into this. See this thread for an example.
I called the Initialize
I called the Initialize function in the DLL_PROCESS_ATTACH and still got the same error. Following is the output of the injected process -
'app.exe': Loaded 'D:\Bin\app.exe', Symbols loaded.
'app.exe': Loaded 'C:\WINDOWS\system32\ntdll.dll'
'app.exe': Loaded 'C:\WINDOWS\system32\kernel32.dll'
Debugger:: An unhandled non-continuable exception was thrown during process load
The thread 'Win32 Thread' (0x1188) has exited with code 0 (0x0).
Is there some issue with the code that I posted earlier?
If you can also point me to an example of something similar that would be helpful.
Hooking LoadLibrary Call
Since I don't know how you are injecting the dll I cannot answer your question. Keep in mind that NInjectLib, as of now, doesn't support injecting into a suspended process.
I am trying to inject the DLL
I am trying to inject the DLL using the method described in -
http://www.codeproject.com/KB/threads/completeinject.aspx
I also tried using the NInjectLib but the result is the same.
So I am thinking there might be some issue with the code that is trying to hook the LoadLibrary call as it seems to be crashing in kernel32.dll.
Hooking LoadLibrary Call
There is at least one issue with the code you posted earlier - you are setting a hook to a function which doesn't exist: LoadLibrary.
There are always two functions for every API which expects a string as one of its parameters, an ASCII and a Unicode version, i.e. LoadLibraryA / LoadLibraryW.
Besides, you should probably insert some OutputDebugString calls into your injected dll and check with an attached debugger where the code actually crashes.
Please understand that I cannot solve all the problems for you. I think you should make yourself familiar with the basic concepts first.
If you find bugs, however, I'll be glad to fix them.
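The check this answer describes, as an added example that is not part of the original thread or of NCodeHook: resolve the real export name (LoadLibraryA or LoadLibraryW) before installing a hook, and refuse when kernel32.dll exports nothing by that name. `resolve_hook_target` and `is_exported` are hypothetical helper names, and the non-Windows export list is constructed sample data.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#ifdef _WIN32
#include <windows.h>
// On Windows, ask the loader whether kernel32.dll really exports the name.
static bool is_exported(const char *name) {
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    return k32 != NULL && GetProcAddress(k32, name) != NULL;
}
#else
// Constructed stand-in for a few kernel32.dll exports, so the example
// also builds and runs on a non-Windows machine.
static const char *const kSampleExports[] = {
    "GetProcAddress", "LoadLibraryA", "LoadLibraryW",
    "LoadLibraryExA", "LoadLibraryExW"};
static bool is_exported(const char *name) {
    for (const char *e : kSampleExports)
        if (std::strcmp(e, name) == 0) return true;
    return false;
}
#endif

// Returns the export name to hook, or "" if nothing by that name exists.
// `wide` selects the W (UTF-16) variant; the hook's parameter type must
// match the variant chosen: LPCSTR for ...A, LPCWSTR for ...W.
std::string resolve_hook_target(const std::string &api, bool wide) {
    if (is_exported(api.c_str())) return api;     // name has no A/W split
    std::string suffixed = api + (wide ? "W" : "A");
    if (is_exported(suffixed.c_str())) return suffixed;
    return "";                                    // caller must not hook
}

int main() {
    const char *requests[] = {"LoadLibrary", "GetProcAddress", "NoSuchApi"};
    for (const char *r : requests) {
        std::string a = resolve_hook_target(r, false);
        std::string w = resolve_hook_target(r, true);
        std::printf("%-15s -> A: %-15s W: %s\n", r,
                    a.empty() ? "(not exported)" : a.c_str(),
                    w.empty() ? "(not exported)" : w.c_str());
    }
    return 0;
}
```

The plain name `LoadLibrary` only exists as a header macro that expands to one of the two exports depending on `UNICODE`, which is why a by-name lookup of it fails.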
Hooking LoadLibrary Call
See this thread for a working example which you can use unless there is a new version of the library