More on code injection


garph0
November 30th, 2000, 20:44
I managed to complete the API hooking project I was talking about some time ago.
I use this technique:
1) prepare a memory mapped file with the code I want to execute in it
2) run the target process suspended
3) copy the code at the program entry point into the MMF
4) overwrite the code at the program entry point with some code that maps the MMF by name and jumps into it
5) resume the program

This works fine, and I wish to thank killexx a lot.
But for some programs I get "Application was not correctly initialized" as soon as I start this work...
Killexx told me that it is a PE loader problem, so I thought I could avoid this by injecting the code at run-time.
This is pretty much like the previous technique, but:
1) I freeze the process main thread,
2) I save the CONTEXT
3) I do the operations as previously described
4) I fix CONTEXT.EIP to the program EP
5) I resume the thread

The code injected this time will not jump back to the PEP after having put back the original code, but will:
a) launch another thread and enter a loop
b) this new thread will suspend the first one
c) will put back the original CONTEXT
d) will resume the original thread

Ok. All this seems to work! The pain comes as soon as I want to close the second thread (the one generated just to fix the main thread):
- if I use a ret it will obviously fall back into nonsense crap somewhere in memory
- I cannot simply freeze it, 'cause it seems that Windows doesn't like it too much (I have read that for correct message handling every thread needs to run for a little now and then), and anyway I'd prefer to close it
- a call to ExitThread() doesn't seem to work...

Does anybody have an idea?

Thank you very much

garph0

PS: I know about CreateRemoteThread, but I want all this to work under win9x as well

kill3xx
December 1st, 2000, 09:54
hi,

Quote:
garph0 (11-30-2000 09:46):
Killexx told me that it is a PE loader problem, so I thought I could avoid this by injecting the code at run-time.

Well.. probably my mail wasn't too clear (maybe too simplified) on this subject: strictly speaking it's not a problem of the PE loader (win2k) itself:
AFAIK (from personal investigation of ntoskrnl, books, some threads in the comp.xxx.nt.../ms.public.xx.kernel newsgroups, ReactOS source snooping, etc..) the guilt for problems with remote threads, CREATE_SUSPENDED, should be equally charged to CSRSS, SMSS, and the executive (NtCreateXX and Ldrxx) thread finalization code (mostly APC delivering and LPC ApiPort registration).
So I tend to summarize the problem as a PE loader problem since it actually fails to load/resolve the modules correctly.

As for the problems you've got with injected code/threads under win9x, I continue to think that you've missed something in the register/stack restoration in the ret to OEP.. ehm, no, I've not tested your code with xircon =) no time atm..

Quote:

- a call to ExitThread() doesn't seem to work...

I can't see a reason why ExitThread does not work for this thread.. are you sure it's not still suspended? NTStatus?

Best Regards,

kill3xx

garph0
December 2nd, 2000, 06:48
Ok, so now I know the problem is somewhere in my code, and not in the way I've done all the stuff.
Now I'm going to rewrite the whole thing, I hope I'll not run into troubles again )
Thank you very much for the help

regards
garph0

garph0
December 3rd, 2000, 20:35
Excuse me for the double message above... it seems I need some more sleep.

Well people, the injector works (well, it seems to).
I have rewritten the thing, and it seems that the problem was not with the PE loader, but with my code.

So now I'd like to thank you all for your help. Hope I'll be able to as well, if you need it.


garph0

xOANINO [UCF]
December 4th, 2000, 08:46
Well, for exiting your injected thread safely, I'd do it in this "safe" way:

In the main thread, after creating the new thread to execute your stuff, issue a WaitForSingleObject on the new thread object. In this way, calling ExitThread in the new thread context will cause the event to be signaled and caught by the main thread, which then can resume normal execution, restoring context, etc.....

Hope I got your problem, don't listen to kill3x coz he's leim (hi killo!!!!) ))

xOANINO
[UCF]

garph0
December 4th, 2000, 14:23
Mmm, well, the idea is nice, but there is a problem:
the second thread has the task of restoring the main thread to its original status before resuming it, so I cannot have a lock in the main thread waiting for the secondary one to terminate, 'cause the secondary thread will overwrite my program memory and CONTEXT with the original ones.

Hope I've been clear, my English is not very good.

regards
garph0