Win32 Captures DLL injection into applications created against "any processor",

Question

Win32 Captures DLL injection into applications created against "any processor",

I am working on a project that captures all user interactions. MSDN reports ( this )

SetWindowsHookEx can be used to insert a DLL into another process. A 32-bit DLL cannot be injected into a 64-bit process, and a 64-bit DLL cannot be injected into a 32-bit process. If the application requires the use of hooks in other processes, a 32-bit call to the SetWindowsHookEx application is required to insert the 32-bit DLL into the 32-bit processes and a 64-bit call to the SetWindowsHookEx application is required to enter the 64-bit DLL into 64-bit processes.

My question is: what happens if the application was created against Any CPU . I need to call SetWindowsHookEx from a DLL built against Any CPU .

I wrote HookLogger_32.exe, loading HookFunctions_32.dll (both x86) and HookLogger_64.exe, loading HookFunctions_64.dll (both x64), setting WH_CBT and WH_MOUSE globally (not a specific thread).

HookLogger_32.exe, HookLogger_64.exe, HookFunctions_32.dll and HookFunctions_64.dll are written in C ++.

When I click on a .NET application built against Any CPU , these DLL files are entered (via SetWindowHookEx ). Windows OS freezes and I have to force restart my machine.

When the same .NET application is created against x86 or x64, and when I click on the application after starting HookLoggers (both 32 and 64 bits), everything works fine.

Any reasons for this behavior are undefined.

The platform I'm working on is a 64-bit machine.

+7

hook dll-injection setwindowshookex

sri Jan 27 '12 at 9:41

source share

4 answers

Yahia · Answer 1 · 2012-02-04T20:10:37+0000

You need to add the corresponding bitnes from the DLL, that is, "any processor" will become 32 or 64 bits at runtime ... and your DLL should correspond to the runtime bit!

Something useful in your situation is known as a “side by side assembly” (two versions of the same assembly, one 32 and the other 64 bits) ... I think you will find them useful:

Here you can find a good step-by-step guide that contains many useful informational parts - describes the .NET DLL wrapping the C ++ / CLI DLL, referencing its own DLL

UPDATE:

To make the hook very simple and reliable, see this well-tested and free library - among other things, it works with AnyCPU!

Davita · Answer 2 · 2012-02-04T22:57:25+0000

I assume that your main problem is that you are trying to embed the .NET assembly in your own process, and that will certainly not work. I'm not even sure if SetWindowsHookEx supports embedding the .NET assembly in the CLR process. The solution to your problem:

Rewrite / recompile your dll with a built-in compiler like C ++ / Delphi / VB etc. for x86 and x64 platforms.
Make sure that your dll depends only on system libraries. For example, it should not depend on any dll that does not come with windows, because you can compromise the target process. You can use the Dependency Walker tool to define dependencies.
As mentioned in MSDN, you must have an executable injector for each processor that you want to support. In this case, x86 and x64.

Or you could use a better injection / interception library like madCodeHook or Detours. Thus, you will overcome the problem number 3, without mentioning the dozens of pros that they provide.

Louis ricci · Answer 3 · 2012-02-07T13:04:26+0000

Just from your description of the problem, my guess is ... Your any compilation program with a processor loads the x86 stub, which launches your 32-bit hook, and then checks for the presence of the x86 stub and sees that the environment supports the 64-bit version and launches the 64-bit CLR version.

In this case, your 32-bit DLL converter receives a WH_SHELL message and tries to insert into a process (end x86) that has already ended, or by inserting a 32-bit hook into a 64-bit CLR process. So your "very ambiguous and needs to be developed" about a system crash.

If you want to talk in detail about what your code does, then additional help will be provided (and less generalizations and "just use program A"). You actually enter code into this process or call SetWindowsHookEx using the dwThreadId process.

Zenexer · Answer 4 · 2012-02-08T07:12:16+0000

On a 32-bit computer, it should be pretty obvious that this is a bit. Any processor application takes care.

A 64-bit computer receives two separate .NET Framework installations: one for each bit. A .NET application compiled with any CPU, since the target usually runs on a 64-bit installation, but can also work on a 32-bit installation if it refers to another application that directly targets x86. Thus, you can only be sure of what you get if you know how the application runs: as an independent process or through a link.

I would not make any assumptions. Do not assume that this process is 64-bit on a 64-bit computer: it may be 32-bit. Check it correctly to see what mode it is working in. Then enter the 32-bit or 64-bit version, respectively.

The reason you should use the same bitte as the target process is because for technical reasons that I will not receive, such hooks cannot cross the so-called SysWOW barrier. SysWOW allows 32-bit applications to run on a 64-bit computer, 16-bit applications to run on a 32-bit computer, etc. You cross the barrier when you talk between applications running on opposite sides of SysWOW — that is, one works in SysWOW (32-bit) and the other doesn't (64-bit). Simply put, the process must be entirely in or out of SysWOW. Thus, you cannot add 32-bit code to a 64-bit process and vice versa.

Win32 Captures DLL injection into applications created against "any processor",

More articles: