Discussion: the cleanup problem after an injection hook completes

Time:10-09

Problem description:

I use a global hook to inject a DLL into the target process, and I have managed to hook the target function Fun in that process so that calls to it first enter my function, Fun_My. None of this is a problem. But when I want to uninstall the hook, if code happens to be executing inside my function Fun_My, the process crashes: I have unloaded the DLL, the DLL is no longer in the target process, so Fun_My is invalid content rather than the correct code that was there before, and the target process crashes.

In this case, when my DLL runs its detach to uninstall, how can I ensure that no code is executing in Fun_My?

Of course, I must call the unhook function in advance. It is only that the last call into the hooked function may still be executing in Fun_My and not yet have returned, and that is where it goes wrong.

Has anyone met or thought about this problem, and is there a good way to handle it? Technical discussion and advice are welcome. Thank you.

CodePudding user response:

If it is an IAT/EAT hook, restore the import/export table first and then unload; any other method has a similar means of recovery.
Another way is to use binary code and inject it remotely directly, so no DLL is needed.

CodePudding user response:

Quoting the reply from xuddk727 (1st floor):
If it is an IAT/EAT hook, restore the import/export table first and then unload; any other method has a similar means of recovery.
Another way is to use binary code and inject it remotely directly, so no DLL is needed.


Thank you for your answer, but it does not match my problem. I know how to handle the unhook. What I mean is that code is executing in Fun_My. Please note that this address is in my DLL's space, because what is executing is my hook function, Fun_My. If execution inside Fun_My has not yet returned when I perform the unhook operation, my DLL will be unloaded at that moment while the Fun_My function in the DLL is executing. Executing code in a module that has been unloaded will certainly crash.

CodePudding user response:

Also provide an exported interface for the unloading part.

In the hook part, set a tag on entering the hook function and clear it on exit.
Before unloading the DLL, first wait until the tag is cleared, then unload.

CodePudding user response:

Have a look at the WinAPIOverride32 source code?

CodePudding user response:

Quoting the reply from zgl7903 (3rd floor):
Also provide an exported interface for the unloading part.

In the hook part, set a tag on entering the hook function and clear it on exit.
Before unloading the DLL, first wait until the tag is cleared, then unload.


Thank you for your reply. I have tried this line of thinking as well.

But it is not an ideal approach. Take the limiting case: execution has just entered the function and is in the middle of its code, there has not yet been time to set the tag, but it has already entered the function.

Or at the moment of leaving the function: although the tag has already been restored, the assembly code still has to balance the stack, which also causes problems.

These are special cases, of course, but that is how code is: problems often appear when running in exactly such special cases.

CodePudding user response:

Can you debug it and see which line of code went wrong?

CodePudding user response:

Thank you, but I did not seem to see a problem. Thank you anyway.

CodePudding user response:

I looked at the WinAPIOverride32 source code. It is mainly an implementation of the different ways of hooking; its unhook is done in the routine way with no special handling, which is to say it has this problem too.

CodePudding user response:

So it seems that your hooked function is either called frequently or takes a long time to process. The problem is essentially one of multithreading safety. You can imitate COM by adding a reference count, with a built-in unhook tag in your handler function.
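The reference-count-plus-tag idea from this reply, as an added example that is not code from any poster in the thread. It is a portable C11 model rather than Windows code: Fun and Fun_My are the names used in the question, while g_slot, g_probe, hook_install, hook_remove and hook_can_unload are hypothetical, and the mid-call unhook is simulated on one thread through g_probe.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
typedef int (*fun_t)(int);
static int Fun(int x) { return x + 1; }      /* constructed stand-in for the target's Fun */
static int Fun_My(int x);

static _Atomic(fun_t) g_slot = Fun;          /* models the patched entry callers go through */
static atomic_int  g_in_flight = 0;          /* calls currently inside Fun_My */
static atomic_bool g_unhooking = false;      /* the "unhook tag" checked by the handler */
static void (*g_probe)(void) = NULL;         /* demo seam: runs while Fun_My is mid-call */
static bool g_seen_busy = false;
static void hook_install(void) { atomic_store(&g_unhooking, false); atomic_store(&g_slot, Fun_My); }

/* Teardown step 1: stop new entries. Calls already inside Fun_My are unaffected. */
static void hook_remove(void) { atomic_store(&g_unhooking, true); atomic_store(&g_slot, Fun); }

/* Teardown step 2: unloading is allowed only once unhooked AND the counter has drained.
   A real DLL would poll this (for example with Sleep) before allowing FreeLibrary. */
static bool hook_can_unload(void) { return atomic_load(&g_slot) == Fun && atomic_load(&g_in_flight) == 0; }

static int Fun_My(int x)                     /* handler that lives in the injected DLL */
{
    atomic_fetch_add(&g_in_flight, 1);       /* AddRef on entry */
    int r;
    if (atomic_load(&g_unhooking)) {
        r = Fun(x);                          /* unhook requested: pass straight through */
    } else {
        if (g_probe) g_probe();
        r = Fun(x) * 10;                     /* constructed "monitoring" behaviour */
    }
    atomic_fetch_sub(&g_in_flight, 1);       /* Release on exit */
    return r;
}

static int call_target(int x) { fun_t f = atomic_load(&g_slot); return f(x); }
/* Simulates another thread unhooking while one call is still inside Fun_My. */
static void probe_unhook_mid_call(void) { hook_remove(); g_seen_busy = !hook_can_unload(); }

/* True if unload was refused mid-call and allowed after the call returned. */
static bool demo(void)
{
    hook_install();
    g_probe = probe_unhook_mid_call;
    int r = call_target(1);
    g_probe = NULL;
    return r == 20 && g_seen_busy && hook_can_unload() && call_target(1) == 2;
}

int main(void) { return demo() ? 0 : 1; }
```

The counter only covers the instructions between the increment and the decrement; the entry and return instructions around them still sit in the DLL, which is the gap the original poster raises in this thread.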

CodePudding user response:

Quoting the reply from xuddk727 (9th floor):
So it seems that your hooked function is either called frequently or takes a long time to process. The problem is essentially one of multithreading safety. You can imitate COM by adding a reference count, with a built-in unhook tag in your handler function.


Thank you for your reply. I have tried this line of thinking as well.

But it is not an ideal approach. Take the limiting case: execution has just entered the function and is in the middle of its code, there has not yet been time to set the tag, but it has already entered the function.

Or at the moment of leaving the function: although the tag has already been restored, the assembly code still has to balance the stack, which also causes problems.

These are special cases, of course, but that is how code is: problems often appear when running in exactly such special cases.


Also, this is still a little different from the usual multithreading safety. That is about things like modifying a critical resource, where only serial access is allowed but one access can still follow another; here, nothing may ever enter again.

CodePudding user response:

What is your purpose in unloading the DLL here?

CodePudding user response:

Quoting the reply from xuddk727 (11th floor):
What is your purpose in unloading the DLL here?


Because my monitoring program has been closed. Since I set a global hook, it certainly has to be unhooked, and the correspondingly injected DLL will detach.

CodePudding user response:

Your problem is similar to the problem of how a DLL unloads itself.
When your function needs to unload the DLL, at the time of calling the unload function, push a return address that enters the code you need to execute after unloading.
At the end of your unloading function, manually pop the return stack so that ret returns into the code you set.

CodePudding user response:

Quoting the reply from Saleayas (13th floor):
Your problem is similar to the problem of how a DLL unloads itself.
When your function needs to unload the DLL, at the time of calling the unload function, push a return address that enters the code you need to execute after unloading.
At the end of your unloading function, manually pop the return stack so that ret returns into the code you set.



Thank you for the answer, but what you describe is a different problem. My question now is that, after unloading, other places are still calling and executing a function in the DLL at an address that no longer exists, hence the crash.

CodePudding user response:

If your DLL is not unloaded (FreeLibrary), UnhookWindowsHookEx should not cause the program to crash. (For testing, the hook can call only CallNextHookEx and should not do anything else.)

    void UnHookSafe()
    {
        if (HHK)
        {
            UnhookWindowsHookEx(HHK);
            /* wait until the hook procedure is no longer running */
            while (bHookDoing) Sleep(0);
            HHK = NULL;
        }
    }

Write the log

CodePudding user response:

Quoting the reply from zgl7903 (15th floor):
If your DLL is not unloaded (FreeLibrary), UnhookWindowsHookEx should not cause the program to crash. (For testing, the hook can call only CallNextHookEx and should not do anything else.)

    void UnHookSafe()
    {
        if (HHK)
        {
            UnhookWindowsHookEx(HHK);
            /* wait until the hook procedure is no longer running */
            while (bHookDoing) Sleep(0);
            HHK = NULL;
        }
    }

Writing log



Because the hook, after injection, redirects other functions in the target process to my own. If my main process is closed, UnhookWindowsHookEx has to be called, which leads to the DLL in the target process being unloaded. But execution is probably inside my hook function at that point, and then my DLL is unloaded, hence the crash.


CodePudding user response:

I see. Then delay unloading the DLL.

CodePudding user response:

Quoting the reply from xuddk727 (17th floor):
I see. Then delay unloading the DLL.


That is just what I am doing now: after loading, it is not unloaded.
I always feel this way is not graceful enough, so I am asking and discussing.
I have debugged other similar applications, and they do unload without any problem; at least I tested many times over a long period and saw no problem.
So I want to see whether anyone has good advice for dealing with this problem.

CodePudding user response:

Quoting the reply from rageliu (18th floor):
Quote: the reply from xuddk727 (17th floor):

I see. Then delay unloading the DLL.


That is just what I am doing now: after loading, it is not unloaded.
I always feel this way is not graceful enough, so I am asking and discussing.