Hooking already running process

[Zarathustrius]

Hi,

Is it possible to hook a process that already is running using Detours?

I used one of creatwth procedures (DetourCreateProcessWithDllExW) as the base for my tests and created a procedure that opens a process (OpenProcess) instead of its creation (CreateProcess), almost all the other logic is the same.
The code runs smoothly and does all the steps just like DetourCreateProcessWithDllExW do, but no hooking occurs as well as I don't see a DLL injected in the target app (looking using SysInternals Process Explorer).

My code:

typedef LONG(NTAPI* NtSuspendProcess)(IN HANDLE ProcessHandle);
typedef LONG(NTAPI* NtResumeProcess)(IN HANDLE ProcessHandle);

HANDLE WINAPI DetourAttachToProcessDll(_In_ DWORD dwTargetPid,
                              _In_ DWORD dwDesiredAccess,
                              _In_ BOOL bInheritHandles,
                              _In_ LPCSTR lpDllName,
                              _In_opt_ PDETOUR_OPEN_PROCESS_ROUTINE pfOpenProcess)
{
    if (pfOpenProcess == NULL) {
        pfOpenProcess = OpenProcess;
    }

    NtSuspendProcess pfnNtSuspendProcess = (NtSuspendProcess)GetProcAddress(GetModuleHandle("ntdll"), "NtSuspendProcess");
    NtResumeProcess pfnNtResumeProcess = (NtResumeProcess)GetProcAddress(GetModuleHandle("ntdll"), "NtResumeProcess");

    HANDLE hProcess = pfOpenProcess(dwDesiredAccess, bInheritHandles, dwTargetPid);
    if (!hProcess) {
        return NULL;
    }

    pfnNtSuspendProcess(hProcess);

    if (!DetourUpdateProcessWithDll(hProcess, &lpDllName, 1) &&
        !DetourProcessViaHelperA(dwTargetPid, lpDllName, CreateProcessA)) {
        CloseHandle(hProcess);
        return NULL;
    }

    pfnNtResumeProcess(hProcess);

    return hProcess;
}

As you can see, it consumes PID and desired access flags that equal PROCESS_ALL_ACCESS for the tests.

Thank you!

[sylveon]

DetourUpdateProcessWithDll updates the import table of a process so it doesn't work if the process is already running. It only works when the process has been started suspended so hasn't loaded DLLs yet. To inject in an already running process, you have to use VirtualAllocEx + WriteProcessMemory + CreateRemoteThread + LoadLibrary.

[Zarathustrius]

Thank you very much! Is there a sample code I could try?

[soodlikesgithub]

@Zarathustrius I am also trying to inject DLL into the running process, was your trial successful using the above suggestion?

[SuibianP]

#281 (reply in thread)

#162