Injecting a hook DLL into a process before its imports get called?

Date : November 19 2020, 12:41 AM
You can create the target process suspended and use CreateRemoteThread() for injection, but mind the following limitations:
You should copy the thread main routine for the remote thread to the address space of the target process. This code cannot contain any external references (e.g. CRTL or direct WinApi calls). I would usually limit this code to loading the DLL and either executing a function from it, or relying on DllMain to do the job you need.
In order to call the LoadLibrary and GetProcAddress methods, I obtain their addresses, copy a structure containing this information to the target process, and pass the address of the remote structure as an argument for the thread main routine in CreateRemoteThread(). You can use VirtualAllocEx() to allocate memory in the remote process.
The remote thread in this situation will be executed before the main thread, including process and some Win32/64 initialization. Therefore, not every Win32 API is safe to call in this condition.
Hook into Windows sizing events: hook is not called

Date : March 29 2020, 07:55 AM
Your assumption that the passed lParam is a pointer to an MSG is just wrong. Check the MSDN article for the callback, scroll to the bottom. You'll see that when nCode == HCBT_MOVESIZE then lParam is a pointer to a RECT.
wParam gives you the handle to the window.
How to Version Imports for Cabal Hook

Date : March 29 2020, 07:55 AM
Usually yes, code that is dependent on a version of a library manages it via CPP macros, using macros defined by Cabal itself. See http://www.edsko.net/2014/09/13/haskell-cpp-macros/ for some examples. In your case:
#if MIN_VERSION_Cabal(1,22,0)
    -- something working in Cabal 1.22 or above
#else
    -- something working in Cabal versions prior to 1.22
#endif
how to hook delay imports

Date : March 29 2020, 07:55 AM
I wanted to do hooks without Microsoft Detours, so I went with IAT hooking as it was the simplest method, but I found that some of the functions I want to hook are in the delay import table. I tried to hook it like I hooked the IAT table. The working code after RbMm's comment:
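 #include <windows.h>
 #include <stdint.h>
 #include <string.h>

 // hControlService is the replacement function; it is defined elsewhere.
 void hook_delay_import(void)
 {
     HMODULE lib = GetModuleHandleA(0);
     PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)lib;
     PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((uintptr_t)lib + dos->e_lfanew);
     // Delay-load descriptors have their own data directory, separate from the normal import table.
     PIMAGE_DELAYLOAD_DESCRIPTOR dload = (PIMAGE_DELAYLOAD_DESCRIPTOR)((uintptr_t)lib +
         nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress);
     while (dload->DllNameRVA) {
         char *dll = (char*)((uintptr_t)lib + dload->DllNameRVA);
         if (!strcmp(dll,"mydll.dll")) {
             MessageBoxA(0,"found mydll","info",0);
             PIMAGE_THUNK_DATA firstthunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportNameTableRVA);
             PIMAGE_THUNK_DATA functhunk = (PIMAGE_THUNK_DATA)((uintptr_t)lib + dload->ImportAddressTableRVA);
             while (firstthunk->u1.AddressOfData) {
                 if (firstthunk->u1.Ordinal & IMAGE_ORDINAL_FLAG) {}  // imported by ordinal: no name to compare
                 else {
                     PIMAGE_IMPORT_BY_NAME byName = (PIMAGE_IMPORT_BY_NAME)((uintptr_t)lib + firstthunk->u1.AddressOfData);
                     if (!strcmp((char*)byName->Name,"func")) {
                         MessageBoxA(0,"found func","info",0);
                         DWORD oldProtect;
                         DWORD tmp;
                         VirtualProtect(&functhunk->u1.Function, sizeof(uintptr_t), PAGE_EXECUTE_READWRITE, &oldProtect);
                         functhunk->u1.Function = (uintptr_t)hControlService;
                         VirtualProtect(&functhunk->u1.Function, sizeof(uintptr_t), oldProtect, &tmp);
                         MessageBoxA(0, "hooked func", "info", 0);
                     }
                 }
                 firstthunk++;  // name table and address table advance in lockstep
                 functhunk++;
             }
         }
         dload++;
     }
 }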
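For offline inspection of the same tables, the following added example (not part of the original answer) performs the descriptor and thunk walk over a byte buffer and bounds-checks every RVA, so a malformed image cannot push a read outside the buffer. The names find_delay_slot, str_eq and build_sample are hypothetical; it assumes a PE32+ image (64-bit thunks) laid out by RVA, a little-endian host, and a constructed sample buffer rather than a real PE file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Field order of IMAGE_DELAYLOAD_DESCRIPTOR: eight 32-bit fields. */
enum { D_ATTR, D_NAME, D_HMOD, D_IAT, D_INT, D_BIAT, D_UIT, D_TIME, D_WORDS };
#define ORD_FLAG64 0x8000000000000000ULL /* IMAGE_ORDINAL_FLAG64 */

/* Bounds-checked string compare at an RVA; 0 if the string would leave the buffer. */
static int str_eq(const uint8_t *img, size_t len, uint64_t rva, const char *s) {
    size_t n = strlen(s) + 1;
    return rva < len && n <= len - rva && memcmp(img + rva, s, n) == 0;
}

/* Returns the RVA of the delay-IAT slot for dll!func, or -1 if it is absent
   or if a table runs past the end of the buffer. */
int64_t find_delay_slot(const uint8_t *img, size_t len, uint32_t dir,
                        const char *dll, const char *func) {
    for (uint64_t d = dir; d + 4 * D_WORDS <= len; d += 4 * D_WORDS) {
        uint32_t w[D_WORDS];
        memcpy(w, img + d, sizeof w);
        if (!w[D_NAME]) break;                    /* terminating descriptor */
        if (!str_eq(img, len, w[D_NAME], dll)) continue;
        for (uint64_t i = 0; ; i++) {
            uint64_t nt = w[D_INT] + 8 * i, slot = w[D_IAT] + 8 * i, thunk;
            if (nt + 8 > len) return -1;          /* name table truncated */
            memcpy(&thunk, img + nt, 8);
            if (!thunk) break;                    /* end of name table */
            if (thunk & ORD_FLAG64) continue;     /* imported by ordinal */
            if (str_eq(img, len, thunk + 2, func)) /* +2 skips the Hint */
                return slot + 8 <= len ? (int64_t)slot : -1;
        }
    }
    return -1;
}

/* Constructed sample (not a real PE): "mydll.dll" delay-importing "func". */
size_t build_sample(uint8_t *img, size_t cap) {
    uint32_t desc[D_WORDS] = {1, 0x80, 0, 0xC0, 0xA0, 0, 0, 0};
    uint64_t name_thunk = 0xE0;                   /* RVA of IMAGE_IMPORT_BY_NAME */
    if (cap < 0x100) return 0;
    memset(img, 0, 0x100);
    memcpy(img + 0x40, desc, sizeof desc);        /* zeroed terminator follows */
    memcpy(img + 0x80, "mydll.dll", 10);
    memcpy(img + 0xA0, &name_thunk, 8);
    memcpy(img + 0xE2, "func", 5);                /* Name follows 2-byte Hint */
    return 0x100;
}
```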
How receive hook from Bitbucket on JIRA and process this hook data?

Date : March 29 2020, 07:55 AM
I figured it out, it's simple via WebHooks
I used the plugin JIRA Automation
Deviarev2 Hook API: Hook into existing process winapi calls?

Date : March 29 2020, 07:55 AM
It's actually much easier to hook APIs in your own process (actually when you want to hook in another process you need to DLL inject into that process anyway, so basically when you're hooking in your own process you can just skip that step). It might be a bug with the library you are using. Try Microsoft Detours or if you're up to it, patch the memory yourself, it's not that hard actually, a few hours' work if you're new to the subject.
What you need to be wary of is that some C++ compilers will in some cases (I think debug builds) use some jump stub or something like this, which can interfere with the hooking process. In that case you must take some extra care when hooking - MS Detours probably does this properly. You can try debug/release builds if that affects your success. What I mean is to get the proper address of the API. If the function is in a DLL like is the case with WinAPI you can be sure you are getting the right address if you use LoadLibrary and GetProcAddress.
