TsudaKageyu / minhook

The Minimalistic x86/x64 API Hooking Library for Windows
http://www.codeproject.com/KB/winsdk/LibMinHook.aspx

Windows 7 #35

Closed KozmoK closed 3 years ago

KozmoK commented 8 years ago

Create Hook is failing on Windows 7 with MH_ERROR_MEMORY_ALLOC.

Any idea how to resolve this? It's contained in an injected DLL. It works fine on Windows 10.

Nucleoprotein commented 8 years ago

What function are you hooking? Maybe a code sample?

KozmoK commented 8 years ago

Sorry.

This function is inside an application. I only have the offset that was returned from a signature scan. I have tried many different ways; here is one way that works fine on Windows 10:

```cpp
// Signature of the target function as shown by the disassembler
int __fastcall sub_143F8AD40(__int64 a1, __int64 a2);

// Detour: forwards to the original through the trampoline MinHook fills in
int __fastcall hkDispatchMessage(void* pMessageManagerImpl, fb::Message* pMessage) {
    return oDispatchMessage(pMessageManagerImpl, pMessage);
}

MH_STATUS hStat = MH_CreateHook((LPVOID)gSDK->offset_DispatchMessage, &hkDispatchMessage, reinterpret_cast<void**>(&oDispatchMessage));

if (hStat != MH_OK)
{
    gLog->Write("Dispatch_CreateHook error - exiting aux plugin %x", hStat);
    return;
}

MH_STATUS err = MH_QueueEnableHook((LPVOID)gSDK->offset_DispatchMessage);

if (err != MH_OK)
{
    gLog->Write("EnableHook Error for dwMessage - exiting aux plugin %x", err);
    return;
}

MH_ApplyQueued();
```

Output:

```
Dispatch_CreateHook error - exiting aux plugin 9
```

Nucleoprotein commented 8 years ago

I do not think this is a MinHook problem. First off - do not use an offset if that code can be relocated by the system, you need to calculate the VA relative to the module base - I think this is your main problem, i.e. `gSDK->offset_DispatchMessage` is pointing to the wrong code on Windows 7.

EDIT: Are you injecting your DLL into a process and hooking executable or DLL code? Also, you can calculate the absolute virtual address using the HANDLE returned by GetModuleHandle as the module base, i.e. `char* base = (char*)GetModuleHandle(NULL); void* address = base + offset;` Use NULL as the argument for GetModuleHandle if hooking the app into which you injected your DLL; for hooking a DLL you need to use its name.
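An added example (not from this thread and not MinHook code) of the calculation described in the comment above: it takes an address as a disassembler shows it, subtracts the preferred ImageBase read from the on-disk PE32+ header, bounds-checks the result against SizeOfImage, and adds the runtime module base. The header bytes and the runtime base `0x7FF6A0000000` are constructed sample values, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian read of n bytes (PE header fields are little-endian). */
static uint64_t rd(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Parse a PE32+ header taken from the file on disk (the loader rewrites the
   ImageBase field in the mapped copy). Returns 0 on success, -1 otherwise. */
int pe64_layout(const uint8_t *hdr, size_t len, uint64_t *pref_base, uint32_t *img_size) {
    if (len < 0x40 || hdr[0] != 'M' || hdr[1] != 'Z') return -1;
    uint64_t nt = rd(hdr + 0x3C, 4);                  /* e_lfanew */
    if (nt > len || len - nt < 24 + 60) return -1;    /* signature, file header, fields read below */
    if (memcmp(hdr + nt, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = hdr + nt + 24;               /* optional header */
    if (rd(opt, 2) != 0x20B) return -1;               /* PE32+ only */
    *pref_base = rd(opt + 24, 8);                     /* ImageBase */
    *img_size = (uint32_t)rd(opt + 56, 4);            /* SizeOfImage */
    return 0;
}

/* Static-analysis address -> address in the loaded module; 0 if outside the image. */
uint64_t rebase_va(uint64_t static_va, uint64_t pref_base, uint32_t img_size, uint64_t runtime_base) {
    if (static_va < pref_base || static_va - pref_base >= img_size) return 0;
    return runtime_base + (static_va - pref_base);
}

/* Constructed sample: minimal PE32+ header, ImageBase 0x140000000, SizeOfImage 0x05000000. */
size_t make_sample(uint8_t *buf, size_t cap) {
    if (cap < 0x100) return 0;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = 0x80;     /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *opt = buf + 0x80 + 24;
    opt[0] = 0x0B; opt[1] = 0x02;                     /* magic 0x20B */
    opt[27] = 0x40; opt[28] = 0x01;                   /* ImageBase bytes */
    opt[59] = 0x05;                                   /* SizeOfImage high byte */
    return 0x100;
}

int main(void) {
    uint8_t hdr[0x100]; uint64_t base; uint32_t size;
    if (pe64_layout(hdr, make_sample(hdr, sizeof hdr), &base, &size) != 0) return 1;
    /* 0x7FF6A0000000 stands in for the value GetModuleHandle(NULL) returns at run time. */
    printf("%llx\n", (unsigned long long)rebase_va(0x143F8AD40ULL, base, size, 0x7FF6A0000000ULL));
    return 0;
}
```

A return value of 0 from `rebase_va` means the address does not belong to the module at all, which is worth logging before any call that patches code at that address.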

KozmoK commented 8 years ago

I think you're right, this is somehow my code issue. I am injecting my DLL into an executable. This is x64 by the way. I did not put that in my original post.

I am using a signature finder function (i.e. Pattern) that finds the function within the injected module. It's always the same offset whether it's in Win 7 or Win 10. I can pull that address up in IDA and look at the code directly.

For some reason Win 7 does not like me using an offset directly.

Also, the same code worked 2-3 weeks ago, there must have been some update on Win 7.

m417z commented 3 years ago

Closing this old issue since it's probably no longer relevant. If you were using an old version, you might have been experiencing this issue: https://github.com/TsudaKageyu/minhook/issues/10. If not, it needs more investigation.