microsoft / Detours

Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
MIT License

How to hook an existing local process? #162

Closed 0xThiebaut closed 3 years ago

0xThiebaut commented 3 years ago

I am looking to hook an existing local process but can't find any clear documentation on how to do so.

I have tried, without success:

I checked #76 but feel the suggested approach is for the process itself. Is there any documentation on how Detours can be used for an existing local process?

sylveon commented 3 years ago

You will need to inject a DLL into the target process and can then use DetourUpdateThread in that injected DLL.

A few ways you can inject a DLL are by using SetWindowsHookEx, SetWinEventHook, or CreateRemoteThread + LoadLibrary.

0xThiebaut commented 3 years ago

I went with CreateRemoteThread + LoadLibraryA. Thanks!
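
Seen from the monitoring side, the CreateRemoteThread + LoadLibraryA route chosen in this thread shows up as a Sysmon Event ID 8 (CreateRemoteThread) record whose StartFunction resolves to a LoadLibrary export. The following is an added example, not part of the thread or of Detours; the sample events are constructed and the allowlist path is hypothetical.

```python
# Added example: triage Sysmon Event ID 8 (CreateRemoteThread) records for remote
# threads that start at a LoadLibrary export in kernel32/kernelbase.
LOADLIB_EXPORTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}

# Hypothetical allowlist: instrumentation tools expected to do this on the host.
ALLOWED_SOURCES = {r"c:\tools\instrument\injector.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return 'ignore', 'allowed' or 'alert' for one parsed Sysmon event dict."""
    if str(event.get("EventID")) != "8":
        return "ignore"
    # StartFunction is only filled in when Sysmon resolves the start address to
    # an export, so an empty value here is not proof that nothing was loaded.
    func = (event.get("StartFunction") or "").lower()
    module = basename(event.get("StartModule") or "")
    if func not in LOADLIB_EXPORTS or module not in LOADER_MODULES:
        return "ignore"
    source = (event.get("SourceImage") or "").lower()
    return "allowed" if source in ALLOWED_SOURCES else "alert"

def alerts(events):
    """(source image, target image) pairs that need an analyst's attention."""
    return [(e["SourceImage"], e["TargetImage"]) for e in events if classify(e) == "alert"]

# Constructed sample events (field names follow Sysmon's Event ID 8 schema).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\dev\hooktest.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Tools\Instrument\injector.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\conhost.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartModule": r"C:\Windows\System32\kernelbase.dll", "StartFunction": "CtrlRoutine"},
    {"EventID": 1, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for src, dst in alerts(SAMPLE_EVENTS):
        print(f"remote LoadLibrary thread: {src} -> {dst}")
```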