markhc
commented
2 years ago HookLibrary only imports NTDLL functions. NTDLL is always mapped at the same location in every running process. This is also the case for Kernel32.dll.
Closed Eleven-LA closed 2 years ago
markhc
commented
2 years ago HookLibrary only imports NTDLL functions. NTDLL is always mapped at the same location in every running process. This is also the case for Kernel32.dll.
The
startInjectionfunction calls theMapModuleToProcessfunction to implement the injection ofHookLibrary.dll,But theMapModuleToProcessfunction first maps theHookLibrary.dllinto its own memory and resolves the import table,and then usesWriteProcessMemoryto write the resolved image to the target process.At this time, shouldn't the function address pointed to byFirstThunkbelong to theInjectorCLIprocess? Why canHookLibrary.dllbe executed normally in the target process?The function address of the dll used by theHookLibrary.dllmay be different in the two processes.ResolveImports((PIMAGE_IMPORT_DESCRIPTOR)((DWORD_PTR)imageLocal + pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress), (DWORD_PTR)imageLocal);SIZE_T skipBytes = wipeHeaders ? pNtHeader->OptionalHeader.SizeOfHeaders : 0;(WriteProcessMemory(hProcess, (PVOID)((ULONG_PTR)imageRemote + skipBytes), (PVOID)((ULONG_PTR)imageLocal + skipBytes)