Can we hook some func in another process then change return address?

[Teerayoot]

I want to inject dll into another process then hook some function in order to change return adreess to our code or fill hex 0xEBFE byte so we can pause there and debug that process.

Can we do this tecnique?

For injecting you can use ForceLibrary, createprocess with the suspend flag, inject, resume process.

Hooking a function is just a matter of calling WriteProcessMemory and correctly modifying a call/jmp to the address of your code, and returning properly. Make SURE you take care of the stack correctly.

no,micro$oft's detours is the best,using it's api
DetourCreateProcessWithDll or DetourContinueProcessWithDll
u can inject a dll into another process very easily.
it also provide some apis with which one can hook functions in a simple way.

[Teerayoot]

Thank you,Viasek for infos.

Ok,anyway can we hook System api like

"NtQueryInformationProcess" that getprocaddressed in normal process?

Note : I using madcodehook very easy and painless.

Injecting a DLL into another process can be done quite easily with the regular Windows API only:
-first allocate memory in the target process with CreateRemoteThread,
-then copy some loader code and the arguments using WriteProcessMemory,
-then use CreateRemoteThread to start the loader code, which in turn calls LoadLibrary

This technique is very generic, and allows to execute any code into any process... This is useful for hooking as well, as it allows to hook only a specific process instead of the whole system....

in ntdll.dll
you can find return address and simple you can hook them,
the address from my ntdll.dll

;Native API
SYSTEM_CALL equ 7FFE0300h
NtAllocateVirtualMemory equ 77F5b54Eh