Hi,
LibraryCallMonitor only traces processes configured in the
ProcessExecutionDetector plugin. You need to edit s2e-config.lua
to include rundll32.exe so that it is traced. Note that
LibraryCallMonitor works independently of EasyHook, you can use it
to trace calls regardless of whether the process is hooked or not.
Vitaly
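As an added illustration of the fix described above (not a file from this thread or from the S2E project itself), here is the relevant fragment of a project's s2e-config.lua with rundll32.exe added to the traced process list. The name malware.exe is a placeholder for the sample under analysis; the LibraryCallMonitor option shown is assumed from the plugin's source rather than stated in the thread.

```lua
-- Fragment of an S2E project's s2e-config.lua (added example, not from the thread).
-- The rest of the generated config (WindowsMonitor, ModuleMap, Vmi, etc.) is
-- assumed to be present as produced by `s2e new_project`.

-- ProcessExecutionDetector decides which processes S2E considers "of interest".
-- LibraryCallMonitor only reports calls made from those processes, so a child
-- started via CreateProcess("rundll32.exe example.dll,...") must be listed too.
add_plugin("ProcessExecutionDetector")
pluginsConfig.ProcessExecutionDetector = {
    moduleNames = {
        "malware.exe",   -- placeholder: the sample that calls CreateProcess
        "rundll32.exe",  -- the child host process whose library calls we want traced
    },
}

-- LibraryCallMonitor logs exported-function calls from the tracked processes.
-- It does not depend on EasyHook, so calls are reported even when the
-- hook DLL is not injected. `monitorAllModules` is an assumed option name
-- (false restricts reporting to the processes listed above).
add_plugin("LibraryCallMonitor")
pluginsConfig.LibraryCallMonitor = {
    monitorAllModules = false,
}
```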
I've used https://adrianherrera.github.io/post/malware-s2e/ to successfully hook functions in malware using CreateProcess to run another exe.
However, when CreateProcess uses rundll32.exe example.dll, args, although custom-hook.dll appears to be successfully injected into the new process and all available hooks are successfully hooked to that process, none of the APIs are actually hooked during execution.
Does anyone know why? Notably, I expected the LibraryCallMonitor to report libraries called from the rundll32 process, but it actually reports calls from the 'example' process (corresponding to the name of the dll run above). I suspect this might have something to do with it, i.e., I'm injected into the process belonging to rundll32 and not example.dll. But since they share the same process ID, I'm not sure.
Any help is appreciated.
You received this message because you are subscribed to the Google Groups "S2E Developer Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to s2e-dev+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/s2e-dev/c4089101-060c-4109-aed2-c4fa4d74fe7en%40googlegroups.com.
Which APIs are you trying to hook? If you are using the sample
code from the link, there is a function that looks like this:
LhInstallHook(GetProcAddress(GetModuleHandleA(moduleName),
functionName), hookFunctions[i], NULL, &hooks[i]);
GetModuleHandleA will fail if the DLL is not already loaded in the process, so you need to call LoadLibrary() on all the DLLs that you want to hook (and that the malware might need) to make sure they are loaded beforehand.
Vitaly
Hi,
Could you run rundll in windbg and trace api calls there? You
should normally see that the first few bytes of a hooked function
are replaced by a jump to the hook, if not then hooking didn't
work.
Vitaly