Thank you for all of the responses guys! Here's a little update on my story:
Care to explain why? Is it protected with some tough protector like VMProtect?
I am trying to alter explorer.exe and have different wallpapers for different virtual desktops. Due to legal issues and this being a school project, I cannot simply patch the file. I also have to perform pretty long operations to make what I want possible, so I strongly prefer to use a high-level language compared to resizing the sections of the executable and injecting instructions somewhere in there, hoping it all works.
Sounds like a bad side effect of hooking. You're either clobbering some register values or stack, or memory.
First, try injecting a DLL that does nothing. If that causes problems, your DLL or injector is flawed. Then try installing hooks that do nothing. If they work, the problem is in your code. If the app still behaves weird, hooks are causing the problem - try again with a different hooking lib.
I have a long, complex method to convert from and to UNICODE_STRING which works in my separate tests. I am pretty sure something there is messed up though because injecting my DLL or hooking a function without any changes in it never causes problems.
And don't get me even started on all possible race and re-entrancy problems.. :)
I had a hilarious case with this when calling a CreateFile from my DLL and accidentally hooking it, causing an overflow. Got around it, but that's not even the point.
Try to go low level and write your own hooking procedures.
And that is almost exactly what I went for...
What I tried yesterday and was extremely happy to see working is manually patching the memory. My new plans are as follows:
I dynamically calculate the address of the instruction I want to modify and I overwrite it with a jump to a function in my already injected DLL. The first instruction in my function is the one I replaced (so I don't interrupt the code flow) and then I have full access to explorer's memory (since the DLL is in its memory space). I was thinking about finding the HDC that holds the wallpaper, calculating the addresses dynamically and using it in my injected DLL function to replace the wallpaper whenever I want.
Please tell me if there are any flaws in my plan, if there's something I should keep in mind or just anything that I could generally do!
Edited by Niiabo, 24 March 2016 - 10:43 PM.
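
Seen from the detection side, the patch described in this post (an instruction overwritten with a jump into an injected DLL) leaves bytes in memory that differ from the file on disk and decode to a jump leaving the module's image. The following is an added example, not code from the thread; the function names, addresses and sample bytes are constructed, and it assumes the compared bytes contain no relocations and only handles the `E9 rel32` jump form.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { UNMODIFIED, MODIFIED_OTHER, DETOUR_INSIDE_IMAGE, DETOUR_OUTSIDE_IMAGE } verdict;

/* Decode an x86/x64 near jump (E9 rel32) found at virtual address va.
 * Returns 1 and stores the absolute target, or 0 if the bytes are not one. */
static int decode_jmp_rel32(const uint8_t *code, size_t len, uint64_t va, uint64_t *target)
{
    int32_t rel;
    if (len < 5 || code[0] != 0xE9)
        return 0;
    memcpy(&rel, code + 1, sizeof rel);          /* assumes a little-endian host */
    *target = va + 5 + (uint64_t)(int64_t)rel;   /* relative to the next instruction */
    return 1;
}

/* mem:  bytes read from the running process at va
 * disk: bytes at the same location in the on-disk image
 * image_base/image_size: address range of the module that owns va */
verdict classify_patch(const uint8_t *mem, const uint8_t *disk, size_t len,
                       uint64_t va, uint64_t image_base, uint64_t image_size)
{
    uint64_t target;
    if (memcmp(mem, disk, len) == 0)
        return UNMODIFIED;
    if (!decode_jmp_rel32(mem, len, va, &target))
        return MODIFIED_OTHER;                   /* changed, but not a rel32 jump */
    if (target >= image_base && target - image_base < image_size)
        return DETOUR_INSIDE_IMAGE;
    return DETOUR_OUTSIDE_IMAGE;                 /* e.g. lands in another loaded DLL */
}

/* Constructed sample data (not taken from any real binary layout). */
#define SAMPLE_VA   0x140001000ULL
#define SAMPLE_BASE 0x140000000ULL
#define SAMPLE_SIZE 0x200000ULL
static const uint8_t ON_DISK[5] = {0x48, 0x89, 0x5C, 0x24, 0x08}; /* mov [rsp+8], rbx */
static const uint8_t LOCAL[5]   = {0xE9, 0x10, 0x00, 0x00, 0x00}; /* jmp +0x10 */
static const uint8_t DETOUR[5]  = {0xE9, 0xFB, 0xFF, 0xFF, 0x0F}; /* jmp to 0x150001000 */

int main(void)
{
    printf("clean=%d local=%d detour=%d\n",
           classify_patch(ON_DISK, ON_DISK, 5, SAMPLE_VA, SAMPLE_BASE, SAMPLE_SIZE),
           classify_patch(LOCAL, ON_DISK, 5, SAMPLE_VA, SAMPLE_BASE, SAMPLE_SIZE),
           classify_patch(DETOUR, ON_DISK, 5, SAMPLE_VA, SAMPLE_BASE, SAMPLE_SIZE));
    return 0;
}
```
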