Try to fix EasyHook#295 once and for all:

The sleep needs to be after ForceLdrInitializeThunk to have an effect. Also instead of an arbitrary sleep, we can actually poll the result in a loop, at the risk of a deadlock instead of an injection error.
AndrasteFramework · Nov 6, 2023 · e1d0d0c · e1d0d0c
1 parent 9bcf1a6
commit e1d0d0c
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/EasyHookDll/RemoteHook/thread.c b/EasyHookDll/RemoteHook/thread.c
@@ -1237,11 +1237,13 @@ EASYHOOK_NT_EXPORT RhInjectLibrary(
 		THROW(STATUS_NO_MEMORY, L"Unable to allocate memory in current process.");
 
 	// Ensure that if we have injected into a suspended process that we can retrieve the remote function addresses
-	Sleep(1000);
 	FORCE(NtForceLdrInitializeThunk(hProc));
 
-	// The first GetRemoteModuleHandle call in GetRemoteFuncAddress can return NULL in some applications started in a suspended. Call GetRemoteFuncAddress once to prevent an access violation error.
-	GetRemoteFuncAddress(InTargetPID, hProc, "kernel32.dll", "LoadLibraryW");
+	// It may take a while for the Ldr to initialize the thunk, so we just continuously poll and wait.
+	while(GetRemoteFuncAddress(InTargetPID, hProc, "kernel32.dll", "LoadLibraryW") == NULL)
+	{
+		Sleep(100);
+	}
 
 	// Determine function addresses within remote process
     Info->LoadLibraryW   = (PVOID)GetRemoteFuncAddress(InTargetPID, hProc, "kernel32.dll", "LoadLibraryW");