A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #8769  by listito
 Tue Sep 27, 2011 9:26 am
There's something very strange going on: some DLL (I believe it is malware) seems to be injected into all processes, and when I'm using some programs it sometimes executes invalid instructions inside the DLL and crashes the program. When I try to unload the DLL, it suddenly terminates the program. Is there any way to know if there is some driver or something terminating my process?
 #9369  by listito
 Sun Oct 23, 2011 6:47 am
Thanks, procmon gives me 2 (thread exit). The first one is weird and the call comes from ntdll.dll.

The second one is interesting:

CALL DWORD PTR DS:[<&KERNEL32.GetQueuedC>; kernel32.GetQueuedCompletionStatus

from xul.dll. It's a Firefox plugin I'm reversing and I want to prevent plugin-container.exe from being closed; if I set a breakpoint anywhere, it quits after some seconds. Could anyone help me with that? Maybe hooking this API call would be a solution?

BOOL WINAPI GetQueuedCompletionStatus(
    __in  HANDLE       CompletionPort,
    __out LPDWORD      lpNumberOfBytes,
    __out PULONG_PTR   lpCompletionKey,
    __out LPOVERLAPPED *lpOverlapped,
    __in  DWORD        dwMilliseconds
);

I'm gonna try it :)