madshi.net

I am trying to use NewProcess and my executable is failing to launch. How can I check to see what went wrong? The old way I would use something like: H := WinExec(PChar(t+#32+szfile), lpici.nShow); if H < 32 then MessageBox(lpici.hWnd, pchar(syserrormessage(h)), 'Error', MB_ICONERROR or MB_OK);

I set up to hook this call but I never see anything call it. Wouldn't this be the lowest level hook for CreateProcess?

It's a false alarm from Webroot most likely. To remove it open Explorer and browse to C:\Windows\System32 and delete MadCHook.dll

You may have to delete it in safe mode if it is in use.

Note that the program using it will likely no longer function.

I want to map the mutex to the original creator of the mutex.

here is the code I am using to get the mutex list: procedure ttest.getmutexlist; var dirhandle: thandle; oadir: jwawindows.pobject_attributes; status: ntstatus; wdir: unicode_string; mut: unicode_string; name: array[0..17] of widechar; mutant: array[0..6] of widechar; ctx: ULONG; p: PDIRECTORY_BASIC...

Ideally I would like to list all processes that have a handle to the mutex but just the original .exe that created it would be fine.

I know it *can* be done as somehow ProcessExplorer lists the mutex of a given process. I just want to do the reverse of that. Having said that when I use madkernel to get at the information it always returns my process as the owner. When I try to get the handle manually it always says ACCESS DENIED ...

Is it possible to find the process owner of a given mutex? If so, how? Thanks!

Ahh, ok. I was thinking of a session and handle. The problem is I get a BSOD the second I call InjectLibrarySession. I have a service that waits for an IPC message telling it to inject. The dll is currently a dummy. It has no functions at all as I was hoping this would aid debugging. The call inject...

I am trying to use the getcurrentsessionid function but it always returns 0

Is there something obvious I am missing that needs to be done to initialize this? Thanks!