how to hook Create Process in Win7

c++ / delphi package - dll injection and api hooking
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

how to hook Create Process in Win7

Post by power888 »

Hi. All.

I have a question about hooking create process in Win7
(UAC is activated, and the process is run using the pop-up menu: Run as Administrator).

I have hooked CreateProcessW, CreateProcessA and CreateProcessWithLogon.
When I start the process with a double click, everything is OK (the hook works well).
But when I start the process with [Run as Administrator], the hook does not work (UAC is activated).

What can I do?

Please help me...
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to hook Create Process in Win7

Post by madshi »

There are a couple of other CreateProcess APIs, e.g. CreateProcessAsUser, IIRC. If all else fails you could try hooking NtCreateProcess(Ex).

What do you need a create process hook for? Maybe there's an easier alternative?
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: how to hook Create Process in Win7

Post by power888 »

Thanks for your reply.

I have tested the APIs below:
- CreateProcessA
- CreateProcessW
- CreateProcessWithLogonW
- CreateProcessAsUserW
- CreateProcessAsUserA

But hooking the above fails when run as Administrator.

So I will test NtCreateProcess.

BTW, my objective is this:
when a certain process is created, first check the hash, internal name, etc. of the process, and determine whether to let the process continue or stop it.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to hook Create Process in Win7

Post by madshi »

If all else fails, you could perform the checks in the initialization of your hook dll, and then, if the process start is not allowed, call "TerminateProcess(GetCurrentProcess())". Not nice, not clean, but should work.
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: how to hook Create Process in Win7

Post by power888 »

NtCreateProcess(Ex) fails when UAC is activated and the process is executed with [Run as Administrator].

I think your suggestion would work. But first, I need to know which process should be terminated or not,
so I want to check it from a CreateProcessXX API hook or another API hook.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to hook Create Process in Win7

Post by madshi »

In the hook dll initialization you can simply use GetCurrentProcessId() and GetModuleFileName(0) to get the ID and full path + exe name of the newly started process. Then you can decide whether to allow the new process or not. Pretty straightforward, actually. BUT, very ugly and not clean. It'd be better to properly hook the process creation APIs. So I'd recommend trying to catch the run-as-admin process creation somehow (I don't know how). But you may still want to implement my suggestion as a last resort, so if your process creation hooks fail (for whatever reason), my suggestion would be your last line of defence...
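The fallback madshi describes in this reply, written out as an added example. This is not madCodeHook code and not either poster's code; the list entries, the digests and the function names (`decide_launch`, `sha256_file_hex`) are made up for the example. One piece of context explains why the CreateProcess hooks in the thread miss a "Run as administrator" launch in the first place: the elevated process is not created by the program the user clicked in. Explorer hands the request to the Application Information (AppInfo) service, which runs in a svchost.exe, shows the consent prompt and then creates the process itself with CreateProcessAsUser, so a hook in the caller's process never sees the call unless the hook DLL is also loaded in that service process. The fallback sidesteps that by running inside the child: at DLL_PROCESS_ATTACH it reads its own image path with GetModuleFileName(0), hashes the image on disk and terminates the process when the policy says so. The policy logic is portable C so it can be compiled and unit-tested on any host; the hashing (CryptoAPI) and DllMain are compiled only on Windows, where the file is built as a DLL.

```c
/* Added example for this thread (not madCodeHook's or the posters' code).
 * Policy part: portable C. DllMain + hashing: Windows only (build as a DLL).
 * All list entries and digests are constructed placeholders. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef enum { LAUNCH_DENY = 0, LAUNCH_ALLOW = 1 } launch_verdict;

/* GUARDED: programs whose image must match a known-good SHA-256 (hex).
 * DENIED_HASHES: images blocked no matter what the file is called. */
struct guarded { const char *basename; const char *sha256_hex; };
static const struct guarded GUARDED[] = {
    { "notepad.exe", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" },
    { "regedit.exe", "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210" },
};
static const char *const DENIED_HASHES[] = {
    "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
};

/* Last path component; GetModuleFileName yields backslashes, but accept both. */
const char *path_basename(const char *path)
{
    const char *base = path;
    for (; *path; path++)
        if (*path == '\\' || *path == '/') base = path + 1;
    return base;
}

/* ASCII case-insensitive equality: NTFS names and hex digests are caseless. */
static int str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Decide from (image path, SHA-256 hex of the image on disk). Pass "" when
 * hashing failed: a guarded name then never matches and is denied, while
 * programs the policy does not care about are left alone. */
launch_verdict decide_launch(const char *exe_path, const char *sha256_hex)
{
    const char *base = path_basename(exe_path);
    size_t i;
    /* 1. Known-bad image: renaming the file does not help the attacker. */
    for (i = 0; i < sizeof DENIED_HASHES / sizeof DENIED_HASHES[0]; i++)
        if (str_ieq(sha256_hex, DENIED_HASHES[i])) return LAUNCH_DENY;
    /* 2. Guarded name: the content must be the known-good one. A name match
     * alone proves nothing, since any binary can be called notepad.exe. */
    for (i = 0; i < sizeof GUARDED / sizeof GUARDED[0]; i++)
        if (str_ieq(base, GUARDED[i].basename))
            return str_ieq(sha256_hex, GUARDED[i].sha256_hex) ? LAUNCH_ALLOW : LAUNCH_DENY;
    /* 3. Not of interest to the policy. */
    return LAUNCH_ALLOW;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>

/* SHA-256 of a file via CryptoAPI (present on Win7/8.1): 64 hex chars + NUL. */
static int sha256_file_hex(const char *path, char out[65])
{
    HCRYPTPROV prov = 0; HCRYPTHASH hash = 0; BYTE buf[16384], digest[32];
    DWORD n, dlen = sizeof digest, i; int ok = 0;
    HANDLE f = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
    if (f == INVALID_HANDLE_VALUE) return 0;
    if (CryptAcquireContextA(&prov, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT) &&
        CryptCreateHash(prov, CALG_SHA_256, 0, 0, &hash)) {
        ok = 1;
        while (ok && ReadFile(f, buf, sizeof buf, &n, NULL) && n > 0)
            ok = CryptHashData(hash, buf, n, 0) != 0;
        if (ok && CryptGetHashParam(hash, HP_HASHVAL, digest, &dlen, 0)) {
            for (i = 0; i < 32; i++) sprintf(out + 2 * i, "%02x", digest[i]);
        } else {
            ok = 0;
        }
    }
    if (hash) CryptDestroyHash(hash);
    if (prov) CryptReleaseContext(prov, 0);
    CloseHandle(f);
    return ok;
}

/* Runs in every process the hook DLL is injected into; with injection at
 * process start this is before the EXE's own entry point executes. */
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    char exe[MAX_PATH], hex[65] = "";
    (void)inst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH && GetModuleFileNameA(NULL, exe, MAX_PATH)) {
        sha256_file_hex(exe, hex);              /* hex stays "" on failure */
        if (decide_launch(exe, hex) == LAUNCH_DENY)
            TerminateProcess(GetCurrentProcess(), 1);
    }
    return TRUE;
}
#endif
```

Two caveats a practitioner should keep in mind. First, the check runs after the process object already exists, so this is detect-and-kill, not prevention. Second, it only works if the DLL actually gets into the elevated process: an elevated process runs at high integrity, and a medium-integrity injector cannot open it for writing, which is why system-wide injection has to come from a service or a driver. Hashing a file and calling TerminateProcess from DllMain also happens under the loader lock, which is the "not nice, not clean" part madshi mentions; production code should additionally use the W variants of the APIs so non-ASCII paths survive.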
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: how to hook Create Process in Win7

Post by power888 »

Thanks..

OK. I understand your meaning..

First, I will try to find out how to hook create process (with Run as Administrator).

If that is impossible, I will apply your suggestion.

Thanks
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: how to hook Create Process in Win7

Post by power888 »

Hi. madshi..

I found the API.

When I use CreateProcessInternalW, the hook works well.

Thanks for your help
vic4key
Posts: 5
Joined: Wed Jun 24, 2015 5:57 am
Location: /dev/null

Re: how to hook Create Process in Win7

Post by vic4key »

Currently, it doesn't work on Windows 8.1 and later.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to hook Create Process in Win7

Post by madshi »

What exactly doesn't work? Some more details would be helpful.
vic4key
Posts: 5
Joined: Wed Jun 24, 2015 5:57 am
Location: /dev/null

Re: how to hook Create Process in Win7

Post by vic4key »

It's the same as the question at the top of this topic. It isn't working when I start a process with "Run as Administrator" in the right-click popup menu.
I've hooked some routines but it didn't work.
Currently, I'm trying to test with NtCreateSection, but it crashes! :?
See my code below:
PS: Ahh, I'm using Windows 8.1 x86!

// Hook DLL entry point. ATTACH/DETACH, T() and catMsg() are the poster's own
// helper macros (defined in the poster's pastebin, not shown here).
#include <windows.h>

extern "C" BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	switch (fdwReason) {
		case DLL_PROCESS_ATTACH:
			catMsg(T("***** DLL_PROCESS_ATTACH *****"));

			// Win32 layer (hooked in kernelbase.dll, where these live on Windows 8.1)
			ATTACH(T("kernelbase.dll"), T("CreateProcessW"), &HfnCreateProcessW, &pfnCreateProcessW)
			ATTACH(T("kernelbase.dll"), T("CreateProcessInternalW"), &HfnCreateProcessInternalW, &pfnCreateProcessInternalW)

			// Token-based variants exported by advapi32.dll
			ATTACH(T("advapi32.dll"), T("CreateProcessAsUserW"), &HfnCreateProcessAsUserW, &pfnCreateProcessAsUserW)
			ATTACH(T("advapi32.dll"), T("CreateProcessWithLogonW"), &HfnCreateProcessWithLogonW, &pfnCreateProcessWithLogonW)

			// Native layer in ntdll.dll (the NtCreateSection hook is disabled because it crashes)
			ATTACH(T("ntdll.dll"), T("NtCreateProcessEx"), &HfnNtCreateProcessEx, &pfnNtCreateProcessEx)
			ATTACH(T("ntdll.dll"), T("NtCreateProcess"), &HfnNtCreateProcess, &pfnNtCreateProcess)
			//ATTACH(T("ntdll.dll"), T("NtCreateSection"), &HfnNtCreateSection, &pfnNtCreateSection)

			// Shell launchers; "Run as administrator" goes through ShellExecute(Ex) with the "runas" verb
			ATTACH(T("shell32.dll"), T("ShellExecuteW"), &HfnShellExecuteW, &pfnShellExecuteW)
			ATTACH(T("shell32.dll"), T("ShellExecuteExW"), &HfnShellExecuteExW, &pfnShellExecuteExW)
		break;
		case DLL_PROCESS_DETACH:
			// Unhook in the same order so no hook outlives the DLL
			DETACH(T("kernelbase.dll"), T("CreateProcessW"), &pfnCreateProcessW)
			DETACH(T("kernelbase.dll"), T("CreateProcessInternalW"), &pfnCreateProcessInternalW)

			DETACH(T("advapi32.dll"), T("CreateProcessAsUserW"), &pfnCreateProcessAsUserW)
			DETACH(T("advapi32.dll"), T("CreateProcessWithLogonW"), &pfnCreateProcessWithLogonW)

			DETACH(T("ntdll.dll"), T("NtCreateProcessEx"), &pfnNtCreateProcessEx)
			DETACH(T("ntdll.dll"), T("NtCreateProcess"), &pfnNtCreateProcess)
			//DETACH(T("ntdll.dll"), T("NtCreateSection"), &pfnNtCreateSection)

			DETACH(T("shell32.dll"), T("ShellExecuteW"), &pfnShellExecuteW)
			DETACH(T("shell32.dll"), T("ShellExecuteExW"), &pfnShellExecuteExW)

			catMsg(T("***** DLL_PROCESS_DETACH *****"));
		break;
		default:;
	}

	return TRUE;
}
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to hook Create Process in Win7

Post by madshi »

"Isn't working" and "didn't work" is not a description worthy of a developer... :wink:

There are a couple of things you could/should be investigating: E.g. which process is calling the CreateProcess (or whatever other) API? Is your hook dll loaded in that process? If yes, does HookAPI report success or failure? If not, why not?

A crash when hooking a "new" API in 99.9% of the cases means that there's an error somewhere in your hook callback function definition or the next hook function variable definition. Make sure all parameters are correct and the calling convention, too. And both need to be 100% identical in the hook callback function, next hook definition and the original API, of course.
vic4key
Posts: 5
Joined: Wed Jun 24, 2015 5:57 am
Location: /dev/null

Re: how to hook Create Process in Win7

Post by vic4key »

Thanks for your feedback!

1. I checked; the hook succeeds, but I think Windows 8.1 (maybe Windows 8) or later has changed the method used to create a new process (with Administrator privilege), which makes my code not work.

2. The hook code for NtCreateSection is the same as the hook code for the other routines, so I don't think the error is caused by my hook code. You can see my full code here: http://pastebin.com/T1tJcRN6
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: how to hook Create Process in Win7

Post by madshi »

HfnNtCreateSection is missing NTAPI.
vic4key
Posts: 5
Joined: Wed Jun 24, 2015 5:57 am
Location: /dev/null

Re: how to hook Create Process in Win7

Post by vic4key »

Oh yeah. I forgot. I wasn't careful. Thanks!
Do you know another method/routine to detect a process that runs as Administrator?