Cannot inject dll into CSRSS on Vista only

[ros17]

Hi,

Trying to use the following code to inject a test dll into CSRSS on Vista fails. The test DLL is an "empty" dll with no functionality.
Injection works well on any other process, and on Windows 7 .
PS- Open Process succeeds, the injection itself fails

Any idea?

int _tmain(int argc, _TCHAR* argv[])
{
BOOL b = FALSE;
InitializeMadCHook();
if (argc < 3)
{
printf("Usage: %S <pid> <dll>\n", argv[0]);
return 0;
}
int pid = _wtoi(argv[1]);
HANDLE htoken;
OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &htoken);
TOKEN_PRIVILEGES tokenpriv;
tokenpriv.PrivilegeCount = 1;
tokenpriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tokenpriv.Privileges[0].Luid);
AdjustTokenPrivileges(htoken, FALSE, &tokenpriv, sizeof(tokenpriv), NULL, NULL);
HANDLE hproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)pid);
if (hproc)
{
printf("OpenProcess success, trying InjectLibrary\n");
b = InjectLibraryW(argv[2], hproc, 10000);
}
else
{
printf("OpenProcess failed %d\n", GetLastError());
return 0;
}

printf("inject in to process %d b = %s\n", pid, b? "TRUE": "FALSE");
return 0;
}

thanks

[iconic]

Call GetLastError() directly after calling InjectLibraryW() and show what it returns.

--Iconic

[ros17]

Iconic,
The return error is 998. The process has of course all the necessary permissions, privileges and runs elevated.
But we found an even stranger thing: http://web.trustware.com/eyal/injection.png
As you can see, -executable- files manager to get injected properly into csrss.exe, but -dlls- don't!!
By the way, Process monitor shows Load Image performed by csrss.exe on that DLL, but.. it then fails (and doesn't appear in Process Explorer in csrss.exe)

We're at a loss..

[iconic]

Are you running a 32-bit or 64-bit Windows Vista and what version of MCH? Also, are you sure no security software is interfering?

--Iconic

[ros17]

It happens on Vista 32 bit as well as on 64 bit.
There are no security apps installed.
This was tested with 3.0.1
Thanks

[iconic]

Hmm, if I uploaded a test app binary (with my own hook library functions) you could see if that works, quite curious myself now. My package doesn't hook or inject like MCH, it's very different internally. Have you ruled out other libraries or is this something specific to MCH?

--Iconic

[ros17]

Hi

Yes please, I will be able to test if you provide the test app.

Regards

[iconic]

Apologize for the delay, been very busy lately. You can download my test injector here

www.bugczech.fu8.com/TestInjector.zip

Please refer to the ReadMe.txt file first. Let me know if injection is successful or not. You can use Process Explorer to verify this completely.

--Iconic

[iconic]

Any news on the result? I am more than curious to see what is going on myself

--Iconic

[Gallo_Teo]

Hi any news on that topic ?
i tried the example you posted but with no success on a vista 32 bit machine running it as admin