Cannot inject dll into CSRSS on Vista only
Hi,
Trying to use the following code to inject a test dll into CSRSS on Vista fails. The test DLL is an "empty" dll with no functionality.
Injection works well on any other process, and on Windows 7.
PS: OpenProcess succeeds; the injection itself fails.
Any idea?
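
    #include <windows.h>
    #include <tchar.h>
    #include <stdio.h>
    #include "madCHook.h"   // madCodeHook (MCH): InitializeMadCHook, InjectLibraryW

    // Unicode build assumed: argv is wide (_wtoi, InjectLibraryW, %S in printf).
    int _tmain(int argc, _TCHAR* argv[])
    {
        BOOL b = FALSE;
        InitializeMadCHook();
        if (argc < 3)
        {
            printf("Usage: %S <pid> <dll>\n", argv[0]);
            return 0;
        }
        int pid = _wtoi(argv[1]);

        // Enable SeDebugPrivilege on the current process token.
        // Note: none of these three calls has its return value checked.
        HANDLE htoken;
        OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &htoken);
        TOKEN_PRIVILEGES tokenpriv;
        tokenpriv.PrivilegeCount = 1;
        tokenpriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tokenpriv.Privileges[0].Luid);
        AdjustTokenPrivileges(htoken, FALSE, &tokenpriv, sizeof(tokenpriv), NULL, NULL);

        // Open the target process and hand the handle to madCodeHook.
        HANDLE hproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)pid);
        if (hproc)
        {
            printf("OpenProcess success, trying InjectLibrary\n");
            b = InjectLibraryW(argv[2], hproc, 10000);   // third argument: timeout
        }
        else
        {
            printf("OpenProcess failed %lu\n", GetLastError());
            return 0;
        }
        printf("inject in to process %d b = %s\n", pid, b ? "TRUE" : "FALSE");
        return 0;
    }
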
thanks
Re: Cannot inject dll into CSRSS on Vista only
Call GetLastError() directly after calling InjectLibraryW() and show what it returns.
--Iconic
Re: Cannot inject dll into CSRSS on Vista only
Iconic,
The return error is 998. The process has of course all the necessary permissions, privileges and runs elevated.
But we found an even stranger thing: http://web.trustware.com/eyal/injection.png
As you can see, -executable- files manage to get injected properly into csrss.exe, but -dlls- don't!!
By the way, Process Monitor shows Load Image performed by csrss.exe on that DLL, but it then fails (and doesn't appear in Process Explorer in csrss.exe).
We're at a loss..
Re: Cannot inject dll into CSRSS on Vista only
Are you running a 32-bit or 64-bit Windows Vista and what version of MCH? Also, are you sure no security software is interfering?
--Iconic
Re: Cannot inject dll into CSRSS on Vista only
It happens on Vista 32 bit as well as on 64 bit.
There are no security apps installed.
This was tested with 3.0.1
Thanks
Re: Cannot inject dll into CSRSS on Vista only
Hmm, if I uploaded a test app binary (with my own hook library functions) you could see if that works, quite curious myself now. My package doesn't hook or inject like MCH, it's very different internally. Have you ruled out other libraries or is this something specific to MCH?
--Iconic
Re: Cannot inject dll into CSRSS on Vista only
Hi
Yes please, I will be able to test if you provide the test app.
Regards
Re: Cannot inject dll into CSRSS on Vista only
Apologies for the delay, I've been very busy lately. You can download my test injector here:
www.bugczech.fu8.com/TestInjector.zip
Please refer to the ReadMe.txt file first. Let me know if injection is successful or not. You can use Process Explorer to verify this completely.
--Iconic
Re: Cannot inject dll into CSRSS on Vista only
Any news on the result? I am more than curious to see what is going on myself.
--Iconic
Re: Cannot inject dll into CSRSS on Vista only
Hi, any news on that topic?
I tried the example you posted, but with no success on a Vista 32-bit machine, running it as admin.