switching user session new csrss not injected

c++ / delphi package - dll injection and api hooking
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

switching user session new csrss not injected

Post by iconic »

@Madshi

Inject a DLL globally (all_sessions or system_processes) and switch sessions to a different user: csrss in the newest session is not injected when the process is newly created. Verified with Process Explorer on XP+ regardless of OS bitdepth. The problem lies within csrss not executing any pending APCs or calling NtTestAlert (which IIRC you hook to make this possible from your driver).

P.S: Using madCodeHook v2.x in Delphi 7

--Iconic
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: switching user session new csrss not injected

Post by madshi »

Actually I have extra code in place which checks for native processes and skips injection into them. csrss is a native process, IIRC, so injection is intentionally not performed. I'm not sure if it would work if I tried.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: switching user session new csrss not injected

Post by iconic »

@Madshi

After the new session's csrss is "initialized" it _can_ be injected by madCodeHook since it does load kernel32.dll but it is never injected from your driver when it's being newly created, most likely due to a native subsystem check you mentioned that you are performing. If you inject a DLL system-wide and use XP fast-user switching to login as another user the other instance of csrss will now be running. If you then immediately switch back to the previous session you can open up Process Explorer and see that the newest csrss has not loaded your DLL as noted... if you reinject as it's still running in your original session you will see that your DLL is now loaded correctly.

--Iconic
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: switching user session new csrss not injected

Post by madshi »

I would say that's rather a bug in the user mode part. The driver intentionally doesn't inject into native processes, so user mode should not do that either. However, it doesn't seem to hurt, so it's probably not something worth worrying about. I don't remember why I excluded native processes from injection, but I'm sure I had a good reason. I vaguely remember stability issues, but I'm not really sure.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: switching user session new csrss not injected

Post by iconic »

You probably exclude a native process from injection due to the fact that a true native process such as smss wouldn't depend on/load kernel32.dll since ntdll is all it really needs, making 99% of injected DLLs useless or crash prone. I am not worried about this particular instance of csrss as madCodeHook does a nice job, but I thought I would bring this to your attention as it is odd surrounding the tested circumstances.

--Iconic
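One way to script the Process Explorer check described in this thread, as an added example that is not part of the thread or of madCodeHook: it lists every csrss instance per session and reports whether ntdll.dll, kernel32.dll and a named DLL are loaded, so a process that has ntdll but no kernel32 (the "native" case discussed above) stands out. The DLL name is a placeholder, the script must run elevated, and module enumeration still fails for protected processes (csrss is a protected process on Windows 8.1 and later), which the script records rather than aborting on.

```powershell
# Added example, not madCodeHook code. Assumes an elevated PowerShell session.
param(
    [string]$DllName = 'MyHook.dll'   # placeholder: name of the injected DLL under test
)

function Get-ModuleLoadReport {
    param([string]$TargetDll)

    $target = $TargetDll.ToLowerInvariant()
    Get-Process | ForEach-Object {
        $proc = $_
        $mods = $null
        $err  = $null
        try {
            # Reading .Modules throws (access denied) for protected processes or
            # when not elevated; record the message instead of stopping the scan.
            $mods = @($proc.Modules | ForEach-Object { $_.ModuleName.ToLowerInvariant() })
        } catch {
            $err = $_.Exception.Message
        }
        $haveList = ($null -ne $mods) -and ($mods.Count -gt 0)
        [pscustomobject]@{
            Name        = $proc.ProcessName
            Pid         = $proc.Id
            SessionId   = $proc.SessionId
            HasNtdll    = if ($haveList) { $mods -contains 'ntdll.dll' }    else { $null }
            HasKernel32 = if ($haveList) { $mods -contains 'kernel32.dll' } else { $null }
            HasTarget   = if ($haveList) { $mods -contains $target }        else { $null }
            # "Native only": ntdll present but kernel32 absent, the case the thread discusses.
            NativeOnly  = if ($haveList) { ($mods -contains 'ntdll.dll') -and -not ($mods -contains 'kernel32.dll') } else { $null }
            Error       = $err
        }
    }
}

# Compare the csrss instances across sessions, one row per session, as in the
# fast-user-switching test described above.
Get-ModuleLoadReport -TargetDll $DllName |
    Where-Object { $_.Name -eq 'csrss' } |
    Sort-Object SessionId |
    Format-Table Pid, SessionId, HasNtdll, HasKernel32, HasTarget, NativeOnly, Error -AutoSize
```

Drop the `Where-Object` filter to audit every process in every session; a row with `HasKernel32` false and `HasTarget` false is expected for a process that only depends on ntdll.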