Process Injection Issue

choochy2003
Posts: 88
Joined: Fri Mar 21, 2008 4:52 am
Location: Adelaide, South Australia

Process Injection Issue

Post by choochy2003 »

Madshi

It seems there is a slight nuance in the injection of Task Manager when starting it with Ctrl+Alt+Del on Windows XP. If I start the Task Manager by right-clicking on the taskbar or via direct execution, the injection of the hook DLL works fine. However, if I press Ctrl+Alt+Del and click Task Manager, it seems that the hook DLL does not get injected at all (this is verified using Process Explorer). Also, strangely, this does not happen on any Windows version other than Windows XP.

This is using the latest release with Delphi XE3 Update 2.

Regards

Chris
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Process Injection Issue

Post by madshi »

Hi Chris,

Probably you're only injecting into user processes but not into system processes? My best guess is that when starting the taskman via Ctrl+Alt+Del, it's running as a system process. You could work around it by doing another InjectLibrary() call for system processes with an include list of "taskman.exe". This way the 2nd InjectLibrary() call would inject your hook dll into all "taskman.exe" processes, regardless of whether they run as system or user processes. At the same time the 2nd InjectLibrary() call would not affect any other system processes.
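The two-call approach described above, written out as an added Delphi example (not code from the thread or from madCodeHook's own samples). It assumes the madCodeHook 3 driver-based API as documented in madCodeHook.pas: LoadInjectionDriver(driverName, driverFile32, driverFile64) and InjectLibrary(driverName, libFileName, session, systemProcesses, includeMask, ...). The driver name, driver file names and hook DLL path are placeholders; check the parameter list against your installed madCodeHook.pas before use.

```delphi
unit HookInstaller;

interface

uses
  Windows, madCodeHook;

const
  // Assumed names: the injection driver registered by your installer and the hook DLL to inject.
  DriverName   = 'MyHookDrv';
  DriverFile32 = 'C:\Program Files\MyHook\MyHookDrv32.sys';
  DriverFile64 = 'C:\Program Files\MyHook\MyHookDrv64.sys';
  HookDll      = 'C:\Program Files\MyHook\HookDll.dll';

function InstallHooks: Boolean;
procedure RemoveHooks;

implementation

function InstallHooks: Boolean;
begin
  // The driver must be loaded before InjectLibrary(driverName, ...) can be used (assumed prerequisite).
  Result := LoadInjectionDriver(DriverName, DriverFile32, DriverFile64);
  if not Result then
    Exit;

  // 1st call: every user process in every session; system processes are left alone (systemProcesses = False).
  Result := InjectLibrary(DriverName, HookDll, ALL_SESSIONS, False);
  if not Result then
    Exit;

  // 2nd call: system processes as well, but restricted by the include mask to taskman.exe.
  // This catches the Task Manager started via Ctrl+Alt+Del on XP, which the driver sees as a
  // system process, without touching any other system process.
  Result := InjectLibrary(DriverName, HookDll, ALL_SESSIONS, True, 'taskman.exe');
end;

procedure RemoveHooks;
begin
  // Undo both injection requests with matching parameters.
  UninjectLibrary(DriverName, HookDll, ALL_SESSIONS, True, 'taskman.exe');
  UninjectLibrary(DriverName, HookDll, ALL_SESSIONS, False);
end;

end.
```

The order matters only for clarity: the include mask on the second call is what keeps the system-process injection narrow, so a mismatch there (for example a mask of "*.exe") would silently widen the hook's footprint to every system process, which is exactly what the first call avoided.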
choochy2003

Re: Process Injection Issue

Post by choochy2003 »

Madshi

You are a very smart guy :D That now works fine.

Strange. I assumed that because Task Manager always starts under the user session and it's a standard process, not a service, it should be exactly the same. And on all other OSes it does not do this.

Thanks

Chris
madshi

Re: Process Injection Issue

Post by madshi »

:D

There is a similar problem with RunAs processes in one specific OS. Those processes start as a system process, then the madCodeHook driver is informed about the new process, and only after that the process switches to the requested user. So basically madCodeHook makes its decisions based on the wrong user. Nothing I can do about it, bug in the OS. I don't remember which OS the RunAs problem occurred on. Maybe also XP. Maybe Ctrl+Alt+Del even does use RunAs internally...