WinRT Injection

choochy2003
Posts: 88
Joined: Fri Mar 21, 2008 4:52 am
Location: Adelaide, South Australia

WinRT Injection

Post by choochy2003 »

What are the considerations for hooking WinRT Apps? I have a project with signed 32- and 64-bit DLLs that is set to inject into all sessions including services. It successfully injects into all Win32 and Win64 desktop applications as well as all services, but does not seem to inject into WinRT apps.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: WinRT Injection

Post by madshi »

The hook dll must have NTFS read/execute rights for "ALL APPLICATION PACKAGES".
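Added example (not madCodeHook code and not posted by madshi): a PowerShell check for the requirement above, verifying and if needed granting Read & Execute on the hook DLL to "ALL APPLICATION PACKAGES" (well-known SID S-1-15-2-1, the group AppContainer/WinRT processes run under). The DLL path is an assumed placeholder.

```powershell
# Added example, not part of madCodeHook. Checks whether a file grants
# Read & Execute to ALL APPLICATION PACKAGES (S-1-15-2-1) and fixes it if not.
function Test-AppPackageAccess {
    param([Parameter(Mandatory)][string]$Path)
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-15-2-1'
    $acl  = Get-Acl -LiteralPath $Path          # includes inherited ACEs
    $need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($ace in $acl.Access) {
        # Normalize the ACE principal to a SID so the comparison is locale-independent
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -eq $sid -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $need) -eq $need)) {
            return $true
        }
    }
    return $false
}

function Grant-AppPackageAccess {
    param([Parameter(Mandatory)][string]$Path)
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-15-2-1'
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $sid, 'ReadAndExecute', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl   # requires write-DAC rights on the file
}

# Placeholder paths: run this for both the 32-bit and the 64-bit hook DLL.
foreach ($dll in 'C:\hook\HookDll32.dll', 'C:\hook\HookDll64.dll') {
    if (-not (Test-AppPackageAccess $dll)) { Grant-AppPackageAccess $dll }
    "{0}: AppPackage RX = {1}" -f $dll, (Test-AppPackageAccess $dll)
}
```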
choochy2003

Re: WinRT Injection

Post by choochy2003 »

Thanks Mathias!! That works fine now.

The only other thing I have noticed on Windows 8 is that the inject process seems to take a heap longer than on previous OSes. The injection process for the 64-bit seems to sit there for 5-10 seconds before it returns. Here is my DebugView output:

0000001	0.00000000	[5952] LoadInjectionDriver	
00000002	0.00568468	[5952] InjectLibraryW x86	
00000003	0.08441624	[600] ** I am in process C:\Program Files (x86)\Stardock\Start8\Start8Srv.exe	
00000004	0.08543201	[1404] ** I am in process C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	
00000005	0.08593854	[2108] ** I am in process C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe	
00000006	0.08726583	[1760] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\WoW\coherence.exe	
00000007	0.09412354	[3008] ** I am in process C:\hook\Dbgview.exe	
00000008	0.09797350	[5952] InjectLibraryW x64	
00000009	0.14692056	[396] ** I am in process C:\Windows\System32\csrss.exe	
00000010	0.15230338	[504] ** I am in process C:\Windows\System32\winlogon.exe	
00000011	0.15231365	[444] ** I am in process C:\Windows\System32\wininit.exe	
00000012	0.15232663	[460] ** I am in process C:\Windows\System32\csrss.exe	
00000013	0.15768710	[544] ** I am in process C:\Windows\System32\services.exe	
00000014	0.15854590	[552] ** I am in process C:\Windows\System32\lsass.exe	
00000015	0.16191590	[884] ** I am in process C:\Windows\System32\dwm.exe	
00000016	0.16771619	[708] ** I am in process C:\Windows\System32\svchost.exe	
00000017	0.17259641	[964] ** I am in process C:\Windows\System32\svchost.exe	
00000018	0.18175705	[656] ** I am in process C:\Windows\System32\svchost.exe	
00000019	0.18584546	[800] ** I am in process C:\Windows\System32\svchost.exe	
00000020	0.19451044	[1740] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools_service.exe	
00000021	0.19659269	[1632] ** I am in process C:\Program Files\Microsoft SQL Server\MSSQL11.DEVELOPMENT\MSSQL\Binn\sqlservr.exe	
00000022	0.19778717	[744] ** I am in process C:\Program Files (x86)\Stardock\Start8\Start8_64.exe	
00000023	0.20608960	[1228] ** I am in process C:\Windows\System32\spoolsv.exe	
00000024	0.20612220	[768] ** I am in process C:\Windows\System32\svchost.exe	
00000025	0.20641470	[896] ** I am in process C:\Windows\System32\svchost.exe	
00000026	0.20819177	[2036] ** I am in process C:\Program Files\Microsoft SQL Server\MSRS11.DEVELOPMENT\Reporting Services\ReportServer\bin\ReportingServicesService.exe	
00000027	0.21046782	[1020] ** I am in process C:\Windows\System32\svchost.exe	
00000028	0.21390966	[3044] ** I am in process C:\Program Files\Microsoft SQL Server\MSSQL11.DEVELOPMENT\MSSQL\Binn\fdlauncher.exe	
00000029	0.21450222	[1432] ** I am in process C:\Program Files (x86)\Embarcadero\RAD Studio\11.0\InterBaseXE3\bin\ibguard.exe	
00000030	0.21829090	[3204] ** I am in process C:\Windows\System32\conhost.exe	
00000031	0.22041510	[1528] ** I am in process C:\Program Files\Microsoft SQL Server\110\DTS\Binn\MsDtsSrvr.exe	
00000032	0.22360639	[1604] ** I am in process C:\Program Files\Microsoft SQL Server\MSAS11.DEVELOPMENT\OLAP\bin\msmdsrv.exe	
00000033	0.22415940	[4456] ** I am in process C:\Windows\System32\RuntimeBroker.exe	
00000034	0.22617978	[2680] ** I am in process C:\Program Files\Microsoft SQL Server\MSSQL11.DEVELOPMENT\MSSQL\Binn\SQLAGENT.EXE	
00000035	0.23219711	[1280] ** I am in process C:\Windows\System32\svchost.exe	
00000036	0.23306043	[3700] ** I am in process C:\Windows\System32\svchost.exe	
00000037	0.23310572	[3368] ** I am in process C:\Windows\System32\svchost.exe	
00000038	0.24245200	[2156] ** I am in process C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe	
00000039	0.24657272	[3592] ** I am in process C:\Windows\explorer.exe	
00000040	0.25084075	[4060] ** I am in process C:\Windows\System32\taskhostex.exe	
00000041	0.25086883	[5060] ** I am in process C:\Windows\System32\taskeng.exe	
00000042	0.25162530	[4624] ** I am in process C:\Windows\System32\SearchIndexer.exe	
00000043	0.25734168	[2700] ** I am in process C:\Windows\System32\conhost.exe	
00000044	0.25973788	[5952] ** I am in process C:\hook\Project1.exe	
00000045	0.26296237	[3408] ** I am in process C:\Windows\System32\msdtc.exe	
00000046	0.28836623	[2932] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\prl_cc.exe	
00000047	0.28837621	[2380] ** I am in process C:\Windows\System32\dllhost.exe	
00000048	0.29007387	[1732] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\coherence.exe	
00000049	0.29100150	[1816] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe	
00000050	0.30069342	[5044] ** I am in process C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE	
00000051	0.30070096	[3196] ** I am in process C:\Program Files\Microsoft SQL Server\MSSQL11.DEVELOPMENT\MSSQL\Binn\fdhost.exe	
00000052	0.30234942	[1856] ** I am in process C:\Windows\System32\dllhost.exe	
00000053	0.30383310	[3144] ** I am in process C:\Program Files (x86)\Embarcadero\RAD Studio\11.0\InterBaseXE3\bin\ibserver.exe	
00000054	0.30666757	[1704] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\coherence.exe	
00000055	7.27089500	[5952] Finished Injection
As you can see, there is a 6.9 second delay between the completion of the injection of all the processes and InjectLibraryW returning. It seems to only be an issue for the 64-bit injection. Interestingly, the uninjection times seem to correspond respectively, and again only for the 64-bit.

00000001	0.00000000	[5952] UninjectLibraryW x64	
00000002	7.05475140	[5952] UninjectLibraryW x86	
00000003	7.06350994	[5952] StopInjectionDriver	
00000004	7.06468534	[5952] Finished Uninjection
I have tested this on multiple Windows 8 systems and with different Hooking DLLs all with the same result.
madshi

Re: WinRT Injection

Post by madshi »

InjectLibrary/UninjectLibrary has a timeout value which defaults to 7 seconds. So it seems that the timeout applies to you. You can work around the issue by simply dialing down the timeout. Injection/uninjection should still work just fine, even if you choose a timeout of e.g. 100 milliseconds. The only difference will be that madVR won't wait for injection/uninjection to complete before returning to you.

I'm not sure why injection in your case runs into the timeout, though. My best bet would be that those nasty WinRT processes, which are often suspended by default, don't react to the injection request as long as they're still suspended. So madCodeHook will wait "endlessly" for them to report that injection succeeded. Injection *will* succeed, though, as soon as those processes are resumed by the OS. At the moment I have no solution for this, other than dialing down the timeout times.
choochy2003

Re: WinRT Injection

Post by choochy2003 »

Yes, you are correct, it's due to the suspended processes. When I stop all suspended processes the injection works instantly with no delay.

I hate to be a pain but is there no way the injection can check the process suspend state before injecting into each process?
madshi

Re: WinRT Injection

Post by madshi »

I don't even know an API to check that. Do you?
choochy2003

Re: WinRT Injection

Post by choochy2003 »

I have spent a couple of hours researching this and, from what I can tell, there is no native API for checking a process's suspend state. From what I have read so far, the only way to assume a process is suspended is when all its threads are suspended. This means that all threads must be checked for the suspended status. Assume the process is not suspended when the first active thread is found.

Here are a couple of random articles, the first of which is the best:
- http://vtopan.wordpress.com/2009/04/15/ ... ead-state/
- http://www.autoitscript.com/forum/topic ... suspended/
- http://stackoverflow.com/questions/4510 ... ded-or-not
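Added example (not madCodeHook code and not from either poster): the thread-by-thread rule from the post above, implemented as a PowerShell diagnostic over System.Diagnostics.Process, so you can list which processes on a Windows 8 box are fully suspended and would therefore stall (Un)InjectLibrary until its timeout. It assumes the .NET ThreadState/WaitReason properties are available, which they are on the desktop runtime.

```powershell
# Added example, not part of madCodeHook. A process counts as suspended only when
# every thread is in the Wait state with WaitReason Suspended; the first thread
# in any other state proves the process is active.
function Test-ProcessSuspended {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    try {
        $threads = $Process.Threads          # snapshot; no process handle needed
    } catch {
        return $false                        # process vanished between enumerations
    }
    if ($threads.Count -eq 0) { return $false }
    foreach ($t in $threads) {
        if ($t.ThreadState -ne [System.Diagnostics.ThreadState]::Wait) {
            return $false                    # runnable/running thread: not suspended
        }
        # WaitReason is only valid while ThreadState is Wait (checked just above)
        if ($t.WaitReason -ne [System.Diagnostics.ThreadWaitReason]::Suspended) {
            return $false                    # waiting on something else, not suspended
        }
    }
    return $true
}

# Report every suspended process; these are the candidates for the injection stall.
Get-Process |
    Where-Object { Test-ProcessSuspended -Process $_ } |
    Select-Object Id, ProcessName, @{ n = 'Threads'; e = { $_.Threads.Count } }
```

Run it while a Store app is in the background and again after closing it to compare against the InjectLibraryW timing in the DebugView log above.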
madshi

Re: WinRT Injection

Post by madshi »

Ok, thanks for researching this. I'll put this on my to-do list, but it's not ultra high priority for me now because you can work around it by using a low timeout value. The only benefit of implementing specific support for this will be that (Un)InjectLibrary will return quickly even when using a large timeout value. So it's not really a critical issue, IMHO.
choochy2003

Re: WinRT Injection

Post by choochy2003 »

We have some fallbacks in case the uninjection fails or doesn't finish in time, so it shouldn't be a big issue for us in the short term.

The only thing I did notice, which I am not sure is of concern, is that if I increase the timeout value on both the injection and uninjection, the function call always runs up into the timeout. That's regardless of whether I set it to 30000, 60000, or even 120000, and that also with only 1 suspended process on the workstation.

My worry is: does this mean that the un/injection halts on that suspended process, and if so, does this affect the un/injection of processes further down the list of running processes being un/injected?
madshi

Re: WinRT Injection

Post by madshi »

Injection/uninjection runs in parallel for all processes. So if one process stalls, this does not delay injection into other processes.
choochy2003

Re: WinRT Injection

Post by choochy2003 »

Great :D