WinRT Injection
-
- Posts: 88
- Joined: Fri Mar 21, 2008 4:52 am
- Location: Adelaide, South Australia
- Contact:
WinRT Injection
What are the considerations for hooking WinRT apps? I have a project with signed 32- and 64-bit DLLs that is set to inject into all sessions including services. It successfully injects into all Win32 and Win64 desktop applications as well as all services but does not seem to inject into WinRT apps.
Re: WinRT Injection
The hook dll must have NTFS read/execute rights for "ALL APPLICATION PACKAGES".
Re: WinRT Injection
Thanks Mathias!! That works fine now.
The only other thing I have noticed on Windows 8 is that the inject process seems to take a heap longer than on previous OSes. The injection process for the 64-bit seems to sit there for 5-10 seconds before it returns. Here is my debug view output:
As you can see there is a 6.9 second delay between the completion of the injection of all the processes and the InjectLibraryW returning. It seems to only be an issue for the 64 bit injection. Interestingly the uninjection times seem to correspond respectively, and again only for the 64 bit.
I have tested this on multiple Windows 8 systems and with different Hooking DLLs all with the same result.
Code:
0000001 0.00000000 [5952] LoadInjectionDriver
00000002 0.00568468 [5952] InjectLibraryW x86
00000003 0.08441624 [600] ** I am in process C:\Program Files (x86)\Stardock\Start8\Start8Srv.exe
00000004 0.08543201 [1404] ** I am in process C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
00000005 0.08593854 [2108] ** I am in process C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
00000006 0.08726583 [1760] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\WoW\coherence.exe
00000007 0.09412354 [3008] ** I am in process C:\hook\Dbgview.exe
00000008 0.09797350 [5952] InjectLibraryW x64
00000009 0.14692056 [396] ** I am in process C:\Windows\System32\csrss.exe
00000010 0.15230338 [504] ** I am in process C:\Windows\System32\winlogon.exe
00000011 0.15231365 [444] ** I am in process C:\Windows\System32\wininit.exe
00000012 0.15232663 [460] ** I am in process C:\Windows\System32\csrss.exe
00000013 0.15768710 [544] ** I am in process C:\Windows\System32\services.exe
00000014 0.15854590 [552] ** I am in process C:\Windows\System32\lsass.exe
00000015 0.16191590 [884] ** I am in process C:\Windows\System32\dwm.exe
00000016 0.16771619 [708] ** I am in process C:\Windows\System32\svchost.exe
00000017 0.17259641 [964] ** I am in process C:\Windows\System32\svchost.exe
00000018 0.18175705 [656] ** I am in process C:\Windows\System32\svchost.exe
00000019 0.18584546 [800] ** I am in process C:\Windows\System32\svchost.exe
00000020 0.19451044 [1740] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools_service.exe
00000021 0.19659269 [1632] ** I am in process C:\Program Files\Microsoft SQL Server\MSSQL11.DEVELOPMENT\MSSQL\Binn\sqlservr.exe
00000022 0.19778717 [744] ** I am in process C:\Program Files (x86)\Stardock\Start8\Start8_64.exe
00000023 0.20608960 [1228] ** I am in process C:\Windows\System32\spoolsv.exe
00000024 0.20612220 [768] ** I am in process C:\Windows\System32\svchost.exe
00000025 0.20641470 [896] ** I am in process C:\Windows\System32\svchost.exe
00000026 0.20819177 [2036] ** I am in process C:\Program Files\Microsoft SQL Server\MSRS11.DEVELOPMENT\Reporting Services\ReportServer\bin\ReportingServicesService.exe
00000027 0.21046782 [1020] ** I am in process C:\Windows\System32\svchost.exe
00000028 0.21390966 [3044] ** I am in process C:\Program Files\Microsoft SQL Server\MSSQL11.DEVELOPMENT\MSSQL\Binn\fdlauncher.exe
00000029 0.21450222 [1432] ** I am in process C:\Program Files (x86)\Embarcadero\RAD Studio\11.0\InterBaseXE3\bin\ibguard.exe
00000030 0.21829090 [3204] ** I am in process C:\Windows\System32\conhost.exe
00000031 0.22041510 [1528] ** I am in process C:\Program Files\Microsoft SQL Server\110\DTS\Binn\MsDtsSrvr.exe
00000032 0.22360639 [1604] ** I am in process C:\Program Files\Microsoft SQL Server\MSAS11.DEVELOPMENT\OLAP\bin\msmdsrv.exe
00000033 0.22415940 [4456] ** I am in process C:\Windows\System32\RuntimeBroker.exe
00000034 0.22617978 [2680] ** I am in process C:\Program Files\Microsoft SQL Server\MSSQL11.DEVELOPMENT\MSSQL\Binn\SQLAGENT.EXE
00000035 0.23219711 [1280] ** I am in process C:\Windows\System32\svchost.exe
00000036 0.23306043 [3700] ** I am in process C:\Windows\System32\svchost.exe
00000037 0.23310572 [3368] ** I am in process C:\Windows\System32\svchost.exe
00000038 0.24245200 [2156] ** I am in process C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
00000039 0.24657272 [3592] ** I am in process C:\Windows\explorer.exe
00000040 0.25084075 [4060] ** I am in process C:\Windows\System32\taskhostex.exe
00000041 0.25086883 [5060] ** I am in process C:\Windows\System32\taskeng.exe
00000042 0.25162530 [4624] ** I am in process C:\Windows\System32\SearchIndexer.exe
00000043 0.25734168 [2700] ** I am in process C:\Windows\System32\conhost.exe
00000044 0.25973788 [5952] ** I am in process C:\hook\Project1.exe
00000045 0.26296237 [3408] ** I am in process C:\Windows\System32\msdtc.exe
00000046 0.28836623 [2932] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\prl_cc.exe
00000047 0.28837621 [2380] ** I am in process C:\Windows\System32\dllhost.exe
00000048 0.29007387 [1732] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\coherence.exe
00000049 0.29100150 [1816] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\prl_tools.exe
00000050 0.30069342 [5044] ** I am in process C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE
00000051 0.30070096 [3196] ** I am in process C:\Program Files\Microsoft SQL Server\MSSQL11.DEVELOPMENT\MSSQL\Binn\fdhost.exe
00000052 0.30234942 [1856] ** I am in process C:\Windows\System32\dllhost.exe
00000053 0.30383310 [3144] ** I am in process C:\Program Files (x86)\Embarcadero\RAD Studio\11.0\InterBaseXE3\bin\ibserver.exe
00000054 0.30666757 [1704] ** I am in process C:\Program Files (x86)\Parallels\Parallels Tools\Services\coherence.exe
00000055 7.27089500 [5952] Finished Injection
Code:
00000001 0.00000000 [5952] UninjectLibraryW x64
00000002 7.05475140 [5952] UninjectLibraryW x86
00000003 7.06350994 [5952] StopInjectionDriver
00000004 7.06468534 [5952] Finished Uninjection
Re: WinRT Injection
InjectLibrary/UninjectLibrary has a timeout value which defaults to 7 seconds. So it seems that the timeout applies to you. You can work around the issue by simply dialing down the timeout. Injection/uninjection should still work just fine, even if you choose a timeout of e.g. 100 milliseconds. The only difference will be that madVR won't wait for injection/uninjection to complete before returning to you.
I'm not sure why injection in your case runs into the timeout, though. My best bet would be that those nasty WinRT processes that are often by default suspended, don't react to the injection request as long as they're still suspended. So madCodeHook will wait "endlessly" for them to report that injection succeeded. Injection *will* succeed, though, as soon as those processes are resumed by the OS. At the moment I have no solution for this, other than dialing down the timeout times.
Re: WinRT Injection
Yes, you are correct, it's due to the suspended processes. When I stop all suspended processes the injection works instantly with no delay.
I hate to be a pain but is there no way the injection can check the process suspend state before injecting into each process?
Re: WinRT Injection
I don't even know an API to check that. Do you?
Re: WinRT Injection
I have spent a couple of hours researching this and from what I can tell there is no native API for checking a process's suspend state. From what I have read so far, the only way to assume a process is suspended is when all its threads are suspended. This means that all threads must be checked for the suspended status. Assume the process is not suspended when the first active thread is found.
Here are a couple of random articles, the first of which is the best:
- http://vtopan.wordpress.com/2009/04/15/ ... ead-state/
- http://www.autoitscript.com/forum/topic ... suspended/
- http://stackoverflow.com/questions/4510 ... ded-or-not
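The all-threads-suspended heuristic described in the post above, as an added PowerShell example that is not part of the original thread or of madCodeHook. It relies on the .NET `System.Diagnostics` thread properties `ThreadState` and `WaitReason`; the function name `Test-ProcessSuspended` is hypothetical.

```powershell
# Added example: report a process as suspended only when every one of its
# threads is in the Wait state with wait reason "Suspended".
function Test-ProcessSuspended {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)

    try {
        $threads = @($Process.Threads)
    } catch {
        return $null    # process exited or access denied: state unknown
    }
    if ($threads.Count -eq 0) { return $null }

    foreach ($t in $threads) {
        try {
            # WaitReason is only valid while ThreadState is Wait, so the
            # state is tested first and -or short-circuits the second test.
            if ($t.ThreadState -ne [System.Diagnostics.ThreadState]::Wait -or
                $t.WaitReason -ne [System.Diagnostics.ThreadWaitReason]::Suspended) {
                return $false    # first active thread found: not suspended
            }
        } catch {
            return $null    # thread went away while being inspected
        }
    }
    return $true
}

# List the processes that currently look suspended (e.g. idle WinRT apps).
Get-Process | ForEach-Object {
    [pscustomobject]@{
        Id        = $_.Id
        Name      = $_.ProcessName
        Suspended = Test-ProcessSuspended -Process $_
    }
} | Where-Object { $_.Suspended } | Format-Table -AutoSize
```

The result is a snapshot: the OS can resume a suspended app at any moment, so a process reported as suspended may already be running again by the time the result is used.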
Re: WinRT Injection
Ok, thanks for researching this. I'll put this on my to do list, but it's not ultra high priority for me now because you can work around it by using a low timeout value. The only benefit of implementing specific support for this will be that (Un)InjectLibrary will return quickly even when using a large timeout value. So it's not really a critical issue, IMHO.
Re: WinRT Injection
We have some fallbacks in case the uninjection fails or doesn't finish in time, so it shouldn't be a big issue for us in the short term.
The only one thing I did notice, which I am not sure if it's of concern, is that if I increase the timeout value on both the injection and uninjection, the function call always runs up into the timeout. That's regardless of whether I set it to 30000, 60000, or even 120000, and that is also with only 1 suspended process on the workstation.
My worry is: does this mean that the un/injection halts on that suspended process and, if so, does this affect the un/injection of processes further in the list of running processes being un/injected?
Re: WinRT Injection
Injection/uninjection runs in parallel for all processes. So if one process stalls, this does not delay injection into other processes.
Re: WinRT Injection
Great