About PsSetCreateProcessNotifyRoutine in 64bit OS

power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

About PsSetCreateProcessNotifyRoutine in 64bit OS

Post by power888 »

Hi, madshi...

I have some issues with injection.

I already know that madCHook uses PsSetCreateProcessNotifyRoutine.

So, in XP, there is a limit of 8 injections (that's OK),

and in Win7 (32-bit), all hook DLLs are injected (maybe its limit is 64).

But with 32-bit applications under a Win7 64-bit OS,
==> only some of the DLLs are injected (maybe it has a limit of 8)
==> and at the same time, for 64-bit applications under the 64-bit OS, all hook DLLs are injected (works well)

What can I do to avoid the injection issues with 32-bit apps under a 64-bit OS?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: About PsSetCreateProcessNotifyRoutine in 64bit OS

Post by madshi »

For a 64bit OS you need a 64bit driver. The driver installs a PsSetCreateProcessNotifyRoutine and that routine is called for both 32bit and 64bit processes. So there's no difference between 32bit and 64bit processes here. Also, if injection works for some processes, then PsSetCreateProcessNotifyRoutine must work correctly. So the PsSetCreateProcessNotifyRoutine can't be the problem.

Please double check whether injection works alright with one of the precompiled demos (don't recompile them, test the binaries from the zip file, to make sure the problem doesn't come from your compiling process):

http://madshi.net/PrintMonitor.zip
http://madshi.net/HookProcessCreation.zip

Btw, I've just released a new madCodeHook build, so you might want to double check with that build:

http://madshi.net/madCollection.exe (madCodeHook 3.1.6, installer 2.7.8.0)
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: About PsSetCreateProcessNotifyRoutine in 64bit OS

Post by power888 »

Thanks for the reply...

I tested again with your printManager64, but the status is the same.

My test scenario:
Environment: Win7 - 64-bit OS
1) Load and inject the libraries (for example, I had loaded 7 DLLs)
2) Run ProcessExplorer.exe (for checking the DLLs attached in the process)
3) Run notepad.exe(x64) and Excel.exe(x86) or notepad.exe(x86)
4) Execute PrintMonitor64.exe
5) Now, HookPrintAPIs64.dll is attached to notepad.exe(x64), and HookPrintAPIs32.dll is attached to Excel.exe(x86) and notepad.exe(x86)
6) Terminate notepad.exe(x64), Excel.exe(x86) and notepad.exe(x86)
7) Execute notepad.exe(x64), Excel.exe(x86) and notepad.exe(x86) again
8) ** HookPrintAPIs64.dll is attached to notepad.exe(x64), BUT HookPrintAPIs32.dll is not attached to Excel.exe(x86) and notepad.exe(x86)
** With Win7 32-bit, it worked fine.
------------------------------------------------------------------------------------
** My driver/DLL loading method

if (!LoadInjectionDriver(DriverNameW, SysFile32W, SysFile64W)) {
    OutputDebugStringA("LoadInjectionDriver Error");
    return false;
}
result = InjectLibraryW(DriverNameW, DllFile32W, ALL_SESSIONS, true, szIncludeProcessW, szExcludeProcessW); // for 32
result = InjectLibraryW(DriverNameW, DllFile64W, ALL_SESSIONS, true, szIncludeProcessW, szExcludeProcessW); // for 64
------------------------------------------------------------------------------------

The same status happened with MadCHook 3.1.6.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: About PsSetCreateProcessNotifyRoutine in 64bit OS

Post by madshi »

7 dlls? Wow! Are you using one driver for all 7 dlls? Or are you using one driver for each dll? In the latter case you'd consume 7 PsSetCreateProcessNotifyRoutine slots, of course. So if possible it would be a good idea to use one driver for all 7 dlls.

Anyway, I just started my win7 x64 PC and then did the following test:

(1) download PrintMonitor demo
(2) start ProcessExplorer.exe
(3) run notepad.exe(x64) and notepad.exe(x86) (no Excel installed on this PC)
(4) execute PrintMonitor64.exe
(5) HookPrintAPIs??.dll are properly injected
(6) close both notepads friendly, and restart both
(7) HookPrintAPIs??.dll are properly injected
(8) terminate both notepads with "processes" tab in task manager, and restart both
(9) HookPrintAPIs??.dll are properly injected

So there's no problem here. Everything works as intended. If I can't reproduce a problem, I can't do anything about it. Does everything work for you if you only start the PrintMonitor demo, but none of your own projects?

Version 3.1.4 unfortunately had a bug which made it somewhat incompatible with all other versions, when using RDP. Is it possible that one of your drivers was compiled with 3.1.4 and that you've tested this with RDP? Try recompiling all drivers with 3.1.6. Also try using only one driver for all hook dlls. If you can't get it to work, I'd need a demo project (with full source code) with which I can reproduce the problem on my PC.
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: About PsSetCreateProcessNotifyRoutine in 64bit OS

Post by power888 »

Hi?

After reducing 7 drivers to one driver (using one driver for all DLLs), the problem is cleared.

BTW, is there any method to check whether a DLL is loaded or not?
(for example IsInjectLibrary(DriverName, DllFileName) like IsInjectionDriverRunning API)
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: About PsSetCreateProcessNotifyRoutine in 64bit OS

Post by madshi »

There currently is no simple API that allows you to check whether a dll was injected to another process. However, IIRC, psapi has a dll enumeration API for other processes?
power888
Posts: 54
Joined: Sat May 23, 2009 8:55 am

Re: About PsSetCreateProcessNotifyRoutine in 64bit OS

Post by power888 »

Yes, then I used DLL enumeration for the process (psapi).

Thanks
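
Added example, not part of the original thread and not madCodeHook code: the psapi module enumeration mentioned in the last two posts, used to check whether a hook DLL is loaded in a given process, including a 32-bit process inspected from a 64-bit checker. The helper names `module_path_matches` and `is_dll_loaded` are made up for this illustration; the enumeration part builds only on Windows.

```c
#include <ctype.h>

/* Case-insensitive match of a module path's file name against dll_name. */
int module_path_matches(const char *path, const char *dll_name)
{
    const char *base = path;
    for (const char *p = path; *p; ++p)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    for (; *base && *dll_name; ++base, ++dll_name)
        if (tolower((unsigned char)*base) != tolower((unsigned char)*dll_name))
            return 0;
    return *base == '\0' && *dll_name == '\0';
}

#ifdef _WIN32   /* the enumeration itself needs the Windows SDK; link psapi.lib */
#include <windows.h>
#include <psapi.h>

/* Hypothetical helper: 1 = loaded, 0 = not loaded, -1 = process not inspectable. */
int is_dll_loaded(DWORD pid, const char *dll_name)
{
    HMODULE mods[1024];
    DWORD needed = 0, count, i;
    int found = 0;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h)
        return -1;
    /* LIST_MODULES_ALL: list both the 32-bit and 64-bit modules, so a 64-bit
       caller sees the DLLs of a WOW64 (32-bit) process. */
    if (!EnumProcessModulesEx(h, mods, sizeof(mods), &needed, LIST_MODULES_ALL)) {
        CloseHandle(h);
        return -1;
    }
    count = needed / sizeof(HMODULE);
    if (count > 1024)
        count = 1024;               /* more modules than the buffer holds */
    for (i = 0; i < count && !found; ++i) {
        char path[MAX_PATH];
        if (GetModuleFileNameExA(h, mods[i], path, MAX_PATH))
            found = module_path_matches(path, dll_name);
    }
    CloseHandle(h);
    return found;
}
#endif
```

Build the checker as a 64-bit binary on a 64-bit OS; a 32-bit build running under WOW64 can only enumerate the modules of 32-bit processes.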