About PsSetCreateProcessNotifyRoutine in 64bit OS
Hi. madshi...
I've got some injection issues.
I already know that madCHook uses PsSetCreateProcessNotifyRoutine.
So, in XP, there is a limit of 8 for injection (that's OK),
and in Win7 (32-bit), all dll hooks are injected (maybe its limit is 64).
But with a 32-bit application under a Win7 64-bit OS,
==> only some of the injections happen (maybe it has a limit of 8),
==> and at the same time, for a 64-bit application under the 64-bit OS, all dll hooks are injected (worked well).
What can I do to avoid injection issues with a 32-bit app under a 64-bit OS?
Re: About PsSetCreateProcessNotifyRoutine in 64bit OS
For a 64bit OS you need a 64bit driver. The driver installs a PsSetCreateProcessNotifyRoutine and that routine is called for both 32bit and 64bit processes. So there's no difference between 32bit and 64bit processes here. Also, if injection works for some processes, then PsSetCreateProcessNotifyRoutine must work correctly. So the PsSetCreateProcessNotifyRoutine can't be the problem.
Please double check whether injection works alright with one of the precompiled demos (don't recompile them, test the binaries from the zip file, to make sure the problem doesn't come from your compiling process):
http://madshi.net/PrintMonitor.zip
http://madshi.net/HookProcessCreation.zip
Btw, I've just released a new madCodeHook build, so you might want to double check with that build:
http://madshi.net/madCollection.exe (madCodeHook 3.1.6, installer 2.7.8.0)
Re: About PsSetCreateProcessNotifyRoutine in 64bit OS
Thanks for the reply...
I tested again with your printManager64, but got the same result.
My test scenario:
Environment: Win7 64-bit OS
1) Load and inject libraries (for example, I had loaded 7 dlls)
2) Run ProcessExplorer.exe (for checking attached dlls in the process)
3) Run notepad.exe(x64) and Excel.exe(x86) or notepad.exe(x86)
4) Execute PrintMonitor64.exe
5) Now, HookPrintAPIs64.dll is attached to notepad.exe(x64), and HookPrintAPIs32.dll is attached to Excel.exe(x86) and notepad.exe(x86)
6) Terminate notepad.exe(x64), Excel.exe(x86) and notepad.exe(x86)
7) Execute notepad.exe(x64), Excel.exe(x86) and notepad.exe(x86) again
8) ** HookPrintAPIs64.dll is attached to notepad.exe(x64), BUT HookPrintAPIs32.dll is not attached to Excel.exe(x86) and notepad.exe(x86)
** With Win7 32-bit, it worked fine.
------------------------------------------------------------------------------------
** My driver/dll loading method
if (!LoadInjectionDriver(DriverNameW, SysFile32W, SysFile64W)) {
    OutputDebugStringA("LoadInjectionDriver Error");
    return false;
}
result = InjectLibraryW(DriverNameW, DllFile32W, ALL_SESSIONS, true, szIncludeProcessW, szExcludeProcessW); // for 32
result = InjectLibraryW(DriverNameW, DllFile64W, ALL_SESSIONS, true, szIncludeProcessW, szExcludeProcessW); // for 64
------------------------------------------------------------------------------------
The same thing happened with MadCHook 3.1.6.
Re: About PsSetCreateProcessNotifyRoutine in 64bit OS
7 dlls? Wow! Are you using one driver for all 7 dlls? Or are you using one driver for each dll? In the latter case you'd consume 7 PsSetCreateProcessNotifyRoutine slots, of course. So if possible it would be a good idea to use one driver for all 7 dlls.
Anyway, I just started my win7 x64 PC and then did the following test:
(1) download PrintMonitor demo
(2) start ProcessExplorer.exe
(3) run notepad.exe(x64) and notepad.exe(x86) (no Excel installed on this PC)
(4) execute PrintMonitor64.exe
(5) HookPrintAPIs??.dll are properly injected
(6) close both notepads friendly, and restart both
(7) HookPrintAPIs??.dll are properly injected
(8) terminate both notepads with "processes" tab in task manager, and restart both
(9) HookPrintAPIs??.dll are properly injected
So there's no problem here. Everything works as intended. If I can't reproduce a problem, I can't do anything about it. Does everything work for you if you only start the PrintMonitor demo, but none of your own projects?
Version 3.1.4 unfortunately had a bug which made it somewhat incompatible with all other versions, when using RDP. Is it possible that one of your drivers was compiled with 3.1.4 and that you've tested this with RDP? Try recompiling all drivers with 3.1.6. Also try using only one driver for all hook dlls. If you can't get it to work, I'd need a demo project (with full source code) with which I can reproduce the problem on my PC.
Re: About PsSetCreateProcessNotifyRoutine in 64bit OS
Hi?
After reducing 7 drivers to one driver (using one driver for all dlls), the problem is cleared.
BTW, is there any method to check whether a dll is loaded or not?
(for example IsInjectLibrary(DriverName, DllFileName), like the IsInjectionDriverRunning API)
Re: About PsSetCreateProcessNotifyRoutine in 64bit OS
There currently is no simple API that allows you to check whether a dll was injected to another process. However, IIRC, psapi has a dll enumeration API for other processes?
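The psapi enumeration suggested above, as an added example that is not part of the original posts or of madCodeHook: a 64-bit checker that reports whether a named dll is loaded in a given process, including 32-bit (WOW64) targets. The function names `same_module` and `is_dll_loaded` are hypothetical; the Windows part assumes Win7 or later and a 64-bit build, because a 32-bit caller cannot enumerate the modules of a 64-bit process.

```c
/* Added example: is a named DLL loaded in another process? Build as x64 on Windows. */
#include <wchar.h>
#include <wctype.h>
#ifdef _WIN32
#define PSAPI_VERSION 2   /* Win7+: psapi calls resolve to kernel32 exports */
#include <windows.h>
#include <psapi.h>
#endif

/* Case-insensitive match of a module path's file name against dll_name. */
int same_module(const wchar_t *path, const wchar_t *dll_name) {
    const wchar_t *slash = wcsrchr(path, L'\\');
    const wchar_t *name = slash ? slash + 1 : path;
    while (*name && *dll_name) {
        if (towlower((wint_t)*name) != towlower((wint_t)*dll_name)) return 0;
        name++; dll_name++;
    }
    return *name == L'\0' && *dll_name == L'\0';
}

#ifdef _WIN32
/* Returns 1 if loaded, 0 if not, -1 if the process could not be inspected. */
int is_dll_loaded(DWORD pid, const wchar_t *dll_name) {
    HMODULE mods[1024];
    DWORD needed = 0, count, i;
    int found = 0;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) return -1;
    /* LIST_MODULES_ALL lets a 64-bit caller see the 32-bit modules of a WOW64 process. */
    if (!EnumProcessModulesEx(h, mods, sizeof(mods), &needed, LIST_MODULES_ALL)) {
        CloseHandle(h);
        return -1;
    }
    count = needed / sizeof(HMODULE);
    if (count > 1024) count = 1024;   /* more modules than the buffer holds */
    for (i = 0; i < count && !found; i++) {
        wchar_t path[MAX_PATH];
        if (GetModuleFileNameExW(h, mods[i], path, MAX_PATH))
            found = same_module(path, dll_name);
    }
    CloseHandle(h);
    return found;
}

int main(void) {
    /* Current process as a self-check; pass another PID in real use. */
    return is_dll_loaded(GetCurrentProcessId(), L"kernel32.dll") == 1 ? 0 : 1;
}
#endif
```

A return of -1 usually means the caller lacks access to the target or the process is still starting up and its module list is not readable yet, so retry shortly after process start before concluding the dll is absent.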
Re: About PsSetCreateProcessNotifyRoutine in 64bit OS
Yes.. then I used dll enumeration for the process (psapi).
Thanks