Replace CreateProcess with CreateProcessEx

c++ / delphi package - dll injection and api hooking
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Replace CreateProcess with CreateProcessEx

Post by Davita »

Hello

I'm trying to avoid an injection driver for my project. I want to inject my dll into newly started processes (both 32 & 64 bit). Now, I'm aware that CreateProcessEx internally calls CreateProcess, and to avoid infinite recursion, in the CreateProcess callback I'm checking if the call is made from the Ex variant, and if so I just pass the call to the original function. Here's the code:


BOOL WINAPI CreateProcessWCallback (
    _In_opt_ LPCWSTR lpApplicationName,
    _Inout_opt_ LPWSTR lpCommandLine,
    _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_ BOOL bInheritHandles,
    _In_ DWORD dwCreationFlags,
    _In_opt_ LPVOID lpEnvironment,
    _In_opt_ LPCWSTR lpCurrentDirectory,
    _In_ LPSTARTUPINFOW lpStartupInfo,
    _Out_ LPPROCESS_INFORMATION lpProcessInformation
    ) {
    BOOL result = FALSE;
    // The critical section is re-entrant for the same thread, so the nested
    // CreateProcessW call made by CreateProcessExW below gets in without deadlock.
    EnterCriticalSection(&psProcSectionW);

    if(bSkipNextProcHookW) {
        // Re-entered from the CreateProcessExW call below: pass straight through
        // to the original API instead of injecting again.
        result = CreateProcessWNext(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles,
                                dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
        bSkipNextProcHookW = FALSE;
    }
    else {
        // The skip flag must be raised before *each* CreateProcessExW call: the nested
        // CreateProcessW inside the first call clears it, so without re-raising it the
        // 64-bit fallback would land in this branch again instead of the pass-through.
        bSkipNextProcHookW = TRUE;
        result = CreateProcessExW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles,
                                  dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, HM86W);
        if(!result && Is64bitOS()) {
            bSkipNextProcHookW = TRUE;
            result = CreateProcessExW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles,
                                      dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, HM64W);
        }
        // If CreateProcessExW failed before it reached CreateProcessW, the flag is still
        // set; clear it so the next unrelated call is not mistaken for a re-entrant one.
        bSkipNextProcHookW = FALSE;
    }
    LeaveCriticalSection(&psProcSectionW);
    return result;
}
However, this approach is not stable at all. Sometimes it crashes explorer, sometimes it doesn't inject the dll, sometimes it won't start the app at all.
Any idea what I'm doing wrong (or maybe a better solution)? I'm using the latest stable madCodeHook lib. I have Win 8.1 x64. I will try to test tomorrow on Win 7 x64 as well.

Thanks
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Replace CreateProcess with CreateProcessEx

Post by madshi »

Instead of calling CreateProcessEx() just call the original CreateProcessW() function with CREATE_SUSPENDED added to the flags. Then call InjectLibrary() on the still suspended process. Finally, after InjectLibrary() returned, resume the main thread, if the original flags did not include CREATE_SUSPENDED.

Please note that the current CreateProcessEx() implementation has some problems if you try to call it from within a 32bit process, if the new process is a 64bit process and if the exe module is outside of the first 2GB RAM. In that situation CreateProcessEx() might not work properly, unfortunately. I'm not sure if that's the cause of the instability.

I recommend using the driver approach; it's simply a better solution.
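The suspended-create, inject, resume sequence madshi describes, written out as an added Delphi example for the forum's Delphi package; it is not code from this thread or from madCodeHook itself. It assumes madCodeHook's HookAPI and an InjectLibrary(processHandle, libFileName) overload as declared in its Delphi unit, a Unicode Delphi, a manually imported IsWow64Process, and placeholder paths for the 32-bit and 64-bit builds of the hook dll.

```delphi
uses Windows, madCodeHook;

const
  // Placeholders for the 32-bit and 64-bit builds of the dll to inject
  HookDll32 = 'C:\HookDll\hook32.dll';
  HookDll64 = 'C:\HookDll\hook64.dll';

var
  // Filled in by HookAPI; points at the original CreateProcessW
  CreateProcessWNext : function (lpApplicationName: LPCWSTR; lpCommandLine: LPWSTR;
    lpProcessAttributes, lpThreadAttributes: PSecurityAttributes; bInheritHandles: BOOL;
    dwCreationFlags: DWORD; lpEnvironment: Pointer; lpCurrentDirectory: LPCWSTR;
    const lpStartupInfo: TStartupInfoW; var lpProcessInformation: TProcessInformation): BOOL; stdcall;

// Older Delphi Windows units do not declare this kernel32 export
function IsWow64Process(hProcess: THandle; var Wow64Process: BOOL): BOOL; stdcall;
  external kernel32 name 'IsWow64Process';

// A 64-bit child is one running on a 64-bit OS that is not itself a WOW64 process
function IsChild64Bit(hProcess: THandle): boolean;
var selfWow64, childWow64: BOOL;
begin
  Result := (SizeOf(Pointer) = 8) or
            (IsWow64Process(GetCurrentProcess, selfWow64) and selfWow64);
  if Result then
    Result := IsWow64Process(hProcess, childWow64) and not childWow64;
end;

function CreateProcessWCallback(lpApplicationName: LPCWSTR; lpCommandLine: LPWSTR;
  lpProcessAttributes, lpThreadAttributes: PSecurityAttributes; bInheritHandles: BOOL;
  dwCreationFlags: DWORD; lpEnvironment: Pointer; lpCurrentDirectory: LPCWSTR;
  const lpStartupInfo: TStartupInfoW; var lpProcessInformation: TProcessInformation): BOOL; stdcall;
var dll: PWideChar;
begin
  // Call the original API (never the hooked one, so no re-entrancy guard is needed) and
  // add CREATE_SUSPENDED so the child has not executed any code yet when we inject
  Result := CreateProcessWNext(lpApplicationName, lpCommandLine, lpProcessAttributes,
              lpThreadAttributes, bInheritHandles, dwCreationFlags or CREATE_SUSPENDED,
              lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
  if not Result then exit;
  if IsChild64Bit(lpProcessInformation.hProcess) then dll := HookDll64 else dll := HookDll32;
  // Assumed madCodeHook signature: InjectLibrary(processHandle, libFileName[, timeOut])
  if not InjectLibrary(lpProcessInformation.hProcess, dll) then
    OutputDebugStringW('hook dll injection into child failed');
  // Hand the child back in the state the caller asked for
  if (dwCreationFlags and CREATE_SUSPENDED) = 0 then
    ResumeThread(lpProcessInformation.hThread);
end;

procedure InstallHook;  // call once from the dll's initialization section
begin
  HookAPI('kernel32.dll', 'CreateProcessW', @CreateProcessWCallback, @CreateProcessWNext);
end;
```

Because the callback only ever calls CreateProcessWNext, the skip-flag bookkeeping from the original post is not needed; the 32-bit to 64-bit limitation madshi mentions applies to CreateProcessEx, which this path avoids.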
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: Replace CreateProcess with CreateProcessEx

Post by Davita »

Thank you madshi. Helpful as usual :).
The problem is that my clients want to avoid a driver. Another problem is that hooking CreateProcess just misses some processes. Is there any way to create suspended processes with NtCreateProcess? I couldn't find any useful hints about it on Google.

P.S. I found CreateProcessInternal, but it looks like it is no longer used in Windows 8.1 (maybe in 8 too), because it never gets called.
Thanks again :)
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Replace CreateProcess with CreateProcessEx

Post by madshi »

I'm not sure if you can create a suspended process with NtCreateProcess. It might not be necessary, though. It's possible that the main thread is manually started *after* calling NtCreateProcess by Windows. In that case you wouldn't even have to suspend the newly created process, you could call InjectLibrary on it right away. But I'm not sure about when the main thread is created and started (inside of NtCreateProcess, or afterwards).
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: Replace CreateProcess with CreateProcessEx

Post by Davita »

Thanks, I'll try that :)