I'm trying to avoid using an injection driver for my project. I want to inject my DLL into newly started processes (both 32-bit and 64-bit). I'm aware that CreateProcessEx internally calls CreateProcess, so to avoid infinite recursion, my CreateProcess callback checks whether the call was made from the Ex variant and, if so, just passes the call to the original function. Here's the code:
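/**
 * Hook callback installed in place of CreateProcessW.
 *
 * A first-level call is redirected to CreateProcessExW, which is given a
 * library name (HM86W, then HM64W as a fallback on a 64-bit OS) in addition
 * to the normal CreateProcessW arguments. According to the surrounding post,
 * CreateProcessExW calls CreateProcessW internally, so this callback is
 * re-entered on the same thread; bSkipNextProcHookW marks that nested call so
 * it is forwarded to the original function (CreateProcessWNext) instead of
 * recursing.
 *
 * Parameters and return value are those of CreateProcessW and are passed
 * through unchanged.
 *
 * Review notes:
 *  - The skip flag is armed before EACH CreateProcessExW call. It is consumed
 *    by the nested call of the first attempt, so without re-arming it the
 *    fallback attempt would re-enter the redirect branch and could recurse
 *    without bound while the attempts keep failing.
 *  - The flag is cleared when the redirect branch ends, so a CreateProcessExW
 *    failure that never reaches the nested CreateProcessW cannot leave the
 *    flag set and cause a later, unrelated call to bypass the hook.
 *  - psProcSectionW is held for the whole process creation, so CreateProcessW
 *    calls from other threads are serialized behind it. The nested call relies
 *    on a critical section being re-enterable by its owning thread.
 *  - NOTE(review): confirm that a failed HM86W attempt leaves no half-created
 *    process behind before the HM64W attempt starts a second one.
 */
BOOL WINAPI CreateProcessWCallback (
    _In_opt_ LPCWSTR lpApplicationName,
    _Inout_opt_ LPWSTR lpCommandLine,
    _In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
    _In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_ BOOL bInheritHandles,
    _In_ DWORD dwCreationFlags,
    _In_opt_ LPVOID lpEnvironment,
    _In_opt_ LPCWSTR lpCurrentDirectory,
    _In_ LPSTARTUPINFOW lpStartupInfo,
    _Out_ LPPROCESS_INFORMATION lpProcessInformation
) {
    BOOL result = FALSE;

    EnterCriticalSection(&psProcSectionW);

    if (bSkipNextProcHookW) {
        // Nested call coming from CreateProcessExW: forward to the original
        // CreateProcessW and consume the skip marker.
        result = CreateProcessWNext(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
                                    bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,
                                    lpStartupInfo, lpProcessInformation);
        bSkipNextProcHookW = FALSE;
    }
    else {
        // First attempt: arm the marker so the nested CreateProcessW passes through.
        bSkipNextProcHookW = TRUE;
        result = CreateProcessExW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
                                  bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,
                                  lpStartupInfo, lpProcessInformation, HM86W);

        if (!result && Is64bitOS()) {
            // The nested call above cleared the marker; re-arm it so the
            // fallback attempt does not re-enter this branch.
            bSkipNextProcHookW = TRUE;
            result = CreateProcessExW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
                                      bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory,
                                      lpStartupInfo, lpProcessInformation, HM64W);
        }

        // Never leave the marker set once the redirect is finished, even if
        // CreateProcessExW failed before reaching CreateProcessW.
        bSkipNextProcHookW = FALSE;
    }

    LeaveCriticalSection(&psProcSectionW);
    return result;
}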
Any idea what I'm doing wrong (or maybe a better solution)? I'm using latest stable madCodeHook lib. I have Win 8.1 x64. I will try to test tomorrow on Win 7 x64 as well.
Thanks