A) I successfully hooked CreateProcessInternalW when an icon is double-clicked on the desktop to launch it.
B) But I could not hook it when an icon is right-clicked on the desktop and launched as administrator.
In both cases DllMain is called and HookAPI returns TRUE, but in case B neither CreateProcessInternalW nor ZwResumeThread is called, so I can't control process creation.
I use madCodeHook 3.1.6.
I use VMware 10.0.0.2 with a clean VM running Windows 8 Enterprise K.
-------------------
/// Signature of the original ntdll!ZwResumeThread.
/// pfZwResumeThread is filled in by HookAPI when the hook is installed and is
/// the target the hook procedure forwards to.
typedef NTSTATUS ( WINAPI *PFZWRESUMETHREAD )(
    HANDLE ThreadHandle,   // thread being resumed
    PULONG SuspendCount    // out-parameter, passed through untouched by the hook
);
extern PFZWRESUMETHREAD pfZwResumeThread;

/// Signature of the original CreateProcessInternalW.
/// The export lives in kernel32.dll on NT 5.x/6.0/6.1 and in KernelBase.dll on
/// NT 6.2 (see the per-version HookAPI calls in DllMain); it is apparently not
/// declared in the public SDK headers, hence the local typedef.
/// pfCreateProcessInternalWcb is filled in by HookAPI and is the forward target
/// of createProcessInternalWcb.
typedef BOOL ( WINAPI *PFCreateProcessInternalWcb )(
    HANDLE                hToken,                // token to create the process under (may be NULL)
    LPCWSTR               lpApplicationName,
    LPWSTR                lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,
    LPVOID                lpEnvironment,
    LPCWSTR               lpCurrentDirectory,
    LPSTARTUPINFOW        lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation,
    PHANDLE               hNewToken              // out-parameter, passed through untouched by the hook
);
extern PFCreateProcessInternalWcb pfCreateProcessInternalWcb;
------------------
/// Hook procedure for ntdll!ZwResumeThread.
/// Emits a debug trace and then forwards both arguments unchanged to the
/// original entry point saved in pfZwResumeThread; the original's status is
/// returned as-is.
/// @param ThreadHandle  Thread being resumed.
/// @param SuspendCount  Optional out-parameter, handed to the original untouched.
/// @return The NTSTATUS produced by the original ZwResumeThread.
NTSTATUS WINAPI zwResumeThreadHookProc( IN HANDLE ThreadHandle, OUT PULONG SuspendCount OPTIONAL )
{
    // NOTE(review): OutputDebugStringA may alter the thread's last-error value
    // before the original runs; harmless for an NTSTATUS API, but worth knowing.
    OutputDebugStringA( "Start-ZwResumeThread" );

    const NTSTATUS status = pfZwResumeThread( ThreadHandle, SuspendCount );
    return status;
}
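/// Hook procedure for CreateProcessInternalW (kernel32 on NT 5.x/6.0/6.1,
/// KernelBase on NT 6.2 — see DllMain).
/// Emits a debug trace and forwards all twelve arguments unchanged to the
/// original implementation saved in pfCreateProcessInternalWcb.
/// The caller's last-error value is captured before the trace and restored
/// afterwards: OutputDebugStringA may overwrite it, and the original code
/// saved it into a local that was never used, so the restore was missing.
/// The original implementation's return value and its own last-error state
/// then propagate to the caller untouched.
/// @return The BOOL produced by the original CreateProcessInternalW.
BOOL WINAPI createProcessInternalWcb( HANDLE hToken,
                                      LPCWSTR lpApplicationName,
                                      LPWSTR lpCommandLine,
                                      LPSECURITY_ATTRIBUTES lpProcessAttributes,
                                      LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                      BOOL bInheritHandles,
                                      DWORD dwCreationFlags,
                                      LPVOID lpEnvironment,
                                      LPCWSTR lpCurrentDirectory,
                                      LPSTARTUPINFOW lpStartupInfo,
                                      LPPROCESS_INFORMATION lpProcessInformation,
                                      PHANDLE hNewToken )
{
    // Preserve the caller's last-error across the trace call.
    const DWORD dwLastError = ::GetLastError();
    OutputDebugStringA( "[Start-CreateProcessInternalW]" );
    ::SetLastError( dwLastError );

    return pfCreateProcessInternalWcb( hToken,
                                       lpApplicationName,
                                       lpCommandLine,
                                       lpProcessAttributes,
                                       lpThreadAttributes,
                                       bInheritHandles,
                                       dwCreationFlags,
                                       lpEnvironment,
                                       lpCurrentDirectory,
                                       lpStartupInfo,
                                       lpProcessInformation,
                                       hNewToken );
}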
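// Adds the full paths of consent.exe (system directory) and explorer.exe
// (Windows directory) to _vecWhiteList (how the list is consumed is not
// visible here). An entry is only added when the directory lookup succeeded
// and fit in the buffer; the original ignored the return values, so a failed
// lookup would have left a bare relative name such as "\\consent.exe" in the
// whitelist, which is ambiguous for any path comparison.
static void AddSystemBinariesToWhiteList()
{
    WCHAR wszBuffer[ MAX_PATH + 1 ] = { 0 };

    // Both directory APIs return 0 on failure and the required size (> MAX_PATH) on truncation.
    UINT cch = GetSystemDirectoryW( wszBuffer, MAX_PATH );
    if( cch != 0 && cch <= MAX_PATH )
        _vecWhiteList.push_back( std::wstring( wszBuffer ) + L"\\consent.exe" );
    else
        OutputDebugStringA( "[DllMain] GetSystemDirectoryW failed, consent.exe not whitelisted" );

    memset( wszBuffer, 0, sizeof( wszBuffer ) );
    cch = GetWindowsDirectoryW( wszBuffer, MAX_PATH );
    if( cch != 0 && cch <= MAX_PATH )
        _vecWhiteList.push_back( std::wstring( wszBuffer ) + L"\\explorer.exe" );
    else
        OutputDebugStringA( "[DllMain] GetWindowsDirectoryW failed, explorer.exe not whitelisted" );
}

// Installs the process-creation hooks that match the reported OS version.
// Each branch keeps the original per-version export layout. A version that
// matches no branch is now logged; the original silently installed nothing,
// which made an unsupported version indistinguishable from a working one.
// NOTE(review): these are in-process user-mode hooks, so they only observe
// creations performed by the hooked process itself; a process started on its
// behalf by another process (e.g. an elevated launch brokered by a system
// service) is not visible here — a kernel-side or ETW process-creation source
// is the usual answer for that case.
static void InstallProcessCreationHooks( const OSVERSIONINFOW& osi )
{
    if( osi.dwMajorVersion == 5 )
    {
        OutputDebugStringA( "Windows XP/2003/2003R2, CreateProcess Hook" );
        HookAPI( "kernel32.dll", "CreateProcessInternalW", createProcessInternalWcb, (PVOID*)&pfCreateProcessInternalWcb );
        HookAPI( "Advapi32.dll", "CreateProcessWithLogonW", createProcessWithLogonWcb, (PVOID*)&pfCreateProcessWithLogonWcb );
    }
    else if( osi.dwMajorVersion == 6 && osi.dwMinorVersion == 0 )
    {
        OutputDebugStringA( "Windows Vista, Windows Server 2008, CreateProcess Hook" );
        HookAPI( "kernel32.dll", "CreateProcessInternalW", createProcessInternalWcb, (PVOID*)&pfCreateProcessInternalWcb );
        HookAPI( "Advapi32.dll", "CreateProcessWithLogonW", createProcessWithLogonWcb, (PVOID*)&pfCreateProcessWithLogonWcb );
        HookAPI( "ntdll.dll", "ZwResumeThread", zwResumeThreadHookProc, (PVOID*)&pfZwResumeThread );
    }
    else if( osi.dwMajorVersion == 6 && osi.dwMinorVersion == 1 )
    {
        OutputDebugStringA( " Windows 7, Windows Server 2008 R2, CreateProcess Hook" );
        HookAPI( "kernel32.dll", "CreateProcessInternalW", createProcessInternalWcb, (PVOID*)&pfCreateProcessInternalWcb );
        HookAPI( "Advapi32.dll", "CreateProcessWithLogonW", createProcessWithLogonWcb, (PVOID*)&pfCreateProcessWithLogonWcb );
        HookAPI( "ntdll.dll", "ZwResumeThread", zwResumeThreadHookProc, (PVOID*)&pfZwResumeThread );
    }
    else if( osi.dwMajorVersion == 6 && osi.dwMinorVersion == 2 )
    {
        OutputDebugStringA( " Windows 8, Windows Server 2012, CreateProcess Hook" );
        // CreateProcessInternalW moved to KernelBase.dll on this version; the
        // hooks are batched between CollectHooks/FlushHooks here.
        CollectHooks();
        HookAPI( "KernelBase.dll", "CreateProcessInternalW", createProcessInternalWcb, (PVOID*)&pfCreateProcessInternalWcb );
        HookAPI( "Advapi32.dll", "CreateProcessWithLogonW", createProcessWithLogonWcb, (PVOID*)&pfCreateProcessWithLogonWcb );
        // HookAPI( "ntdll.dll", "ZwResumeThread", zwResumeThreadHookProc, (PVOID*)&pfZwResumeThread );
        HookAPI( "ntdll.dll", "NtCreateUserProcess", ntCreateUserProcess, (PVOID*)&pfNtCreateUserProcess );
        // HookAPI( "ntdll.dll", "RtlCreateUserProcessParameters", rtlCreateProcessParameters, (PVOID*)&pfRtlCreateProcessParameters );
        FlushHooks();
    }
    else
    {
        DebugLogA( "[DllMain] unsupported OS version %lu.%lu, no CreateProcess hooks installed",
                   osi.dwMajorVersion, osi.dwMinorVersion );
    }
}

/// DLL entry point: installs the process-creation hooks on attach and tears
/// them down on detach. Work here runs under the loader lock; madCodeHook's
/// HookAPI is designed to be called from DllMain, everything else is kept light.
/// @param hModule            Unused.
/// @param ul_reason_for_call DLL_PROCESS_ATTACH / DETACH, DLL_THREAD_ATTACH / DETACH.
/// @param lpReserved         Unused.
/// @return Always TRUE; a hook failure is logged rather than failing the load.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    // Presumably skips the Idle/System processes (PIDs 0 and 4) — confirm against caller.
    if( GetCurrentProcessId() <= 4 )
        return TRUE;

    switch( ul_reason_for_call )
    {
    case DLL_PROCESS_ATTACH:
    {
        dwScanedPID = 0;

        // GetVersionExW is deprecated; on Windows 8.1 and later it reports the
        // version the host's application manifest allows, not the real one, so
        // an unmanifested host still reads 6.2 here. Its failure was previously
        // ignored, leaving osi zeroed and the hook chain silently skipped.
        OSVERSIONINFOW osi = { 0 };
        osi.dwOSVersionInfoSize = sizeof( osi );
        if( !::GetVersionExW( &osi ) )
            OutputDebugStringA( "[DllMain] GetVersionExW failed, OS version unknown" );

        AddSystemBinariesToWhiteList();

        DebugLogA( "[Start-DllMain] iMonLope Hook, DLL_PROCESS_ATTACH, HOOK VER = %s", HOOK_DLL_VERINFO );
        InitializeMadCHook();
        if( isVistaOrHigherOS() == true )
            SetMadCHookOption( USE_NEW_IPC_LOGIC, NULL );

        InstallProcessCreationHooks( osi );

        OutputDebugStringA( "[Finish-DllMain] iMonLope Hook, DLL_PROCESS_ATTACH" );
        break;
    }
    case DLL_PROCESS_DETACH:
    {
        // Calling FinalizeMadCHook unhooks everything automatically.
        OutputDebugStringA( "[Start-DllMain] iMonLope Hook, DLL_PROCESS_DETACH" );
        if( hSfcLib != NULL )
            FreeLibrary( hSfcLib );
        hSfcLib = NULL;
        FinalizeMadCHook();
        OutputDebugStringA( "[Finish-DllMain] iMonLope Hook, DLL_PROCESS_DETACH" );
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}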