CreateProcessEx Problem

c++ / delphi package - dll injection and api hooking
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

CreateProcessEx Problem

Post by omidgl »

Hi

I realized that CreateProcessEx will not work if you use just the command line to create a process.
The same scenario works when you create a process in suspended mode using CreateProcess and then inject the library using InjectLibrary. However, this method fails on some Windows 8.1 computers.

Can you let me know how CreateProcessEx works internally? Does it use CreateProcess in suspended mode and then InjectLibrary, or ...? Apart from this bug, CreateProcessEx works well.

STARTUPINFOA si;                 // declared here, but never zeroed and cb never set in this snippet
PROCESS_INFORMATION pi;
char strCommandLine[] = "\"program.exe\" /sw";
char strDllPath[] = "hook.dll";  // placeholder path of the DLL to inject

CreateProcessExA( NULL,                   // No module name (use command line).
                  strCommandLine,         // Command line.
                  NULL,                   // Process handle not inheritable.
                  NULL,                   // Thread handle not inheritable.
                  FALSE,                  // Set handle inheritance to FALSE.
                  NORMAL_PRIORITY_CLASS,  // Creation flags.
                  NULL,                   // Use parent's environment block.
                  NULL,                   // Use parent's starting directory.
                  &si,                    // Pointer to STARTUPINFO structure.
                  &pi,                    // Pointer to PROCESS_INFORMATION structure.
                  strDllPath );           // DLL to inject into the new process.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx Problem

Post by madshi »

CreateProcessEx should work just fine with just the commandline. What makes you think it does not? What happens if you do that? Does your computer explode? Some more details would be helpful.

CreateProcessEx is very simple. It basically calls CreateProcess(CREATE_SUSPENDED), then calls InjectLibrary, then resumes the main thread of the newly started process (but only if the CreateProcessEx flags don't include CREATE_SUSPENDED, of course).
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: CreateProcessEx Problem

Post by iconic »

I've never had an issue with CreateProcessEx, try "calc.exe" as a test command line, works fine here. Also, omidgl... where is your initialization code for the StartupInfo? I don't see a call to GetStartupInfoA or setting the structure information size (cb = sizeof(StartupInfo)) yourself. This alone would cause it to fail.

--Iconic
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx Problem

Post by omidgl »

First of all, I'm using it in a 64-bit environment.

This code doesn't work. It returns error 87 (invalid parameter):


	STARTUPINFOA si;
	PROCESS_INFORMATION pi;

	ZeroMemory( &si, sizeof(si) );
	si.cb = sizeof(si);
	ZeroMemory( &pi, sizeof(pi) );

	// Writable buffer for the command line (lpCommandLine is LPSTR, not LPCSTR).
	// Note the escaped backslash in "c:\\test.xlsx": "\t" in a C string is a tab character.
	char cmdLine[] = "\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde \"c:\\test.xlsx\"";

	if( !CreateProcessExA( NULL,    // No module name (use command line). 
		cmdLine,          // Command line. 
		NULL,             // Process handle not inheritable. 
		NULL,             // Thread handle not inheritable. 
		FALSE,            // Set handle inheritance to FALSE. 
		0,                // No creation flags. 
		NULL,             // Use parent's environment block. 
		NULL,             // Use parent's starting directory. 
		&si,              // Pointer to STARTUPINFO structure.
		&pi,              // Pointer to PROCESS_INFORMATION structure.
		"c:\\Testx64.dll" ) // DLL to inject into the new process.
		) 
	{
		return GetLastError();
	}


but this code works fine:

	STARTUPINFOA si;
	PROCESS_INFORMATION pi;

	ZeroMemory( &si, sizeof(si) );
	si.cb = sizeof(si);
	ZeroMemory( &pi, sizeof(pi) );

	// Writable buffer for the command line; backslash escaped so "\t" is not read as a tab.
	char cmdLine[] = "\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde \"c:\\test.xlsx\"";

	if( !CreateProcessA( NULL,      // No module name (use command line). 
		cmdLine,          // Command line. 
		NULL,             // Process handle not inheritable. 
		NULL,             // Thread handle not inheritable. 
		FALSE,            // Set handle inheritance to FALSE. 
		CREATE_SUSPENDED, // Start with the main thread suspended. 
		NULL,             // Use parent's environment block. 
		NULL,             // Use parent's starting directory. 
		&si,              // Pointer to STARTUPINFO structure.
		&pi )             // Pointer to PROCESS_INFORMATION structure.
		) 
	{
		return GetLastError();
	}
	InjectLibraryA( "c:\\Testx64.dll", pi.hProcess, 7000 ); // inject into the suspended process (7000 ms timeout)
	ResumeThread( pi.hThread );                              // then let the main thread run

The interesting part is that the first sample works fine with older versions of madCodeHook but not v3.1.6.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx Problem

Post by madshi »

Does this problem only occur with Office? And only when using DDE? Or does it occur without the DDE parameters, too? What happens if you try with "calc.exe", as suggested by iconic?
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx Problem

Post by omidgl »

I faced this with Office, with or without the /dde flag.
On notepad.exe everything is working fine.

Just a note: my injector process gets terminated right after injection.
CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
ExitProcess(0);

Is it safe to terminate after calling CreateProcessEx or InjectLibrary?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx Problem

Post by madshi »

Hmmmm... That's really strange. Three more questions:

(1) Did you call InitializeMadCHook() before using CreateProcessEx()?
(2) Is your own process compiled as 32bit or 64bit? If it's 32bit, try compiling it as 64bit, does that fix things?
(3) Is the new Office process a normal Windows GUI process? Or is it some sort of DotNet process?
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx Problem

Post by omidgl »

I have not used InitializeMadCHook before using CreateProcessEx.
Can this be the cause of this sort of problem?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx Problem

Post by madshi »

I'm not fully sure, but it's definitely incorrect use of madCodeHook. Please check if adding InitializeMadCHook() takes care of the problem, thanks.
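The launch sequence the thread arrives at, written out as one function with the pieces that were missing from the posted snippets (a zeroed STARTUPINFO with cb set, InitializeMadCHook before the first madCodeHook call, error reporting, and handle cleanup). This is an added example, not omidgl's or madshi's code. It assumes madCHook.h and the madCodeHook 3 import library are on the include and link path, and that FinalizeMadCHook is the library's counterpart to InitializeMadCHook (it is not mentioned in the thread). The program and DLL paths are placeholders.

```cpp
// Added example (not from the thread). Assumes madCodeHook 3's C++ header
// "madCHook.h" and its import library; FinalizeMadCHook is assumed to be the
// library's shutdown counterpart to InitializeMadCHook.
#include <windows.h>
#include <cstdio>
#include <string>
#include "madCHook.h"

// Start a process with CreateProcessExA and have madCodeHook load dllPath into it.
// Returns true on success; on failure *err receives GetLastError().
static bool LaunchWithHookDll(const char* commandLine, const char* dllPath, DWORD* err)
{
    // lpCommandLine is LPSTR (writable), so copy the caller's string into a buffer.
    std::string cmd(commandLine);

    // Zeroed STARTUPINFO with cb set: the initialization iconic asked about.
    STARTUPINFOA si = {};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi = {};

    if (!CreateProcessExA(NULL,        // use the command line
                          &cmd[0],     // writable command-line buffer
                          NULL, NULL,  // default process/thread security
                          FALSE,       // do not inherit handles
                          0,           // no creation flags: madCodeHook resumes the main thread itself
                          NULL, NULL,  // parent's environment and current directory
                          &si, &pi,
                          dllPath))    // DLL to inject
    {
        *err = GetLastError();
        return false;
    }

    // The DLL is injected and the process is running; release our handles.
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    *err = ERROR_SUCCESS;
    return true;
}

int main()
{
    // Must precede any madCodeHook call; omitting it is what produced error 87 in the thread.
    InitializeMadCHook();

    DWORD err = 0;
    // Placeholder paths: substitute the real program and DLL.
    const bool ok = LaunchWithHookDll("\"notepad.exe\"", "C:\\path\\to\\hook.dll", &err);
    if (!ok)
        std::printf("CreateProcessExA failed, GetLastError() = %lu\n", err);

    FinalizeMadCHook();
    return ok ? 0 : 1;
}
```

Checking the return value and printing GetLastError() is what turns a silent failure into the "error 87" symptom reported above; on a 64-bit system the injector must be compiled as 64-bit to inject a 64-bit DLL, as madshi's second question implies.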
omidgl
Posts: 14
Joined: Mon Sep 26, 2005 1:20 pm

Re: CreateProcessEx Problem

Post by omidgl »

Thank you, it's now working fine. I think the problem was related to InitializeMadCHook.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: CreateProcessEx Problem

Post by madshi »

Good to hear the problem is solved.