CreateProcessEx Problem
Hi
I realized that CreateProcessEx will not work if you use just the command line to create a process.
The same scenario works when you create a process in suspended mode using CreateProcess and then inject the library using InjectLibrary. However, this method fails on some Windows 8.1 computers.
Can you let me know how CreateProcessEx works internally? Does it use CreateProcess suspended, then injectapi, or ...? I ask as CreateProcessEx works well besides this bug.
char strCommandLine[] = "\"program.exe\" /sw";
CreateProcessExA( NULL,        // No module name (use command line).
    strCommandLine,            // Command line.
    NULL,                      // Process handle not inheritable.
    NULL,                      // Thread handle not inheritable.
    FALSE,                     // Set handle inheritance to FALSE.
    NORMAL_PRIORITY_CLASS,     // Creation flags: normal priority class only.
    NULL,                      // Use parent's environment block.
    NULL,                      // Use parent's starting directory.
    &si,                       // Pointer to STARTUPINFO structure.
    &pi,                       // Pointer to PROCESS_INFORMATION structure.
    strDllPath );              // DLL to inject into the new process.
Re: CreateProcessEx Problem
CreateProcessEx should work just fine with just the commandline. What makes you think it does not? What happens if you do that? Does your computer explode? Some more details would be helpful.
CreateProcessEx is very simple. It basically calls CreateProcess(CREATE_SUSPENDED), then calls InjectLibrary, then resumes the main thread of the newly started process (but only if the CreateProcessEx flags don't include CREATE_SUSPENDED, of course).
Re: CreateProcessEx Problem
I've never had an issue with CreateProcessEx. Try "calc.exe" as a test command line; it works fine here. Also, omidgl... where is your initialization code for the StartupInfo? I don't see a call to GetStartupInfoA or setting the structure information size (cb = sizeof(StartupInfo)) yourself. This alone would cause it to fail.
--Iconic
Re: CreateProcessEx Problem
First of all, I'm using it in a 64-bit environment.
This code doesn't work. It returns error 87 (invalid parameter).
The interesting part is that the first sample works fine with older versions of madCodeHook but not v3.1.6.
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
// Note the doubled backslash in c:\\test.xlsx: a single "\t" would be a tab character.
if( !CreateProcessExA( NULL,   // No module name (use command line).
        "\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde \"c:\\test.xlsx\"", // Command line.
        NULL,                  // Process handle not inheritable.
        NULL,                  // Thread handle not inheritable.
        FALSE,                 // Set handle inheritance to FALSE.
        0,                     // No creation flags.
        NULL,                  // Use parent's environment block.
        NULL,                  // Use parent's starting directory.
        &si,                   // Pointer to STARTUPINFO structure.
        &pi,                   // Pointer to PROCESS_INFORMATION structure.
        "c:\\Testx64.dll" )    // DLL to inject into the new process.
)
{
    return GetLastError();
}
But this code works fine:
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
// Note the doubled backslash in c:\\test.xlsx: a single "\t" would be a tab character.
if( !CreateProcessA( NULL,     // No module name (use command line).
        "\"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde \"c:\\test.xlsx\"", // Command line.
        NULL,                  // Process handle not inheritable.
        NULL,                  // Thread handle not inheritable.
        FALSE,                 // Set handle inheritance to FALSE.
        CREATE_SUSPENDED,      // Create the main thread suspended.
        NULL,                  // Use parent's environment block.
        NULL,                  // Use parent's starting directory.
        &si,                   // Pointer to STARTUPINFO structure.
        &pi )                  // Pointer to PROCESS_INFORMATION structure.
)
{
    return GetLastError();
}
// Inject the DLL while the process is still suspended, then let it run.
InjectLibraryA("c:\\Testx64.dll", pi.hProcess, 7000);
ResumeThread(pi.hThread);
Re: CreateProcessEx Problem
Does this problem only occur with Office? And only when using DDE? Or does it occur without the DDE parameters, too? What happens if you try with "calc.exe", as suggested by iconic?
Re: CreateProcessEx Problem
I faced this with Office, with or without the /dde flag.
On notepad.exe everything is working fine.
Just a note: In my injector process, it'll get terminated right after injection.
CloseHandle( pi.hProcess );
CloseHandle( pi.hThread );
ExitProcess(0);
Is it safe to terminate after calling CreateProcessEx or InjectLibrary?
Re: CreateProcessEx Problem
Hmmmm... That's really strange. Three more questions:
(1) Did you call InitializeMadCHook() before using CreateProcessEx()?
(2) Is your own process compiled as 32bit or 64bit? If it's 32bit, try compiling it as 64bit, does that fix things?
(3) Is the new Office process a normal Windows GUI process? Or is it some sort of DotNet process?
Re: CreateProcessEx Problem
I've not used InitializeMadCHook before using CreateProcessEx.
Can this be the cause of these sorts of problems?
Re: CreateProcessEx Problem
I'm not fully sure, but it's definitely incorrect use of madCodeHook. Please check if adding InitializeMadCHook() takes care of the problem, thanks.
Re: CreateProcessEx Problem
Thank you, it's now working fine. I think the problem was related to InitializeMadCHook.
Re: CreateProcessEx Problem
Good to hear the problem is solved.