CreateProcessEx with injection with different bitdepth

c++ / delphi package - dll injection and api hooking
Blasius
Posts: 5
Joined: Sat Aug 02, 2014 8:25 pm

CreateProcessEx with injection with different bitdepth

Post by Blasius »

Hi, I want to start a new process with an injection, using the function CreateProcessExA/W with a parameter giving the name of the DLL to be injected.
However, how can I know what the bitdepth of the new process is? I should supply the correct 32/64-bit DLL for a 32/64-bit process, but I don't know what the bitdepth of the process is.
What is the correct way to handle this issue?
Thank you
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: CreateProcessEx with injection with different bitdepth

Post by iconic »

You need to know ahead of time what the bitness of the process and DLL you're injecting are. If you're using a fully qualified path to the process name to be created then you can use my code:

Code:

// Fills sa/sd with a security descriptor that carries a NULL DACL
// (no access restrictions) and a non-inheritable handle.
procedure SetSecurityDescriptor(sa: PSecurityAttributes; sd: PSecurityDescriptor);
begin
   ZeroMemory(sa, sizeof(sa^));
   ZeroMemory(sd, sizeof(sd^));
   sa^.nLength := sizeof(sa^);
   sa^.lpSecurityDescriptor := sd;
   sa^.bInheritHandle := False;
   InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
   SetSecurityDescriptorDacl(sd, True, nil, False);
end;


// Returns 64 or 32 for a PE32+ / PE32 image file, 0 if the file cannot be
// opened or is not a valid PE image. Works for .exe, .dll, .sys etc.
function GetFileBitness(const FileName: PWChar): ULONG;
var
    hMap: THandle;
    hFile: THandle;
    DosHeader: PImageDosHeader;
    NtHeaders: PImageNtHeaders;
    ModulePtr: PVOID;
    sa: SECURITY_ATTRIBUTES;
    sd: SECURITY_DESCRIPTOR;
begin
    result := 0;

    // Open the file read-only
    SetSecurityDescriptor(@sa, @sd);
    hFile := CreateFileW(FileName,
                         GENERIC_READ,
                         FILE_SHARE_READ,
                         @sa,
                         OPEN_EXISTING,
                         0,
                         0);

    if (hFile = INVALID_HANDLE_VALUE) then
        Exit;

    // Map the whole file as raw data (not as an image)
    hMap := CreateFileMappingW(hFile,
                               @sa,
                               PAGE_READONLY,
                               0,
                               0,
                               nil);

    // The mapping keeps the file open, the file handle is no longer needed
    CloseHandle(hFile);

    if hMap = 0 then
        Exit;

    ModulePtr := MapViewOfFile(hMap,
                               FILE_MAP_READ,
                               0,
                               0,
                               0);

    if (ModulePtr = nil) then
    begin
        CloseHandle(hMap);
        Exit;
    end;

    // The file must start with a DOS header ("MZ") that points to the NT headers
    DosHeader := ModulePtr;

    if IsBadReadPtr(DosHeader, sizeof(USHORT)) or
       (DosHeader^.e_magic <> IMAGE_DOS_SIGNATURE) or
       (DosHeader^._lfanew = 0) then
    begin
        UnMapViewOfFile(ModulePtr);
        CloseHandle(hMap);
        Exit;
    end;

    // _lfanew is the file offset of the NT headers ("PE\0\0")
    NtHeaders := PImageNtHeaders(ULONG_PTR(ModulePtr) + ULONG_PTR(DosHeader^._lfanew));

    if (NtHeaders^.Signature <> IMAGE_NT_SIGNATURE) then
    begin
        UnMapViewOfFile(ModulePtr);
        CloseHandle(hMap);
        Exit;
    end;

    // OptionalHeader.Magic sits at the same offset in PE32 and PE32+ images
    case NtHeaders^.OptionalHeader.Magic of
        IMAGE_NT_OPTIONAL_HDR64_MAGIC: result := 64;
        IMAGE_NT_OPTIONAL_HDR32_MAGIC: result := 32;
    end;

    UnMapViewOfFile(ModulePtr);
    CloseHandle(hMap);
end;
Example:

Code:

var
   dwProgram: DWORD;
   dwDLL: DWORD;
begin
   dwProgram := GetFileBitness(lpProgram);
   dwDLL := GetFileBitness(lpDLL);
   if (dwDLL <> 0) and (dwProgram = dwDLL) then
      CreateProcessEx(..., ...);
end;
--Iconic
Blasius
Posts: 5
Joined: Sat Aug 02, 2014 8:25 pm

Re: CreateProcessEx with injection with different bitdepth

Post by Blasius »

Thank you very much for the reply.
After adapting your code to C++, I eventually found the API function GetBinaryType that determines the bitness of the image.

Another question: if I want to create a hooked 64-bit process, should the parent process be 64-bit as well?
I tried to invoke CreateProcessExW with the appropriate 64-bit DLL on a 64-bit process and it returned FALSE with the error ERROR_PARTIAL_COPY: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: CreateProcessEx with injection with different bitdepth

Post by iconic »

If you're calling CreateProcessEx from a 32-bit WOW64 app then you'll want to use MCH3 and use a 64-bit process due to potential memory addressing issues. This is what you're experiencing.

--Iconic
Blasius
Posts: 5
Joined: Sat Aug 02, 2014 8:25 pm

Re: CreateProcessEx with injection with different bitdepth

Post by Blasius »

Thank you again.
So, the solution for this case is to use a proxy 64-bit process?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: CreateProcessEx with injection with different bitdepth

Post by iconic »

If you have a 64-bit program you can inject into both 64-bit and 32-bit programs fine on x64. If you are running a 32-bit WOW64 program on a 64-bit OS then yes, you're extremely limited when it comes to both hooking and injection. If you absolutely need a 32-bit WOW64 program to do this stuff on x64 a 64-bit proxy process is your best bet, yes. If you do use a proxy you could optionally use madCodeHook's SendIpcMessage

--Iconic
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: CreateProcessEx with injection with different bitdepth

Post by iconic »

Another thing I forgot to mention earlier, kernel32.dll!GetBinaryTypeA/W() only determines the bitness of .exe files (well, to be honest MSDN's documentation is wrong since it can also determine other executable files such as .sys etc) but this will definitely not work with DLLs since the PE header reflects image characteristics of a dynamic-link library. In your case if you're just checking the process to be spawned (which is always .exe) then you don't need to worry. My example code checks any file regardless of PE characteristics, though. Best of luck!

Source: http://msdn.microsoft.com/en-us/library ... 85%29.aspx
GetBinaryType function
Determines whether a file is an executable (.exe) file, and if so, which subsystem runs the executable file.
--Iconic
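
[Added example, not part of the original posts and not madCodeHook code.] The header check discussed in this thread, written as portable C that works on a byte buffer instead of a Win32 file mapping, with an explicit check that e_lfanew stays inside the file. It also reads the IMAGE_FILE_DLL characteristic, which is what distinguishes a DLL from an .exe in the PE header. The names pe_info, pe_classify and make_sample are assumptions made for this example, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { int bits; int is_dll; } pe_info;   /* bits == 0: not a valid PE */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Classify a file image held in buf[0..len) without reading outside it. */
pe_info pe_classify(const uint8_t *buf, size_t len)
{
    pe_info r = {0, 0};
    if (len < 0x40 || rd16(buf) != 0x5A4D) return r;        /* IMAGE_DOS_SIGNATURE "MZ" */
    uint32_t off = rd32(buf + 0x3C);                        /* e_lfanew */
    /* Need Signature (4) + IMAGE_FILE_HEADER (20) + OptionalHeader.Magic (2). */
    if (off == 0 || off > len || len - off < 26) return r;
    if (rd32(buf + off) != 0x00004550) return r;            /* IMAGE_NT_SIGNATURE "PE\0\0" */
    uint16_t magic = rd16(buf + off + 24);
    if (magic == 0x20B) r.bits = 64;                        /* IMAGE_NT_OPTIONAL_HDR64_MAGIC */
    else if (magic == 0x10B) r.bits = 32;                   /* IMAGE_NT_OPTIONAL_HDR32_MAGIC */
    else return r;
    r.is_dll = (rd16(buf + off + 22) & 0x2000) != 0;        /* Characteristics & IMAGE_FILE_DLL */
    return r;
}

/* Constructed sample: header fields only, not a loadable image. */
static uint8_t sample[0x100];
const uint8_t *make_sample(uint32_t lfanew, uint16_t magic, uint16_t characteristics)
{
    memset(sample, 0, sizeof sample);
    memcpy(sample, "MZ", 2);
    for (int i = 0; i < 4; i++) sample[0x3C + i] = (uint8_t)(lfanew >> (8 * i));
    if (lfanew > sizeof sample - 26) return sample;         /* leave the bad offset dangling */
    memcpy(sample + lfanew, "PE\0\0", 4);
    sample[lfanew + 22] = (uint8_t)characteristics; sample[lfanew + 23] = (uint8_t)(characteristics >> 8);
    sample[lfanew + 24] = (uint8_t)magic;           sample[lfanew + 25] = (uint8_t)(magic >> 8);
    return sample;
}

int main(void)
{
    pe_info exe = pe_classify(make_sample(0x80, 0x20B, 0x0022), sizeof sample);
    printf("exe: %d-bit dll=%d\n", exe.bits, exe.is_dll);
    pe_info dll = pe_classify(make_sample(0x80, 0x10B, 0x2102), sizeof sample);
    printf("dll: %d-bit dll=%d\n", dll.bits, dll.is_dll);
    pe_info bad = pe_classify(make_sample(0xFFFFFFF0u, 0x20B, 0), sizeof sample);
    printf("bad e_lfanew: bits=%d\n", bad.bits);
    return 0;
}
```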
Blasius
Posts: 5
Joined: Sat Aug 02, 2014 8:25 pm

Re: CreateProcessEx with injection with different bitdepth

Post by Blasius »

Many thanks! You are really helpful!