CreateProcessEx with injection with different bitdepth
Hi, I want to start a new process with an injection, using function CreateProcessExA/W with a parameter of the name of the dll to be injected.
However, how can I know what the bitdepth of the new process is? I should supply the correct 32/64-bit dll for a 32/64-bit process, but I don't know what the bitdepth of the process is.
What is the correct way to handle this issue?
Thank you
Re: CreateProcessEx with injection with different bitdepth
You need to know ahead of time what the bitness of the process and DLL you're injecting are. If you're using a fully qualified path to the process name to be created then you can use my code:
Code:
    // Fills sa/sd with a non-inheritable handle attribute whose security
    // descriptor carries a present but NULL DACL (no access restrictions).
    procedure SetSecurityDescriptor(sa: PSecurityAttributes; sd: PSecurityDescriptor);
    begin
      ZeroMemory(sa, sizeof(sa^));
      ZeroMemory(sd, sizeof(sd^));
      sa^.nLength := sizeof(sa^);
      sa^.lpSecurityDescriptor := sd;
      sa^.bInheritHandle := False;
      InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
      SetSecurityDescriptorDacl(sd, True, nil, False);
    end;

    // Returns 64 or 32 according to OptionalHeader.Magic of the PE file,
    // or 0 if the file cannot be opened or is not a valid PE image.
    function GetFileBitness(const FileName: PWChar): ULONG;
    var
      hMap: THandle;
      hFile: THandle;
      FileSize: DWORD;
      DosHeader: PImageDosHeader;
      NtHeaders: PImageNtHeaders;
      ModulePtr: PVOID;
      sa: SECURITY_ATTRIBUTES;
      sd: SECURITY_DESCRIPTOR;
    begin
      result := 0;
      SetSecurityDescriptor(@sa, @sd);
      hFile := CreateFileW(FileName,
                           GENERIC_READ,
                           FILE_SHARE_READ,
                           @sa,
                           OPEN_EXISTING,
                           0,
                           0);
      if (hFile = INVALID_HANDLE_VALUE) then
        Exit;
      // Low 32 bits of the size, used below to bounds-check _lfanew.
      FileSize := GetFileSize(hFile, nil);
      hMap := CreateFileMappingW(hFile,
                                 @sa,
                                 PAGE_READONLY,
                                 0,
                                 0,
                                 nil);
      // The mapping keeps the file open; the file handle is no longer needed.
      CloseHandle(hFile);
      if hMap = 0 then
        Exit;
      ModulePtr := MapViewOfFile(hMap,
                                 FILE_MAP_READ,
                                 0,
                                 0,
                                 0);
      if (ModulePtr = nil) then
      begin
        CloseHandle(hMap);
        Exit;
      end;
      DosHeader := ModulePtr;
      // Reject files without an MZ header, and files whose _lfanew would
      // place the NT headers outside the mapped file (truncated or malformed).
      if IsBadReadPtr(DosHeader, sizeof(USHORT)) or
         (FileSize < sizeof(DosHeader^)) or
         (DosHeader^.e_magic <> IMAGE_DOS_SIGNATURE) or
         (DosHeader^._lfanew <= 0) or
         (Int64(DosHeader^._lfanew) + sizeof(NtHeaders^) > Int64(FileSize)) then
      begin
        UnMapViewOfFile(ModulePtr);
        CloseHandle(hMap);
        Exit;
      end;
      NTHeaders := PImageNtHeaders(ULONG_PTR(ModulePtr) + ULONG_PTR(DosHeader^._lfanew));
      if (NTHeaders^.Signature <> IMAGE_NT_SIGNATURE) then
      begin
        UnMapViewOfFile(ModulePtr);
        CloseHandle(hMap);
        Exit;
      end;
      // Magic sits at the same offset in the 32-bit and 64-bit optional header.
      case NTHeaders^.OptionalHeader.Magic of
        IMAGE_NT_OPTIONAL_HDR64_MAGIC: result := 64;
        IMAGE_NT_OPTIONAL_HDR32_MAGIC: result := 32;
      end;
      UnMapViewOfFile(ModulePtr);
      CloseHandle(hMap);
    end;
Example:
Code:
    var
      dwProgram: DWORD;
      dwDLL: DWORD;
    begin
      dwProgram := GetFileBitness(lpProgram);
      dwDLL := GetFileBitness(lpDLL);
      // Only proceed when both files are valid PE images of the same bitness.
      if (dwDLL <> 0) and (dwProgram = dwDLL) then
        CreateProcessEx(..., ...);
    end;
--Iconic
Re: CreateProcessEx with injection with different bitdepth
Thank you very much for the reply.
After adapting your code to C++, I eventually found the API function GetBinaryType that determines the bitness of the image.
Another question: if I want to create a hooked 64-bit process, should the parent process be 64-bit as well?
I tried to invoke CreateProcessExW with the appropriate 64-bit DLL on a 64-bit process and it returned FALSE with the error: ERROR_PARTIAL_COPY: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
Re: CreateProcessEx with injection with different bitdepth
If you're calling CreateProcessEx from a 32-bit WOW64 app then you'll want to use MCH3 and use a 64-bit process due to potential memory addressing issues. This is what you're experiencing.
--Iconic
Re: CreateProcessEx with injection with different bitdepth
Thank you again.
So, the solution for this case is to use a proxy 64-bit process ?
Re: CreateProcessEx with injection with different bitdepth
If you have a 64-bit program you can inject into both 64-bit and 32-bit programs fine on x64. If you are running a 32-bit WOW64 program on a 64-bit OS then yes, you're extremely limited when it comes to both hooking and injection. If you absolutely need a 32-bit WOW64 program to do this stuff on x64 a 64-bit proxy process is your best bet, yes. If you do use a proxy you could optionally use madCodeHook's SendIpcMessage
--Iconic
Re: CreateProcessEx with injection with different bitdepth
Another thing I forgot to mention earlier, kernel32.dll!GetBinaryTypeA/W() only determines the bitness of .exe files (well, to be honest MSDN's documentation is wrong since it can also determine other executable files such as .sys etc) but this will definitely not work with DLLs since the PE header reflects image characteristics of a dynamic-link library. In your case if you're just checking the process to be spawned (which is always .exe) then you don't need to worry. My example code checks any file regardless of PE characteristics, though. Best of luck!
GetBinaryType function
Determines whether a file is an executable (.exe) file, and if so, which subsystem runs the executable file.
Source: http://msdn.microsoft.com/en-us/library ... 85%29.aspx
--Iconic
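The header-based check discussed in this thread, as an added C example that is not part of any post here: it reads OptionalHeader.Magic from a byte buffer, so it treats .exe and .dll files alike, and it goes a step further by rejecting truncated or malformed headers and reporting the IMAGE_FILE_DLL flag. The names pe_bitness and make_sample are hypothetical, and the sample bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers; callers bounds-check before reading. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 32 (PE32) or 64 (PE32+), or 0 if buf is not a well-formed PE
   header. *is_dll reflects IMAGE_FILE_DLL (0x2000) in Characteristics. */
int pe_bitness(const uint8_t *buf, size_t len, int *is_dll)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D)           /* "MZ" */
        return 0;
    uint32_t off = rd32(buf + 0x3C);                  /* e_lfanew */
    /* Need signature (4) + file header (20) + optional-header Magic (2). */
    if (off == 0 || off > len || len - off < 26)
        return 0;
    const uint8_t *nt = buf + off;
    if (rd32(nt) != 0x00004550 || rd16(nt + 20) < 2) /* "PE\0\0", SizeOfOptionalHeader */
        return 0;
    if (is_dll) *is_dll = (rd16(nt + 22) & 0x2000) != 0;
    switch (rd16(nt + 24)) {                          /* OptionalHeader.Magic */
    case 0x10B: return 32;
    case 0x20B: return 64;
    default:    return 0;
    }
}

/* Constructed sample: header bytes only, not a loadable image. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t magic, uint16_t chars)
{
    const size_t off = 0x80;
    if (cap < off + 26) return 0;
    memset(buf, 0, cap);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = (uint8_t)off;
    memcpy(buf + off, "PE\0\0", 4);
    buf[off + 20] = 0xF0;                             /* SizeOfOptionalHeader */
    buf[off + 22] = (uint8_t)chars; buf[off + 23] = (uint8_t)(chars >> 8);
    buf[off + 24] = (uint8_t)magic; buf[off + 25] = (uint8_t)(magic >> 8);
    return off + 26;
}

int main(void)
{
    uint8_t img[256]; int dll = 0;
    size_t n = make_sample(img, sizeof img, 0x20B, 0x2022);
    printf("%d-bit, dll=%d\n", pe_bitness(img, n, &dll), dll);
}
```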
Re: CreateProcessEx with injection with different bitdepth
Many thanks ! You are really helpful !