madCodeHook XP/2K3 remote session bug

c++ / delphi package - dll injection and api hooking
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

madCodeHook XP/2K3 remote session bug

Post by iconic »

Hello Mathias,

Noticed that madCodeHook has a small bug in it when supporting XP and Windows 2k3 Server, both x86 and x64 versions of these legacy operating systems. Basically, any OS prior to Vista is affected. If you inject a DLL into a process of another session and inside your injected DLL you make Win32 API calls such as CreateThread or CreateProcess, they will fail. This is because you're using RtlCreateUserThread, which creates a native thread and functions independently of the Win32 subsystem. Since no proper link to the CSRSS Win32 subsystem is established and it isn't informed, it's not aware of your "new" thread, resulting in many API calls failing inside an injected DLL. This is the case for some winsock wrappers such as wininet as well, since threads are created in some asynchronous socket calls, resulting in failure. The good news is, on Vista+ it seems that a proper link IS established with RtlCreateUserThread, so it's just a legacy OS issue. I tested this with terminal services logic / XP fast user switching and InjectLibrary as well as CreateRemoteThreadEx, and both are negatively impacted. I corrected this issue in my own injection library a while back, so I can tell you from experience that you don't have to use LPC port communication to pacify CSRSS or have CSRSS itself call CreateRemoteThread for you, which can also work around this, but this is not needed as there are a couple of other ways, one of which I am using after a lot of CSRSS reversing with IDA and studying ReactOS source. Anyhow, figured I'd mention this to you, but perhaps you already know this is an older side effect.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: madCodeHook XP/2K3 remote session bug

Post by madshi »

Hi Iconic,

I've heard about this problem, but so far I've not considered it to be dramatic because the thread which is used to inject the dll is only supposed to load the dll and then exit. And in DllMain a hook dll is just supposed to install the API hooks. It's not supposed to do ugly things like accessing wininet. If the hook dll accesses wininet in a hook callback function, that usually happens in the context of a "proper" thread, so there it should work.

That said, fixing this issue is still worth considering. So if you have an easy solution for the problem, I'd be quite happy to hear about it.

BTW, thanks a lot for occasionally providing support on these forums. I appreciate the help!
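The division of labour madshi describes above, written out as an added Delphi example (not code from madCodeHook or from either poster): the library's initialization section, which runs on DLL_PROCESS_ATTACH, only installs a hook; any work that needs a thread is started lazily from the hook callback, which executes in the hooked caller's own Win32 thread. The HookAPI signature, the CreateFileW callback shape and the hypothetical WorkerProc are assumptions about how such a hook DLL is typically written.

```delphi
library DeferredInitHook;

uses
  Windows, madCodeHook;

var
  // Assumed madCodeHook usage: HookAPI fills this with the original entry point.
  CreateFileWNext: function(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD;
    lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition,
    dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;
  InitState: Integer = 0;   // 0 = not started, 1 = starting, 2 = worker running
  WorkerThread: THandle = 0;

// Hypothetical background worker (e.g. draining a log queue). It lives here,
// never in the initialization section, because on XP/2003 the injector's native
// thread is unknown to CSRSS and CreateThread would fail there.
function WorkerProc(Param: Pointer): DWORD; stdcall;
begin
  Sleep(INFINITE);
  Result := 0;
end;

procedure EnsureWorkerStarted;
var
  ThreadId: DWORD;
begin
  // Called from a hook callback, i.e. from a thread CSRSS already knows about,
  // so CreateThread succeeds even on the legacy systems discussed above.
  if InterlockedCompareExchange(InitState, 1, 0) = 0 then
  begin
    WorkerThread := CreateThread(nil, 0, @WorkerProc, nil, 0, ThreadId);
    if WorkerThread = 0 then
      InterlockedExchange(InitState, 0)   // let a later call retry
    else
      InterlockedExchange(InitState, 2);
  end;
end;

function CreateFileWCallback(lpFileName: PWideChar; dwDesiredAccess, dwShareMode: DWORD;
  lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition,
  dwFlagsAndAttributes: DWORD; hTemplateFile: THandle): THandle; stdcall;
begin
  EnsureWorkerStarted;   // runs in the caller's proper Win32 thread
  Result := CreateFileWNext(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
end;

begin
  // DLL_PROCESS_ATTACH: install the hook and nothing else; no threads are created here.
  HookAPI('kernel32.dll', 'CreateFileW', @CreateFileWCallback, @CreateFileWNext);
end.
```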
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: madCodeHook XP/2K3 remote session bug

Post by iconic »

> If the hook dll accesses wininet in a hook callback function, that usually happens in the context of a "proper" thread, so there it should work.
You're right about this scenario. But not all DLLs are strictly injected for hooking purposes; maybe a DLL just needs other access to the address space of the remote process, or simply needs to register some notification, subclass a window, log some event, etc. Here's a different scenario: say a user chooses to create an ipc queue within his/her injected DLL inside DllMain. Strange, I know, but I've actually had to do this myself in the past for various reasons. If CreateIpcQueue(Ex) is using a thread to process IPC requests, it will fail at kernel32!CreateThread. Of course you could change any CreateThread calls inside this API to use RtlCreateUserThread and it would prevent the problem; however, with any threads created by additional libraries that may be dependencies of the injected DLL you still have the same issue with CreateThread failing, so it's just a mask and doesn't really address the issue completely.
> BTW, thanks a lot for occasionally providing support on these forums. I appreciate the help!
No problem.

I'll email you the details of how I circumvented this legacy issue before the weekend. Is madshi (at) gmail (dot) com alright or do I need another email address?

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: madCodeHook XP/2K3 remote session bug

Post by madshi »

That's my main email address. Thanks.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: madCodeHook XP/2K3 remote session bug

Post by iconic »

You've got mail.

--Iconic