Process started processing before injection took place

Postby manutai » Thu Sep 03, 2015 5:41 am

Hi

I am doing system-wide injection using drivers.
My DLL hooks a few registry APIs and masks some values.
The issue I faced on Windows 10 is that before my DLL got injected into the process, it had already started processing.
Which means that before my DLL can hook the APIs and do the necessary stuff, the process has already read the registry values and cached them.

Can you explain the injection process from the driver to me?
And can we do something about this?

Edit: One thing that I realized is that if I use API Monitor (by Rohitab.com) it shows that there are two threads running: in thread 1 it has started processing, and the driver injects my DLL in the second thread.
manutai
 
Posts: 81
Joined: Sun Aug 03, 2008 1:40 am

Re: Process started processing before injection took place

Postby madshi » Thu Sep 03, 2015 6:36 am

At the moment you start injection, a remote thread is created for every running process which injects your hook dll. For those processes which were already running at the time when you started injection, obviously your hook dll is injected after the processes already initialized.

However, the driver does not use remote threads at all. The driver works very differently. It patches every newly started process so that your hook DLL is injected before the EXE's "main" function is executed.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Process started processing before injection took place

Postby manutai » Thu Sep 03, 2015 6:43 am

Thanks for replying.

Yes, that should work perfectly, but it's a weird case.

For newly created processes it's behaving like I explained.

I am investigating further. It's happening on Windows 10 VM machines (not even on actual machines, i.e. laptops).
manutai
 
Posts: 81
Joined: Sun Aug 03, 2008 1:40 am

Re: Process started processing before injection took place

Postby madshi » Thu Sep 03, 2015 6:59 am

The driver definitely doesn't create threads.

So you have this problem only in VMs but not in real Windows 10 machines?
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Process started processing before injection took place

Postby manutai » Thu Sep 03, 2015 7:05 am

Yes,

Till now I am only facing this problem on VMs.
manutai
 
Posts: 81
Joined: Sun Aug 03, 2008 1:40 am

Re: Process started processing before injection took place

Postby madshi » Thu Sep 03, 2015 7:09 am

That's weird. I've no idea why VMs would behave differently to normal machines in regards to DLL injection.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Process started processing before injection took place

Postby iconic » Thu Sep 03, 2015 6:57 pm

Inside your hook DLL you can easily parse the program's AddressOfEntryPoint and write a debugbreak to the entrypoint, if this triggers then the process is not executing its entrypoint before your DLL has a chance to do anything. Now, it is possible that the process in question is executing code through earlier means such as thread local storage (TLS) callbacks or a statically linked DLL uses registry calls once it's initialized. Maybe this is what you're seeing?

P.S: @Madshi - Is this still relevant at all? I think he is seeing statically loaded modules calling registry APIs and nothing else
VMWARE_INJECTION_MODE - VMware: when disabling acceleration dll injection sometimes is delayed


--Iconic
iconic
 
Posts: 838
Joined: Wed Jun 08, 2005 5:08 am

Re: Process started processing before injection took place

Postby manutai » Fri Sep 04, 2015 9:23 am

Till now I have found that this is only happening if the machine doesn't have any antivirus installed.
In that case Windows Defender is active. Somehow it looks like Windows Defender is causing this problem.

Or, as iconic is saying, is it possible that the application I am injecting has statically linked DLLs and during startup of the application these DLLs are processing something? Though it looks very unlikely, as the issue is happening only on Windows 10 with Windows Defender.

PS: I am able to reproduce the same on laptops also, i.e. not VMs.

If you want to check at your end: the application in question is Adobe Reader 11.
manutai
 
Posts: 81
Joined: Sun Aug 03, 2008 1:40 am

Re: Process started processing before injection took place

Postby madshi » Fri Sep 04, 2015 9:30 am

So this only happens with one application? Can you try writing a small test application which in its "main" function does this:

1) Read some value from registry.
2) Show the read value in a MessageBox.

Then check if your hook catches the registry read. If it doesn't, there's obviously a problem. This would also make a much better test case than a complex application like Adobe Reader.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm
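The minimal test application madshi asks for, as an added example that is not code from this thread or from madCodeHook. It is written for a Unicode Delphi (2009 or later) and calls RegOpenKeyExW/RegQueryValueExW directly so that the hooked registry API is the one exercised; the key and value name (ProductName under CurrentVersion) are an arbitrary choice for the test.

```delphi
program RegReadTest;
{$APPTYPE GUI}
uses
  Windows;

// Read a REG_SZ value through the raw registry API (no TRegistry wrapper),
// so the call the hook DLL intercepts is exactly RegQueryValueExW.
function ReadRegString(Root: HKEY; const SubKey, ValueName: string;
  out Value: string): Boolean;
var
  Key: HKEY;
  DataType, DataSize: DWORD;
begin
  Result := False;
  Value := '';
  if RegOpenKeyExW(Root, PWideChar(SubKey), 0, KEY_QUERY_VALUE, Key) <> ERROR_SUCCESS then
    Exit;
  try
    // First call: ask for the size and type only.
    DataSize := 0;
    if (RegQueryValueExW(Key, PWideChar(ValueName), nil, @DataType, nil, @DataSize) = ERROR_SUCCESS)
       and (DataType = REG_SZ) and (DataSize > 0) then
    begin
      SetLength(Value, DataSize div SizeOf(WideChar));
      // Second call: fetch the data into the buffer.
      if RegQueryValueExW(Key, PWideChar(ValueName), nil, nil,
           PByte(PWideChar(Value)), @DataSize) = ERROR_SUCCESS then
      begin
        // DataSize includes the terminating NUL; trim to the real length.
        SetLength(Value, lstrlenW(PWideChar(Value)));
        Result := True;
      end;
    end;
  finally
    RegCloseKey(Key);
  end;
end;

var
  S: string;
begin
  // Everything happens in "main": if the hook DLL is in place before the
  // entry point runs, the MessageBox shows the masked value, not the real one.
  if ReadRegString(HKEY_LOCAL_MACHINE,
       'SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'ProductName', S) then
    MessageBoxW(0, PWideChar('ProductName = ' + S), 'RegReadTest', MB_OK)
  else
    MessageBoxW(0, 'registry read failed', 'RegReadTest', MB_OK or MB_ICONERROR);
end.
```

Run it with the driver-based injection enabled: if the box shows the unmasked value, the read happened before the hook DLL was active in that process, which isolates the problem from Adobe Reader's own startup behaviour.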

