Process started processing before injection took place

Posted: Thu Sep 03, 2015 5:41 am
by manutai
Hi

I am doing system-wide injection using drivers.
My DLL hooks a few registry APIs and masks some values.
The issue I faced on Windows 10 is that before my DLL got injected into the process, the process had already started.
Which means that before my DLL can hook the APIs and do the necessary stuff, the process has already read the registry values and cached them.

Can you explain the injection process from the driver to me?
And can we do something about this?

Edit: One thing that I realized is that if I use API Monitor (by Rohitab.com), it shows that there are two threads running; in thread 1 it has started processing, and the driver injects my DLL in the second thread.

Re: Process started processing before injection took place

Posted: Thu Sep 03, 2015 6:36 am
by madshi
In the moment when you start injection, a remote thread is created for every running process which injects your hook dll. For those processes which were already running at the time when you started injection, obviously your hook dll is injected after the processes already initialized.

However, the driver does not use remote threads at all. The driver works very differently. It patches every newly started process so that your hook DLL is injected before the EXE's "main" function is executed.

Re: Process started processing before injection took place

Posted: Thu Sep 03, 2015 6:43 am
by manutai
Thanks for replying.

Yes, that should work perfectly, but it's a weird case.

For newly created processes it's behaving like I explained.

I am investigating further. It's happening on Windows 10 VM machines (not on actual machines such as laptops).

Re: Process started processing before injection took place

Posted: Thu Sep 03, 2015 6:59 am
by madshi
The driver definitely doesn't create threads.

So you have this problem only in VMs but not in real Windows 10 machines?

Re: Process started processing before injection took place

Posted: Thu Sep 03, 2015 7:05 am
by manutai
Yes,

Till now I am only facing this problem on VMs.

Re: Process started processing before injection took place

Posted: Thu Sep 03, 2015 7:09 am
by madshi
That's weird. I've no idea why VMs would behave differently to normal machines in regards to DLL injection.

Re: Process started processing before injection took place

Posted: Thu Sep 03, 2015 6:57 pm
by iconic
Inside your hook DLL you can easily parse the program's AddressOfEntryPoint and write a debugbreak to the entrypoint, if this triggers then the process is not executing its entrypoint before your DLL has a chance to do anything. Now, it is possible that the process in question is executing code through earlier means such as thread local storage (TLS) callbacks or a statically linked DLL uses registry calls once it's initialized. Maybe this is what you're seeing?

P.S: @Madshi - Is this still relevant at all? I think he is seeing statically loaded modules calling registry APIs and nothing else
VMWARE_INJECTION_MODE - VMware: when disabling acceleration dll injection sometimes is delayed
--Iconic

Re: Process started processing before injection took place

Posted: Fri Sep 04, 2015 9:23 am
by manutai
Till now I have found that this is only happening if the machine doesn't have any antivirus installed.
In that case Windows Defender is active. Somehow it looks like Windows Defender is causing this problem.

Or, as iconic is saying... is it possible that the application I am injecting into has statically linked DLLs, and during startup of the application these DLLs are processing something? Though it looks very unlikely, as the issue is happening only on Windows 10 with Windows Defender.

PS: I am able to reproduce the same on laptops also, i.e. not VMs.

If you want to check at your end, the application in question is Adobe Reader 11.

Re: Process started processing before injection took place

Posted: Fri Sep 04, 2015 9:30 am
by madshi
So this only happens with one application? Can you try writing a small test application which in its "main" function does this:

1) Read some value from registry.
2) Show the read value in a MessageBox.

Then check if your hook catches the registry read. If it doesn't, there's obviously a problem. This would also make a much better test case than a complex application like Adobe Reader.
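The two-step test madshi describes, written out as an added example (this is not code from the thread, from madshi, or from madCodeHook). It is a PowerShell script instead of a compiled EXE: the parent run prepares a marker value, then launches a brand-new powershell.exe process so that the driver's start-up injection, not a remote thread, is what decides whether the read is hooked; the child reads the value through Microsoft.Win32.Registry (which calls advapi32's RegQueryValueEx underneath) and shows what it saw in a MessageBox. The key name HKCU:\Software\HookInjectionTest, the value name Marker, and the data unmasked-value are constructed for this example; substitute the key and value your hook actually masks.

```powershell
# Added example, not part of the original thread: minimal registry-read test for
# a freshly started process. Run with no arguments; the -Child branch is only
# used by the process this script spawns.
param([switch]$Child)

# Constructed test location and data (assumptions, not values from the thread).
$KeyPath      = 'HKCU:\Software\HookInjectionTest'
$RawKeyPath   = 'HKEY_CURRENT_USER\Software\HookInjectionTest'
$ValueName    = 'Marker'
$Expected     = 'unmasked-value'

if ($Child) {
    # Child process: this is the "main function" of the test. The read happens
    # here, after process start-up, so a working driver injection should already
    # have installed the hook DLL by the time this line executes.
    $observed = [Microsoft.Win32.Registry]::GetValue($RawKeyPath, $ValueName, '<missing>')

    # If the hook masks the value, what we read differs from what was written.
    $verdict = if ($observed -eq $Expected) {
        'NOT masked: the hook did not intercept this read'
    } else {
        'masked: the hook intercepted this read'
    }

    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.MessageBox]::Show(
        "PID $PID read '$observed' for $RawKeyPath\$ValueName`n$verdict",
        'Registry hook test') | Out-Null
    exit 0
}

# Parent: write the marker value, then start a new process to do the read.
# The parent may itself have been running before injection started; that does
# not matter, because only the child's start-up path is being tested.
New-Item -Path $KeyPath -Force | Out-Null
Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected

$childArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass',
               '-File', "`"$PSCommandPath`"", '-Child')
$proc = Start-Process -FilePath 'powershell.exe' -ArgumentList $childArgs -PassThru -Wait
"child process exited with code $($proc.ExitCode)"
```

If the MessageBox reports the unmasked value here, the hook is not catching reads made after start-up at all, which is the "obvious problem" case; if it reports the masked value, the hook works and the Adobe Reader symptom comes from reads that happen earlier than this script can reach, such as TLS callbacks or statically linked DLLs initializing before the entry point.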