Process started processing before injection took place

c++ / delphi package - dll injection and api hooking
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Process started processing before injection took place

Post by manutai »

Hi

I am doing system-wide injection using drivers.
My DLL hooks a few registry APIs and masks some values.
The issue I faced on Windows 10 is that the process had already started processing before my DLL got injected into it.
Which means that before my DLL can hook the APIs and do the necessary stuff, the process has already read the registry values and cached them.

Can you explain to me the injection process from the driver?
And can we do something about this?

Edit: One thing that I realized is that if I use API Monitor (by rohitab.com), it shows that there are two threads running: in thread 1 it has started processing, and the driver injects my DLL in the second thread.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Process started processing before injection took place

Post by madshi »

At the moment when you start injection, a remote thread is created for every running process, which injects your hook DLL. For those processes which were already running at the time when you started injection, obviously your hook DLL is injected after the processes already initialized.

However, the driver does not use remote threads at all. The driver works very differently. It patches every newly started process so that your hook DLL is injected before the EXE's "main" function is executed.
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: Process started processing before injection took place

Post by manutai »

Thanks for replying.

Yes, that should work perfectly, but it's a weird case.

For newly created processes it's behaving like I explained.

I am investigating further. It's happening on Windows 10 VM machines (not on actual machines, e.g. laptops).
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Process started processing before injection took place

Post by madshi »

The driver definitely doesn't create threads.

So you have this problem only in VMs but not in real Windows 10 machines?
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: Process started processing before injection took place

Post by manutai »

Yes,

till now I am only facing this problem on VMs.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Process started processing before injection took place

Post by madshi »

That's weird. I've no idea why VMs would behave differently to normal machines in regards to DLL injection.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Process started processing before injection took place

Post by iconic »

Inside your hook DLL you can easily parse the program's AddressOfEntryPoint and write a debugbreak to the entry point; if this triggers, then the process is not executing its entry point before your DLL has a chance to do anything. Now, it is possible that the process in question is executing code through earlier means, such as thread local storage (TLS) callbacks, or a statically linked DLL uses registry calls once it's initialized. Maybe this is what you're seeing?

P.S.: @Madshi - Is this still relevant at all? I think he is seeing statically loaded modules calling registry APIs and nothing else:
VMWARE_INJECTION_MODE - VMware: when disabling acceleration dll injection sometimes is delayed
--Iconic
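The header walk iconic describes, as an added example that is not part of this thread and not code from the madCodeHook package: a hook DLL that wants to know whether the host EXE can run code before AddressOfEntryPoint can read the entry point and the TLS directory straight out of the mapped image, because TLS callbacks (like the DllMain of statically imported DLLs) run before the entry point, and a registry read made from there is invisible to hooks installed at the entry point. The parser uses only the offsets from the PE format, so it builds without the Windows SDK, and it runs here on a constructed in-memory PE32+ header rather than a real executable. The names pe_init_info, has_pre_entry_tls, build_sample_image and sample_tls_callbacks are mine; inside a real hook DLL you would pass the value of GetModuleHandle(NULL) as both img and mapped_base.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* What a hook DLL wants to know about its host EXE: where the entry point is and
 * whether TLS callbacks exist, since those run before AddressOfEntryPoint.
 * Assumes a little-endian host (PE itself is little-endian). */
typedef struct {
    uint16_t magic;         /* 0x10B = PE32, 0x20B = PE32+ */
    uint32_t entry_rva;     /* AddressOfEntryPoint */
    uint64_t image_base;    /* ImageBase from the optional header */
    uint32_t tls_rva;       /* TLS directory RVA, 0 if the image has none */
    int      tls_callbacks; /* entries in the TLS callback array; -1 if present but unreadable */
} PeInitInfo;

static int in_bounds(size_t off, size_t n, size_t len) { return off <= len && n <= len - off; }
static uint16_t rd16(const uint8_t *p, size_t o) { uint16_t v; memcpy(&v, p + o, 2); return v; }
static uint32_t rd32(const uint8_t *p, size_t o) { uint32_t v; memcpy(&v, p + o, 4); return v; }
static uint64_t rd64(const uint8_t *p, size_t o) { uint64_t v; memcpy(&v, p + o, 8); return v; }

/* Parse a MAPPED image (RVA == offset from img), e.g. GetModuleHandle(NULL) inside the
 * hook DLL. mapped_base is the VA the image really sits at: TLS callback entries are
 * absolute VAs the loader relocates, so the actual base is needed to turn them back
 * into RVAs; pass 0 for an unrelocated image. Returns 0 on success, negative on error. */
int pe_init_info(const uint8_t *img, size_t len, uint64_t mapped_base, PeInitInfo *out)
{
    memset(out, 0, sizeof *out);
    if (!in_bounds(0, 64, len) || rd16(img, 0) != 0x5A4D) return -1;        /* "MZ" */
    uint32_t nt = rd32(img, 0x3C);                                          /* e_lfanew */
    if (!in_bounds(nt, 24, len) || rd32(img, nt) != 0x00004550) return -2;  /* "PE\0\0" */
    size_t   opt = nt + 24;                  /* optional header follows the 20-byte file header */
    uint16_t opt_size = rd16(img, nt + 20);  /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    if (opt_size < 2 || !in_bounds(opt, opt_size, len)) return -3;
    out->magic = rd16(img, opt);
    int plus = out->magic == 0x20B;
    if (!plus && out->magic != 0x10B) return -4;
    if (opt_size < (plus ? 112u : 96u)) return -3;
    out->entry_rva  = rd32(img, opt + 16);   /* same offset in PE32 and PE32+ */
    out->image_base = plus ? rd64(img, opt + 24) : rd32(img, opt + 28);
    uint32_t ndirs = rd32(img, opt + (plus ? 108 : 92));   /* NumberOfRvaAndSizes */
    size_t   dirs  = opt + (plus ? 112 : 96);              /* DataDirectory[] */
    if (ndirs <= 9 || !in_bounds(dirs, (size_t)ndirs * 8, len)) return 0;   /* no TLS slot */
    uint32_t tls_rva = rd32(img, dirs + 9 * 8), tls_size = rd32(img, dirs + 9 * 8 + 4);
    if (tls_rva == 0 || tls_size == 0) return 0;                            /* no TLS directory */
    out->tls_rva = tls_rva;  out->tls_callbacks = -1;
    size_t psz = plus ? 8 : 4;
    if (!in_bounds(tls_rva, 4 * psz + 8, len)) return 0;
    /* IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
     * AddressOfCallBacks (four pointer-sized VAs), then SizeOfZeroFill, Characteristics */
    uint64_t cb_va = plus ? rd64(img, tls_rva + 24) : rd32(img, tls_rva + 12);
    uint64_t base  = mapped_base ? mapped_base : out->image_base;
    if (cb_va == 0) { out->tls_callbacks = 0; return 0; }
    if (cb_va < base) return 0;                 /* points outside this image: leave -1 */
    size_t cb = (size_t)(cb_va - base);
    for (int n = 0; n <= 64 && in_bounds(cb, psz, len); n++, cb += psz) {
        uint64_t fn = plus ? rd64(img, cb) : rd32(img, cb);
        if (fn == 0) { out->tls_callbacks = n; break; }                     /* NULL-terminated */
    }
    return 0;
}

/* The question the hook DLL actually asks. Unreadable TLS counts as "yes" (conservative). */
int has_pre_entry_tls(const PeInitInfo *info) { return info->tls_callbacks != 0; }

/* Constructed sample (not a real executable): a minimal PE32+ header laid out as the loader
 * would map it, with a TLS directory at RVA 0x200 whose NULL-terminated callback array at
 * RVA 0x240 holds `ncallbacks` fake entries; 0 means no TLS directory at all. */
#define SAMPLE_BASE 0x140000000ULL
#define SAMPLE_LEN  0x300
size_t build_sample_image(uint8_t *buf, size_t cap, int ncallbacks)
{
    if (cap < SAMPLE_LEN || ncallbacks < 0 || ncallbacks > 8) return 0;
    memset(buf, 0, SAMPLE_LEN);
    uint32_t nt = 0x80;  uint16_t machine = 0x8664, opt_size = 240, magic = 0x20B;
    uint32_t entry = 0x1000, ndirs = 16;  uint64_t base = SAMPLE_BASE;  size_t opt = nt + 24;
    buf[0] = 'M'; buf[1] = 'Z';            memcpy(buf + 0x3C, &nt, 4);
    memcpy(buf + nt, "PE\0\0", 4);         memcpy(buf + nt + 4, &machine, 2);
    memcpy(buf + nt + 20, &opt_size, 2);   memcpy(buf + opt, &magic, 2);
    memcpy(buf + opt + 16, &entry, 4);     memcpy(buf + opt + 24, &base, 8);
    memcpy(buf + opt + 108, &ndirs, 4);
    if (ncallbacks > 0) {
        uint32_t tls_rva = 0x200, tls_size = 40;  uint64_t cb_va = SAMPLE_BASE + 0x240;
        memcpy(buf + opt + 112 + 9 * 8, &tls_rva, 4);
        memcpy(buf + opt + 112 + 9 * 8 + 4, &tls_size, 4);
        memcpy(buf + 0x200 + 24, &cb_va, 8);   /* AddressOfCallBacks */
        for (int i = 0; i < ncallbacks; i++) {
            uint64_t fn = SAMPLE_BASE + 0x2000 + 0x10 * (uint64_t)i;  /* fake callback VAs */
            memcpy(buf + 0x240 + 8 * i, &fn, 8);
        }
    }
    return SAMPLE_LEN;
}

/* Build the sample with n fake callbacks and report what the parser counts; -100 on error. */
int sample_tls_callbacks(int ncallbacks)
{
    uint8_t buf[SAMPLE_LEN]; PeInitInfo info;
    size_t len = build_sample_image(buf, sizeof buf, ncallbacks);
    return (len && pe_init_info(buf, len, 0, &info) == 0) ? info.tls_callbacks : -100;
}
```

On a real process the image is usually relocated by ASLR, which is why the parser takes the actual base rather than trusting ImageBase from the header; with the wrong base the callback pointers fall outside the image and the count is reported as unreadable (-1), which has_pre_entry_tls deliberately treats as "code may run before the entry point". A TLS count of zero does not prove the entry point runs first: DllMain of every statically imported DLL still runs before it, which is the other case iconic names.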
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: Process started processing before injection took place

Post by manutai »

Till now I have found that this is only happening if the machine doesn't have any antivirus installed.
In that case Windows Defender is active. Somehow it looks like Windows Defender is causing this problem.

Or, as iconic is saying, is it possible that the application I am injecting into has statically linked DLLs and, during startup of the application, these DLLs are processing something? Though it looks very unlikely, as the issue is happening only on Windows 10 with Windows Defender.

PS: I am able to reproduce the same on laptops also, i.e. not VMs.

If you want to check at your end, the application in question is Adobe Reader 11.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Process started processing before injection took place

Post by madshi »

So this only happens with one application? Can you try writing a small test application which in its "main" function does this:

1) Read some value from registry.
2) Show the read value in a MessageBox.

Then check if your hook catches the registry read. If it doesn't, there's obviously a problem. This would also make a much better test case than a complex application like Adobe Reader.