Windows 10 SearchUI.exe

c++ / delphi package - dll injection and api hooking

Postby dudul » Wed Sep 09, 2015 3:11 pm

Hi,
I have a problem on Windows 10 only.
Sometimes when I uninject, some of the injected files still stay captured by the Windows 10 SearchUI.exe process.

It works perfect on Windows/7/8/8.1.

Any suggestions?

Thank you in advance
dudul
 
Posts: 7
Joined: Wed Sep 09, 2015 3:00 pm

Re: Windows 10 SearchUI.exe

Postby madshi » Wed Sep 09, 2015 3:27 pm

Is it a Metro app? Maybe it's suspended? Does it also occur with the precompiled demos? E.g. try this one for double checking:

http://madshi.net/PrintMonitor.zip
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Postby iconic » Wed Sep 09, 2015 8:09 pm

It's a Metro app and yes, it is often suspended. New remote threads will not execute until the process is unsuspended, so in this case that's why a DLL would remain injected despite a call to UninjectLibrary.

[Attachment: metro_susp.png]


--Iconic
iconic
 
Posts: 789
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 SearchUI.exe

Postby madshi » Thu Sep 10, 2015 6:52 am

@iconic, have you found a way yet to manually resume Metro apps? I've tried but didn't find anything on a quick look...
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Postby iconic » Thu Sep 10, 2015 7:30 am

Yes, but it's ugly; an example that uses the new UI and JavaScript can be seen here: https://code.msdn.microsoft.com/windowsapps/App-activating-and-ec15b168. Unfortunately, even low-level calls such as NtResumeProcess return STATUS_SUCCESS but do not actually remove any running threads from a wait state, nor does targeting your remote thread specifically with NtResumeThread(YourThread, @dwPrevCount). It seems you have to comply with their UI containers to really do anything with the app's state. Not a huge fan of modern UI apps, but the entire purpose of suspending apps not in the foreground is to gain performance when they are not being used, which makes sense, since they're not eating up CPU.


--Iconic
Last edited by iconic on Thu Sep 10, 2015 7:32 am, edited 1 time in total.
iconic
 
Posts: 789
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 SearchUI.exe

Postby madshi » Thu Sep 10, 2015 7:32 am

Yeah, I tried NtResumeProcess myself already. You say an example can be seen "here", but where is "here"?

I agree that suspending Metro apps might make sense, but it's weird that there's no API to control that from the outside. I don't want to resume them completely, just want to make injection/uninjection succeed. Especially uninjection is kinda important, so e.g. a hook dll can be replaced with a new build.
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Postby iconic » Thu Sep 10, 2015 7:33 am

Just edited and posted the link

--Iconic
iconic
 
Posts: 789
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 SearchUI.exe

Postby madshi » Thu Sep 10, 2015 7:35 am

Hmmm... That link just seems to describe how to handle suspend/resume events from inside an app. It doesn't seem to explain how to suspend/resume any specific other app? Or am I missing something?
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Postby iconic » Thu Sep 10, 2015 7:50 am

Metro apps are intentionally isolated this way, so from what I see MS doesn't give developers documented APIs for outside control, especially not on a per-thread basis, which is all you'd need, since you only want your remote thread to execute without being forcefully suspended, without affecting other threads you did not create and don't want to manage. This might be possible with PowerShell or WMI, but I haven't tested the waters yet. It's a pain, as you mentioned, if you want to swap out DLL builds and one is trapped inside a Metro app that is suspended and sleeping indefinitely. If I play with it this week I'll email you; I need to address this myself as well.

--Iconic
iconic
 
Posts: 789
Joined: Wed Jun 08, 2005 5:08 am
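The two posts above (iconic's explanation that a remote thread never runs while the Store app is suspended, and the later remark that PowerShell might help) suggest a diagnostic that is worth having before concluding an UninjectLibrary call "failed": confirm whether the target process is actually sitting in a suspended wait, and whether the hook DLL is still mapped in it. The following PowerShell script is an added example written for this page; it is not madCodeHook code and was not posted by anyone in the thread. It only reports state and does not resume anything. It assumes an elevated session (module lists of other users' processes are otherwise unreadable) and uses `MyHook.dll` as a placeholder for your own hook DLL's file name.

```powershell
# Added diagnostic example (not madCodeHook code, not from any poster in this thread).
# Lists processes whose threads are ALL in a suspended wait, the state a backgrounded
# Store/Metro app such as SearchUI.exe typically sits in, and reports whether a given
# DLL is still mapped in each of them.
# Assumptions: run elevated; $HookDll is a placeholder, replace it with your DLL name.
param(
    [string]$HookDll = 'MyHook.dll'   # placeholder name, not a real file from the thread
)

function Get-SuspendedProcess {
    # System.Diagnostics reports a suspended thread as ThreadState 'Wait'
    # with WaitReason 'Suspended'; a process is treated as suspended when
    # every one of its threads is in that state.
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_
        $threads = @($p.Threads)
        if ($threads.Count -eq 0) { return }
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
        })
        if ($suspended.Count -eq $threads.Count) {
            [pscustomobject]@{
                Id        = $p.Id
                Name      = $p.ProcessName
                Threads   = $threads.Count
                Suspended = $suspended.Count
            }
        }
    }
}

function Test-DllLoaded {
    # Returns $true/$false when the module list is readable, $null when it is not
    # (access denied on protected or cross-session processes).
    param([int]$ProcessId, [string]$DllName)
    try {
        $p = Get-Process -Id $ProcessId -ErrorAction Stop
        return [bool]($p.Modules | Where-Object { $_.ModuleName -ieq $DllName })
    } catch {
        return $null
    }
}

Get-SuspendedProcess | ForEach-Object {
    $loaded = Test-DllLoaded -ProcessId $_.Id -DllName $HookDll
    $_ | Add-Member -NotePropertyName HookStillLoaded -NotePropertyValue $loaded -PassThru
} | Format-Table -AutoSize
```

A process that shows up here with HookStillLoaded set to True is exactly the case the thread describes: the unload thread was queued but cannot run until the app is brought back to the foreground (or, as the later posts note, the process is destroyed). Running the script again after activating the app is a cheap way to distinguish "suspended, will unload later" from a genuine uninjection failure.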

Re: Windows 10 SearchUI.exe

Postby madshi » Thu Sep 10, 2015 7:51 am

That'd be great - thanks! :)
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Postby jonny_valentine » Tue Apr 12, 2016 1:53 pm

Just to confirm, this is an issue, and so far the only way to update/replace hook DLLs that are trapped inside the suspended process is to destroy the process, which is OK because Windows just starts the process again. Still annoying, though.
jonny_valentine
 
Posts: 108
Joined: Thu Dec 30, 2004 9:59 pm
Location: UK

Re: Windows 10 SearchUI.exe

Postby madshi » Tue Apr 12, 2016 3:28 pm

Still don't have a good solution... :(
madshi
Site Admin
 
Posts: 9265
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Postby iconic » Tue Apr 12, 2016 11:21 pm

If a user has text in notepad or calculations in calculator I don't find destroying the process a viable solution. From playing with Windows Store Apps it appears that you will have to coax the runtime broker process to unsuspend the thread of interest or the process as a whole. Think of these application container processes as sandboxes and the runtime broker as the command center, so to speak.

--Iconic
iconic
 
Posts: 789
Joined: Wed Jun 08, 2005 5:08 am
