Windows 10 SearchUI.exe

c++ / delphi package - dll injection and api hooking
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Windows 10 SearchUI.exe

Post by dudul »

Hi,
I have a problem on Windows 10 only.
Sometimes when I uninject, some of the injected files still stay captured by the Windows 10 SearchUI.exe process.

It works perfect on Windows/7/8/8.1.

Any suggestions?

Thank you in advance
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Post by madshi »

Is it a Metro app? Maybe it's suspended? Does it also occur with the precompiled demos? E.g. try this one for double checking:

http://madshi.net/PrintMonitor.zip
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 SearchUI.exe

Post by iconic »

It's a Metro app, and yes, it is often suspended. New remote threads will not execute until the process is unsuspended, so in this case that's why a DLL would remain injected despite a call to UninjectLibrary.
metro_susp.png
--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Post by madshi »

@iconic, have you found a way yet to manually resume Metro apps? I've tried but didn't find anything on a quick look...
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 SearchUI.exe

Post by iconic »

Yes, but it's ugly, and an example that uses the new UI and JavaScript can be seen here: https://code.msdn.microsoft.com/windows ... d-ec15b168. Unfortunately, even low-level calls such as NtResumeProcess return STATUS_SUCCESS but do not actually remove any running threads from a wait state, nor does targeting your remote thread specifically with NtResumeThread(YourThread, @dwPrevCount). It seems you have to comply with their UI containers to really do anything with the app's state. I'm not a huge fan of modern UI apps, but the entire purpose of suspending apps not in the foreground is to gain performance when they are not being used, which makes sense, since they're not eating up CPU.


--Iconic
Last edited by iconic on Thu Sep 10, 2015 7:32 am, edited 1 time in total.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Post by madshi »

Yeah, I tried NtResumeProcess myself already. You say an example can be seen "here", but where is "here"?

I agree that suspending Metro apps might make sense, but it's weird that there's no API to control that from the outside. I don't want to resume them completely, just want to make injection/uninjection succeed. Especially uninjection is kinda important, so e.g. a hook dll can be replaced with a new build.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 SearchUI.exe

Post by iconic »

Just edited and posted the link

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Post by madshi »

Hmmm... That link just seems to describe how to handle suspend/resume events from inside an app. It doesn't seem to explain how to suspend/resume any specific other app? Or am I missing something?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 SearchUI.exe

Post by iconic »

Metro apps are intentionally isolated this way, so from what I see MS doesn't give developers documented APIs for outside control, especially not on a per-thread basis, which is all you'd need, since you only want your remote thread to execute without being forcefully suspended and without affecting other threads you did not create and don't want to manage. This might be possible with PowerShell or WMI, but I haven't tested the waters yet. It's a pain, as you mentioned, if you want to swap out DLL builds and one is trapped inside a Metro app that is suspended and sleeping indefinitely. If I play with it this week I'll email you; I need to address this myself as well.

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Post by madshi »

That'd be great - thanks! :)
jonny_valentine
Posts: 109
Joined: Thu Dec 30, 2004 9:59 pm
Location: UK

Re: Windows 10 SearchUI.exe

Post by jonny_valentine »

Just to confirm, this is an issue, and so far the only way to update/replace hook DLLs that are trapped inside the suspended process is to destroy the process, which is OK because Windows just starts the process again. Still annoying, though.
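Added example, not code from madCodeHook or from any poster in this thread: a PowerShell check for the condition iconic describes above (every thread of the target sitting in the Suspended wait state, so a queued remote thread never runs) combined with the restart workaround jonny_valentine mentions. The process name (SearchUI) and the hook DLL name (MyHook.dll) are assumptions; substitute your own. Thread state and wait reason come from the documented .NET System.Diagnostics.ProcessThread API, which PowerShell exposes through Get-Process.

```powershell
# Added example (not madCodeHook code): report whether a UWP/"Metro" process is
# frozen. A frozen process has every thread in ThreadState Wait with WaitReason
# Suspended; remote threads created inside it do not execute until it resumes,
# so an injected hook DLL stays mapped even after UninjectLibrary is called.
# -RestartIfSuspended applies the workaround from this thread: terminate the
# process and let Windows relaunch it. That discards any in-app state.
param(
    [string]$ProcessName = 'SearchUI',    # assumption: target process name without .exe
    [string]$HookDll     = 'MyHook.dll',  # hypothetical hook DLL to look for
    [switch]$RestartIfSuspended
)

function Test-ProcessSuspended {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    # ProcessThread.WaitReason throws unless ThreadState is Wait, so the
    # ThreadState test must come first (-and short-circuits in PowerShell).
    $threads = @($Process.Threads)
    if ($threads.Count -eq 0) { return $false }
    $suspended = @($threads | Where-Object {
        $_.ThreadState -eq [System.Diagnostics.ThreadState]::Wait -and
        $_.WaitReason  -eq [System.Diagnostics.ThreadWaitReason]::Suspended
    })
    # Only "all threads suspended" counts; a single suspended thread is normal.
    return ($suspended.Count -eq $threads.Count)
}

function Test-ModuleLoaded {
    param([System.Diagnostics.Process]$Process, [string]$ModuleName)
    # Module enumeration of an AppContainer process can fail with access denied
    # or a 32/64-bit mismatch; report "unknown" ($null) instead of aborting.
    try {
        return [bool]($Process.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
    } catch {
        Write-Warning ("Cannot enumerate modules of PID {0}: {1}" -f $Process.Id, $_.Exception.Message)
        return $null
    }
}

$targets = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($targets.Count -eq 0) {
    Write-Host "No process named $ProcessName is running."
    return
}

foreach ($proc in $targets) {
    $isSuspended = Test-ProcessSuspended -Process $proc
    $loaded      = Test-ModuleLoaded -Process $proc -ModuleName $HookDll
    $state = if ($isSuspended) { 'SUSPENDED (remote threads will not run)' } else { 'running' }
    Write-Host ("{0} (PID {1}): {2}; {3} loaded: {4}" -f $proc.ProcessName, $proc.Id, $state, $HookDll, $loaded)

    if ($isSuspended -and $RestartIfSuspended) {
        # Windows restarts SearchUI on demand; the old image, and the stale hook DLL, are gone.
        Stop-Process -Id $proc.Id -Force
        Write-Host ("Terminated PID {0}; Windows will relaunch it when needed." -f $proc.Id)
    }
}
```

Run it before an uninject/re-inject cycle (for example `.\Check-Suspended.ps1 -ProcessName SearchUI -HookDll MyHook.dll`); if it reports SUSPENDED, the uninjection will not complete until the app is brought to the foreground or the process is restarted. Terminating the process works for SearchUI, which holds no user data, but as noted later in this thread it is not acceptable for apps with unsaved user state.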
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Post by madshi »

Still don't have a good solution... :(
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 SearchUI.exe

Post by iconic »

If a user has text in notepad or calculations in calculator I don't find destroying the process a viable solution. From playing with Windows Store Apps it appears that you will have to coax the runtime broker process to unsuspend the thread of interest or the process as a whole. Think of these application container processes as sandboxes and the runtime broker as the command center, so to speak.

--Iconic
ExPx
Posts: 34
Joined: Fri Oct 21, 2016 3:20 pm

Re: Windows 10 SearchUI.exe

Post by ExPx »

Hi all. Let's wake up the topic. I have this issue. Has anyone solved this?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 10 SearchUI.exe

Post by madshi »

Unfortunately no, as far as I'm aware. Microsoft simply doesn't seem to offer any APIs for this, not even in driver land... :(