CSRSS injection

c++ / delphi package - dll injection and api hooking
wassily
Posts: 12
Joined: Sun Dec 16, 2012 6:37 pm

CSRSS injection

Post by wassily »

I have seen the topic with the Vista csrss.exe injection issue but I can't inject my hook into csrss.exe at all, not in XP, not in Windows 7. I've created TestHook.exe calling LoadInjectionDriver / InjectLibraryW:

#include <tchar.h>
#include <stdio.h>
#include <conio.h>
#include <madCHook.h>   // madCodeHook C/C++ API (InjectLibraryW etc.)

int _tmain(int argc, _TCHAR* argv[])
{
	InitializeMadCHook();
	// Load the 32-bit / 64-bit injection drivers under the service name "TestHk".
	if (LoadInjectionDriver(L"TestHk", L"TestHk.sys", L"TestHk64.sys"))
	{
		// Inject TestHk.dll into all sessions; the include mask restricts the target to csrss.exe.
		BOOL injectResult = InjectLibraryW(L"TestHk", L"TestHk.dll", ALL_SESSIONS, TRUE, L"csrss.exe", NULL, NULL, 10000);
		wprintf(L"InjectLibraryW: %s; error: %d\n", injectResult ? L"OK" : L"FAILED", GetLastError());
		if (injectResult)
		{
			wprintf(L"Press any key to uninject\n");
			_getwch();
			BOOL uninjectResult = UninjectLibraryW(L"TestHk", L"TestHk.dll", ALL_SESSIONS, TRUE, L"csrss.exe", NULL, NULL, 10000);
			wprintf(L"UninjectLibraryW: %s; error: %d\n", uninjectResult ? L"OK" : L"FAILED", GetLastError());
		}
		StopInjectionDriver(L"TestHk");
	}
	else
		wprintf(L"LoadInjectionDriver error: %d\n", GetLastError());
	FinalizeMadCHook();
	return 0;
}
and a Visual Studio template TestHk.dll extended with a simple OutputDebugString(L"TestHk LOADED\n") call in DllMain / DLL_PROCESS_ATTACH (so TestHk.dll only has kernel32.dll imports).
If I remove the InjectLibraryW pIncludeMask parameter (L"csrss.exe" -> NULL) I can see the message being printed from winlogon, svchost and other system processes, but not csrss.exe. I plan to hook csrss.exe->csrsrv.dll!CsrCreateProcess.
What am I doing wrong?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: CSRSS injection

Post by iconic »

Hello,

I did this many years ago (6???) and posted my code on this forum. A few things to note: CSRSS is now a protected process on Windows (8?)8.1. That means you'll definitely not be able to even open this process with adequate injection rights and load a hook DLL from userspace; even kernel mode injection of a DLL on disk will fail, since protected processes use code integrity checks for loaded modules. Pre-Windows 8/8.1 it was easily feasible by enabling the SeDebugName privilege and injecting into CSRSS. As I mentioned years ago in my original post, each session (including terminal services) has its own instance of CSRSS, so each instance would need to be injected and CsrCreateProcess hooked. It's easier to just use a driver to get notifications of newly created processes, plus there is the benefit of added security (kind of funny considering you need admin rights to inject into CSRSS as well as for the actual loading of a driver; one is just easier to tamper with), and with a kernel driver nobody can just remove it without hacking into kernel space. My intention for the post was to create a backup system-wide injection method (all from usermode) with minimal work for the coder, one which didn't require a driver and all of these newfound "signing" problems we're now seeing with the SHA-1 phaseout.

Original link is here: viewtopic.php?t=5205

P.S: Vista didn't truly introduce the concept of process session isolation; XP also had it (Fast User Switching based on Terminal Services logic). It's the same concept and requires a separate instance of CSRSS to be spawned to oversee the new session's thread and process objects. Opt for a more secure and simple solution: use a kernel callback for process creations. It's a lot less work, unless you've no system-level development experience.

--Iconic
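As an added example (not code from this thread or from madCodeHook), here is the kernel-callback route iconic recommends: a WDM driver registering PsSetCreateProcessNotifyRoutineEx and logging creations of a chosen image name. The image-name matcher ImageTailMatches is a hypothetical helper kept free of kernel headers so it can be unit-tested in user mode; the driver section assumes a WDK build that defines _KERNEL_MODE, and notepad.exe is only a sample image name.

```c
#include <stddef.h>

/* Hypothetical helper (added example, not madCodeHook or the thread's code):
 * case-insensitive match of the LAST path component of a UNICODE_STRING-style
 * buffer against `tail`. PS_CREATE_NOTIFY_INFO.ImageFileName is counted
 * (Length in bytes) and is NOT guaranteed NUL-terminated, so never wcslen it. */
static int ImageTailMatches(const wchar_t *buf, unsigned short lengthBytes, const wchar_t *tail)
{
    size_t n = lengthBytes / sizeof(wchar_t), t = 0, i;
    while (tail[t] != L'\0') t++;
    if (buf == NULL || t == 0 || n < t) return 0;
    const wchar_t *last = buf + (n - t);
    if (last != buf && last[-1] != L'\\') return 0;  /* "notcsrss.exe" must not match "csrss.exe" */
    for (i = 0; i < t; i++) {
        wchar_t a = last[i], b = tail[i];
        if (a >= L'A' && a <= L'Z') a += L'a' - L'A';
        if (b >= L'A' && b <= L'Z') b += L'a' - L'A';
        if (a != b) return 0;
    }
    return 1;
}

#ifdef _KERNEL_MODE   /* driver part: assumes a WDK build (defines _KERNEL_MODE) */
#include <ntddk.h>

/* Called on every process create and exit; Info == NULL means exit. */
static void ProcessNotify(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO Info)
{
    UNREFERENCED_PARAMETER(Process);
    if (Info == NULL || Info->ImageFileName == NULL) return;
    /* Log creations of a chosen image (sample name); the parent is in Info->ParentProcessId. */
    if (ImageTailMatches(Info->ImageFileName->Buffer, Info->ImageFileName->Length, L"notepad.exe"))
        DbgPrint("create pid=%p parent=%p image=%wZ\n", ProcessId, Info->ParentProcessId, Info->ImageFileName);
}

static void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(ProcessNotify, TRUE);   /* TRUE = remove the callback */
}

/* The Ex routine requires the driver image to be linked with /INTEGRITYCHECK. */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetCreateProcessNotifyRoutineEx(ProcessNotify, FALSE);
}
#endif
```

Unlike the CSRSS hook, one registration covers every session, and the callback also sees the parent PID and command line that CsrCreateProcess would have had to be parsed for.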
wassily
Posts: 12
Joined: Sun Dec 16, 2012 6:37 pm

Re: CSRSS injection

Post by wassily »

Hello,
thank you for your explanations, guess I'm just gonna give up on the csrss hook and learn more about the PsSetCreateProcessNotifyRoutine way.