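/*
 * Console entry point for the TestHk injection test.
 *
 * Flow: initialize madCodeHook, load the "TestHk" injection driver
 * (32-bit and 64-bit driver images), inject TestHk.dll into the processes
 * selected by the include mask (here L"csrss.exe"), wait for a key press,
 * uninject again and stop the driver.
 *
 * Returns 0 when the injection succeeded and 1 when either the driver could
 * not be loaded or the injection failed, so the result can be checked by a
 * caller or script (the original always returned 0).
 *
 * NOTE(review): the meaning of the remaining InjectLibraryW/UninjectLibraryW
 * arguments (ALL_SESSIONS, TRUE, the two NULLs, 10000) is not established by
 * this file -- confirm against the madCodeHook header before relying on it.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    int exitCode = 1;

    (void)argc;
    (void)argv;

    InitializeMadCHook();

    if (!LoadInjectionDriver(L"TestHk", L"TestHk.sys", L"TestHk64.sys"))
    {
        /* Capture GetLastError() before any other call can overwrite it;
         * the original message printed neither the code nor a newline,
         * which made this failure path hard to diagnose. */
        unsigned long loadError = GetLastError();
        wprintf(L"LoadInjectionDriver: FAILED; error: %lu\n", loadError);
        return exitCode;
    }

    /* Fifth argument is the include mask (per the author's note it limits
     * injection to processes matching this name). */
    BOOL injectResult = InjectLibraryW(L"TestHk", L"TestHk.dll", ALL_SESSIONS, TRUE,
                                       L"csrss.exe", NULL, NULL, 10000);
    /* DWORD is unsigned long on Windows: %lu is the matching specifier, %d was not. */
    unsigned long injectError = GetLastError();
    wprintf(L"InjectLibraryW: %s; error: %lu\n", injectResult ? L"OK" : L"FAILED", injectError);

    if (injectResult)
    {
        wprintf(L"Press any key to uninject\n");
        _getwch();

        BOOL uninjectResult = UninjectLibraryW(L"TestHk", L"TestHk.dll", ALL_SESSIONS, TRUE,
                                               L"csrss.exe", NULL, NULL, 10000);
        unsigned long uninjectError = GetLastError();
        wprintf(L"UninjectLibraryW: %s; error: %lu\n", uninjectResult ? L"OK" : L"FAILED", uninjectError);
        exitCode = 0;
    }

    /* The driver was loaded above, so unload it on both the success and the
     * failed-injection path. Its return value is not checked, as before. */
    StopInjectionDriver(L"TestHk");
    return exitCode;
}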
If I remove the InjectLibraryW pIncludeMask parameter (L"csrss.exe" -> NULL), I can see the message being printed from winlogon, svchost and other system processes, but not from csrss.exe. I plan to hook csrss.exe->csrsrv.dll!CsrCreateProcess.
What am I doing wrong?