CSRSS injection
Posted: Wed Dec 16, 2015 8:33 pm
I have seen the topic with the Vista csrss.exe injection issue but I can't inject my hook into csrss.exe at all, not in XP, not in Windows 7. I've created TestHook.exe calling LoadInjectionDriver / InjectLibraryW (code below) and a Visual Studio template TestHk.dll extended with a simple OutputDebugString(L"TestHk LOADED\n") call in DllMain / DLL_PROCESS_ATTACH (so TestHk.dll only has kernel32.dll imports).
If I remove the InjectLibraryW pIncludeMask parameter (L"csrss.exe" -> NULL) I can see the message being printed from winlogon, svchost and other system processes but not csrss.exe. I plan to hook csrss.exe->csrsrv.dll!CsrCreateProcess.
What am I doing wrong?
```cpp
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
#include <conio.h>
#include "madCHook.h"   // madCodeHook API (InitializeMadCHook, LoadInjectionDriver, InjectLibraryW, ...)

int _tmain(int argc, _TCHAR* argv[])
{
    InitializeMadCHook();

    // Load the injection driver (32-bit and 64-bit binaries, driver name "TestHk")
    if (LoadInjectionDriver(L"TestHk", L"TestHk.sys", L"TestHk64.sys"))
    {
        // Inject TestHk.dll into all sessions including system processes,
        // restricted by the include mask to csrss.exe, 10 s timeout
        BOOL injectResult = InjectLibraryW(L"TestHk", L"TestHk.dll", ALL_SESSIONS, TRUE, L"csrss.exe", NULL, NULL, 10000);
        wprintf(L"InjectLibraryW: %s; error: %lu\n", injectResult ? L"OK" : L"FAILED", GetLastError());

        if (injectResult)
        {
            wprintf(L"Press any key to uninject\n");
            _getwch();

            // Same mask as above so only the processes injected into are touched
            BOOL uninjectResult = UninjectLibraryW(L"TestHk", L"TestHk.dll", ALL_SESSIONS, TRUE, L"csrss.exe", NULL, NULL, 10000);
            wprintf(L"UninjectLibraryW: %s; error: %lu\n", uninjectResult ? L"OK" : L"FAILED", GetLastError());
        }

        StopInjectionDriver(L"TestHk");
    }
    else
        wprintf(L"LoadInjectionDriver error: %lu\n", GetLastError());

    FinalizeMadCHook();
    return 0;
}
```
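A check that separates "the DLL is not in csrss.exe" from "csrss.exe did not emit anything I could see" is to read the module list of every process directly rather than relying on OutputDebugString. The PowerShell script below is an added example, not code from the original post and not part of madCodeHook; it assumes the DLL name TestHk.dll and the target csrss from the post, and it must be run from an elevated prompt with the same bitness as the target processes, because System.Diagnostics.Process cannot enumerate the modules of processes the current token cannot open (csrss.exe and winlogon.exe included when not elevated). Processes it cannot inspect are listed separately, so an absent debug message is never misread as a failed injection; from the defender's side, the same loop is what you run to spot a module in system processes that has no business being there.

```powershell
# Added example (not from the original post or from madCodeHook).
# Lists every process that has $ModuleName loaded, and every process whose
# module list could not be read, so the result is never silently inconclusive.
param(
    [string]$ModuleName = 'TestHk.dll'   # assumed name, taken from the post
)

$loaded  = New-Object System.Collections.Generic.List[object]
$blocked = New-Object System.Collections.Generic.List[object]

foreach ($proc in Get-Process) {
    try {
        # .Modules opens the process and walks its loaded modules; it throws
        # (access denied, 32/64-bit mismatch, protected process) for processes
        # the current token cannot inspect, csrss.exe included when not elevated.
        $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
        foreach ($m in $hits) {
            $loaded.Add([pscustomobject]@{
                Pid  = $proc.Id
                Name = $proc.ProcessName
                Path = $m.FileName
            })
        }
    }
    catch {
        $blocked.Add([pscustomobject]@{
            Pid    = $proc.Id
            Name   = $proc.ProcessName
            Reason = $_.Exception.Message
        })
    }
}

"Processes with $ModuleName loaded:"
$loaded | Format-Table -AutoSize

"Processes that could not be inspected (rerun elevated / matching bitness):"
$blocked | Format-Table -AutoSize

# Verdict for the process the post is about. 'csrss' is the ProcessName
# (no extension) that Get-Process reports for csrss.exe.
$target = 'csrss'
if ($loaded.Name -contains $target) {
    "RESULT: $ModuleName is loaded in $target.exe"
}
elseif ($blocked.Name -contains $target) {
    "RESULT: could not inspect $target.exe, check is inconclusive"
}
else {
    "RESULT: $ModuleName is NOT loaded in $target.exe"
}
```

Run it once with the include mask set to csrss.exe and once with the mask removed: the first run tells you whether the DLL reached csrss.exe at all, the second confirms the winlogon/svchost hits the debug output already showed and reveals any process that loaded the DLL without printing anything.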