'SystemProcesses' parameter of Inject Library function

c++ / delphi package - dll injection and api hooking

Post by manutai » Thu Jan 19, 2017 9:13 am

Hi MadShi,

We were exploring the meaning of the 'systemProcesses' parameter of the Inject Library function in the DLL injection section.
Currently, we are passing this as TRUE.

But we don't want to inject any DLL into system processes.
If we pass it as FALSE, which processes will it exclude?

We did a quick dry run, but it was still getting injected into conhost.exe.
We want to know what is the meaning of systemProcesses?

Does it mean processes running from the System account? Or processes which are part of the core OS?

Awaiting your reply.
manutai
 
Posts: 79
Joined: Sun Aug 03, 2008 1:40 am

Re: 'SystemProcesses' parameter of Inject Library function

Post by madshi » Mon Jan 30, 2017 11:51 am

Basically it's the user account the process runs under. madCodeHook looks at the process user SID to decide whether to inject or not. You can see the user name listed in the task manager.

Usually the system processes and services are excluded when you set "SystemProcesses = false", but when using stuff like "runas", things can become slightly more complicated.
madshi
Site Admin
 
Posts: 9387
Joined: Sun Mar 21, 2004 5:25 pm
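To check which account a process such as conhost.exe actually runs under, the owner SID can be listed per process. The following is an added example, not part of the thread and not madCodeHook code; the function name `Get-ProcessOwnerSid` is hypothetical, and the set of SIDs labelled as service accounts is an assumption, since the thread does not say which SIDs madCodeHook treats as "system".

```powershell
# Added example: lists the user SID each matching process runs under,
# the attribute the reply above says decides whether injection happens.

# ASSUMPTION: the thread does not list the SIDs madCodeHook treats as "system".
# These are the three built-in Windows service accounts, used for illustration.
$ServiceAccountSids = @{
    'S-1-5-18' = 'LocalSystem'
    'S-1-5-19' = 'LocalService'
    'S-1-5-20' = 'NetworkService'
}

function Get-ProcessOwnerSid {
    param([string]$Name = '*')   # wildcard pattern, e.g. 'conhost.exe'

    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -like $Name } |
        ForEach-Object {
            $p = $_
            # GetOwnerSid fails for processes whose token cannot be read.
            $r = Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid `
                                  -ErrorAction SilentlyContinue
            $sid = if ($r -and $r.ReturnValue -eq 0) { $r.Sid } else { $null }

            $category = if (-not $sid) {
                'unavailable'
            } elseif ($ServiceAccountSids.ContainsKey($sid)) {
                $ServiceAccountSids[$sid]
            } else {
                'other account'   # interactive users, "runas" targets, etc.
            }

            [pscustomobject]@{
                ProcessId = $p.ProcessId
                Name      = $p.Name
                SessionId = $p.SessionId
                Sid       = $sid
                Category  = $category
            }
        }
}

# Show the account behind every conhost.exe instance.
Get-ProcessOwnerSid -Name 'conhost.exe' | Format-Table -AutoSize
```

Run it from an elevated prompt to read the owner of processes belonging to other accounts; rows marked `unavailable` are processes whose owner could not be queried.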

