CreateProcessXXX hooking in Windows 7

c++ / delphi package - dll injection and api hooking
mitzi
Posts: 22
Joined: Fri Apr 04, 2008 9:53 am

CreateProcessXXX hooking in Windows 7

Post by mitzi »

I tried to hook all process creation API

HookAPI('kernel32.dll', 'CreateProcessW', @CreateProcessWCallback, @CreateProcessWNext);
HookAPI('kernel32.dll', 'CreateProcessA', @CreateProcessACallback, @CreateProcessANext);
HookAPI('kernel32.dll', 'WinExec',        @WinExecCallback,        @WinExecNext       );

HookAPI('advapi32.dll', 'CreateProcessAsUserW', @CreateProcessAsUserWCallback, @CreateProcessAsUserWNext);
HookAPI('advapi32.dll', 'CreateProcessAsUserA', @CreateProcessAsUserACallback, @CreateProcessAsUserANext);
HookAPI('advapi32.dll', 'CreateProcessWithLogonW', @CreateProcessWithLogonWCallback, @CreateProcessWithLogonWNext);
HookAPI('advapi32.dll', 'CreateProcessWithLogonA', @CreateProcessWithLogonACallback, @CreateProcessWithLogonANext);
HookAPI('advapi32.dll', 'CreateProcessWithTokenW', @CreateProcessWithTokenWCallback, @CreateProcessWithTokenWNext);

HookAPI('ntdll.dll','RtlCreateUserProcess',@RtlCreateUserProcessCallback,@RtlCreateUserProcessNext);
HookAPI('ntdll.dll','RtlCreateProcessParameters',@RtlCreateProcessParametersCallback,@RtlCreateProcessParametersNext);
HookAPI('ntdll.dll','NtCreateProcess',@NtCreateProcessCallback,@NtCreateProcessNext);
HookAPI('ntdll.dll','NtCreateProcessEx',@NtCreateProcessExCallback,@NtCreateProcessExNext);
Everything is OK, no problems with UAC, but I got strange results. Sometimes only CreateProcessAsUserW or CreateProcessW is used for running any system app in the background (so the hooks are working), but when I run any app from the menu or by double-click, I get no response from any CreateProcessXXX hook, so it seems none of these APIs is used.
Does anybody know how Seven creates new processes?
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Does the precompiled "HookProcessCreation" also fail to detect double clicks in Windows 7?
mitzi
Posts: 22
Joined: Fri Apr 04, 2008 9:53 am

Post by mitzi »

Yes, it does. No "IsAllowed" dialog is displayed.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Too bad. Will have to look into this.

You could try also hooking ShellExecuteA/W and ShellExecuteExA/W. In the older OSs they end up in CreateProcessA/W. Maybe in Windows 7 they don't, anymore. That should be the first thing to try...
mikec
Posts: 166
Joined: Sun Jul 16, 2006 9:01 pm
Location: UK

food for thought

Post by mikec »

Hmm, just because no dialog is displayed doesn't necessarily mean that the demo isn't working. There is a whole host of issues with displaying dialogs from services etc.

1) have you tried your code on Vista? Is this problem specific to Windows 7?

2) What are you actually doing with your hooks? You haven't shown any code. From what you have shown, I'd guess that you are getting some sort of circular issue. CreateProcessXX eventually calls NtCreateProcessXX, so if you're hooking the Win32 APIs, doing some validation and allowing them to progress, then you will end up doing your verification again because the native version will eventually be called.

HTH

Mike C
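The circular-validation problem Mike describes above can be handled with a per-thread re-entrancy counter, so the policy check runs once per logical launch whichever layer is reached first, while a caller that goes straight to the native layer is still checked. The following is an added example, not code from the thread or from madCodeHook: it stands in for the hook framework with plain function pointers (the `...Next` relay naming mirrors this page), uses a constructed allow/deny policy, and compiles as portable C so it can be run anywhere.

```c
/* Re-entrancy guard for layered process-creation hooks (added example, hook
   framework simulated; on Windows the two hooks would be installed with HookAPI
   on CreateProcessW and NtCreateUserProcess and the *_next functions would be
   the relay pointers HookAPI fills in). */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#if defined(_MSC_VER)
#  define THREAD_LOCAL __declspec(thread)
#else
#  define THREAD_LOCAL _Thread_local
#endif

/* Per-thread depth: > 0 means this thread is already inside one of our hooks. */
static THREAD_LOCAL int g_hook_depth = 0;
/* How many times the policy ran; only used by the demo and the test. */
static int g_validations = 0;

/* Constructed policy: deny any image that lives under a \Temp\ directory. */
static bool is_allowed(const char *image_path) {
    g_validations++;
    return strstr(image_path, "\\Temp\\") == NULL;
}

/* Stands in for the real NtCreateUserProcess (the "Next" relay). */
static bool native_create_user_process_next(const char *image_path) {
    (void)image_path;
    return true;
}

/* Native-layer hook: validate only when reached directly (depth 0), i.e. by a
   caller that bypassed kernel32; when our own Win32 hook is on the stack, relay. */
static bool native_hook(const char *image_path) {
    if (g_hook_depth == 0 && !is_allowed(image_path))
        return false;
    return native_create_user_process_next(image_path);
}

/* Stands in for the real CreateProcessW, which on Vista/7 ends up in the native
   layer, where our native hook sees the same launch again. */
static bool create_process_next(const char *image_path) {
    return native_hook(image_path);
}

/* Win32-layer hook: validate once, then mark the thread as "inside a hook" so the
   nested native hook relays instead of re-validating. The counter must be
   decremented on every exit path. */
static bool win32_hook(const char *image_path) {
    if (!is_allowed(image_path))
        return false;
    g_hook_depth++;
    bool ok = create_process_next(image_path);
    g_hook_depth--;
    return ok;
}

/* Demo/test helpers: drive a launch through a given entry point. */
int validations_for_win32_launch(const char *path) {
    g_validations = 0;
    win32_hook(path);
    return g_validations;      /* expected: 1, not 2 */
}
int validations_for_native_launch(const char *path) {
    g_validations = 0;
    native_hook(path);
    return g_validations;      /* expected: 1, the native layer still checks */
}
bool win32_launch_allowed(const char *path) {
    return win32_hook(path);
}

int main(void) {
    printf("win32 launch:  %d validation(s)\n",
           validations_for_win32_launch("C:\\Windows\\notepad.exe"));
    printf("native launch: %d validation(s)\n",
           validations_for_native_launch("C:\\Windows\\notepad.exe"));
    printf("temp launch allowed: %s\n",
           win32_launch_allowed("C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe") ? "yes" : "no");
    return 0;
}
```

Without the counter, a launch through CreateProcessW would prompt the user twice (once per layer), and the two answers could even disagree; with it, each layer is still a complete enforcement point on its own, which matters once a process creator skips the Win32 layer altogether.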
djsale
Posts: 21
Joined: Wed Dec 27, 2006 4:09 pm

Post by djsale »

Hi guys,

I'm facing the same problem. Hooking on Vista works fine, but on Windows 7 it fails :(

code snippet:

HookAPI('kernel32.dll', 'CreateProcessA', @CreateProcessACallback, @CreateProcessANext);
HookAPI('kernel32.dll', 'CreateProcessW', @CreateProcessWCallback, @CreateProcessWNext);

function CreateProcessACallback(appName, cmdLine: pchar;
                                processAttr, threadAttr: PSecurityAttributes;
                                inheritHandles: bool; creationFlags: dword;
                                environment: pointer; currentDir: pchar;
                                const startupInfo: TStartupInfo;
                                var processInfo: TProcessInformation) : bool; stdcall;
begin
  if not IsAllowed(appName, cmdLine) then begin
    // the user doesn't like this CreateProcess call, so we block it
    Result := False;
    SetLastError(ERROR_ACCESS_DENIED);
  end else begin
    Result := CreateProcessANext(appName, cmdLine, processAttr, threadAttr,
                                 inheritHandles, creationFlags,
                                 environment, currentDir,
                                 startupInfo, processInfo);
    // CreateProcess hooks are used very often, so to be sure we renew the hook
    RenewHook(@CreateProcessANext);
  end;
end; // CreateProcessACallback

//------------------------------------------------------------------------------------------
function CreateProcessWCallback(appName, cmdLine: pwidechar;
                                processAttr, threadAttr: PSecurityAttributes;
                                inheritHandles: bool; creationFlags: dword;
                                environment: pointer; currentDir: pwidechar;
                                const startupInfo: TStartupInfo;
                                var processInfo: TProcessInformation) : bool; stdcall;
begin
  if not IsAllowed(appName, cmdLine) then begin
    // the user doesn't like this CreateProcess call, so we block it
    Result := False;
    SetLastError(ERROR_ACCESS_DENIED);
  end else begin
    Result := CreateProcessWNext(appName, cmdLine, processAttr, threadAttr,
                                 inheritHandles, creationFlags,
                                 environment, currentDir,
                                 startupInfo, processInfo);
    // CreateProcess hooks are used very often, so to be sure we renew the hook
    RenewHook(@CreateProcessWNext);
  end;
end; // CreateProcessWCallback
Any help is highly appreciated!
mikec
Posts: 166
Joined: Sun Jul 16, 2006 9:01 pm
Location: UK

action plan...

Post by mikec »

Hey guys.

On the surface, there seems to be some stability problem with Windows 7. At the moment I am a week away from being at a point where I can 100% confirm this, but based on the two posts above, and testing appsniff on Windows 7, there seems to be an issue. I wasn't expecting this because I'd been led to believe that the core system and driver model were the same on Vista and Windows 7.

So, until I can look at this further:

1) djsale - can you explain what issue you are having? You have said that the hook fails, but what actually happens? Is it simply a case that process creation is not intercepted, or does HookApi() fail, or does the system crash? You have not provided enough information to let us make any guesses about what is happening.

If it is a stability issue, my first suggestion would be to strip out ALL your code and simply relay the hooked call on to the real API. It may also be the case that your type definitions are incorrect - you would need to post these also.

If it is a matter that process launch is not caught - it may be the case that Windows 7 is not using these Win32 APIs for process launch and you may need to hook lower down at the native API point.

2) Mitzi - you need to let us know the results of your tests, i.e. does this happen on Vista as well as Windows 7? Are you getting some sort of circular problem because you are hooking both Win32 and native APIs?

Mike C
djsale
Posts: 21
Joined: Wed Dec 27, 2006 4:09 pm

Post by djsale »

mikec,

It's not a stability issue. If I run the app it seems that CreateProcessA/W is not caught by the hook. I'm at the beginning of testing routines on Windows 7 and this was the first thing I mentioned... Other hooks (e.g. hooking terminate, and even winsock hooks) are working fine.

I have to do some more debugging tests to find out if the hook is caught etc...
mikec
Posts: 166
Joined: Sun Jul 16, 2006 9:01 pm
Location: UK

more info...

Post by mikec »

How do you know it is failing?

What is HookAPI returning? Does this indicate that the APIs are not getting hooked?

Are you assuming that the hook is failing because it is not catching some process launch? As I said before, Vista & Windows 7 may well use different Win32 APIs, i.e. CreateProcessAsUser, or may well go straight to the native APIs - simply not catching some process launch is not an indication that a hook is failing.

Mike C
djsale
Posts: 21
Joined: Wed Dec 27, 2006 4:09 pm

Post by djsale »

Mike,

I've done some debugging and the hook code (and also the process launch) is now caught correctly ;) Seems the error is somewhere else in my code. I'll have to do a little bit more research. Thanks for your great help so far!
djsale
Posts: 21
Joined: Wed Dec 27, 2006 4:09 pm

Post by djsale »

I also noticed the same behaviour as the original poster: the CreateProcessW hook is always fired if an app is maximized from the new taskbar (regardless of whether it's already running or not). Everything else is running fine now.
mitzi
Posts: 22
Joined: Fri Apr 04, 2008 9:53 am

Post by mitzi »

I have now tested it under Windows 7 RC1 and everything seems to be OK. So maybe it was some issue in the BETA, and yes, in Vista all works fine.
mikec
Posts: 166
Joined: Sun Jul 16, 2006 9:01 pm
Location: UK

NtCreateUserProcess

Post by mikec »

Hey mitzi...

I've just been looking back over your posts. I'm migrating a stable system, based on NtCreateProcess/Ex, over to Vista / Windows 7. I'm having really unpredictable results i.e. neither API is called.

I was wondering if you had had any success with hooking Nt/RtlCreateUserProcess? I have an initial implementation of it, but it seems to make the OS very unstable and I suspect that my prototype is incorrect. Would you be prepared to share your prototype with me?

Also, I notice that you have hooked pretty much all the Win32 CreateXXX APIs. Did you find that this was necessary on Vista / Windows 7? Was it not possible to achieve a complete solution by just hooking the native APIs?

Many thanks in advance,

Mike C
Nico Bendlin
Posts: 46
Joined: Fri Apr 28, 2006 1:17 pm

Re: NtCreateUserProcess

Post by Nico Bendlin »

mikec wrote: I have an initial implementation of it but it seems to make the OS very unstable and I suspect that my prototype is incorrect. Would you be prepared to share your prototype with me?

The prototype in the Windows Research Kernel (WRK) should be sufficient.
mikec
Posts: 166
Joined: Sun Jul 16, 2006 9:01 pm
Location: UK

thanks..

Post by mikec »

Hay Nico,

Thanks for the pointer - I wasn't aware of WRK. Lucky I have some academic affiliations :wink: but unfortunately MSDN is down for the next 48 hours.

Anyway, I finally pieced together the last part of the puzzle late last night. I'd been looking at a C++ prototype on one of the DDK-related sites as well as ReactOS and undocumented.ntinternals.net. Nothing seemed stable and the OS kept crashing. It was only when I looked at a mem dump (published on some random hacking site) that I noticed that NtCreateUserProcess has 11 parameters, not the 10 that are shown on undocumented.ntinternals.net. Dug a bit further and found a post on the Sysinternals forum that said the first parameter of NtCreateProcess(Ex) / NtCreateUserProcess was in each case a pointer to a handle. Made the necessary change and the hook now seems stable.

The problem that I have now is that I don't seem to be able to *touch* any of the parameters without destabilising the OS. Prior to calling the Next / Relay version, none of the parameters seem to have any values - I was hopeful that the ImagePath parameter would shed some light on the target process, but it seems to be empty.

Can anyone shed some light on this - again, my Delphi / Pascal is pretty basic, I'm coming at this from C++.

Many thanks in advance

Mike C
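For the question Mike raises above about reading the target image path inside an NtCreateUserProcess hook, the following is an added example, not code from the thread, from madCodeHook or from the WRK. It assumes the 11-parameter prototype published in the ReactOS and phnt headers (Microsoft does not document the call), in which the path is not a direct parameter but the ImagePathName member of the RTL_USER_PROCESS_PARAMETERS block passed as the 9th argument; it uses the public winternl.h layout of that block (only ImagePathName and CommandLine are documented) re-declared with fixed-width types so the code compiles off Windows, and a constructed parameter block as input.

```c
/* Reading ImagePathName from the ProcessParameters argument of NtCreateUserProcess
   (added example). The types are a minimal, layout-compatible subset of
   <winternl.h>; on Windows include that header instead of re-declaring them. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;   /* Windows WCHAR is 16-bit, unlike wchar_t on Linux */

typedef struct _UNICODE_STRING {
    uint16_t  Length;         /* in BYTES, and the buffer need not be NUL-terminated */
    uint16_t  MaximumLength;  /* in bytes */
    WCHAR16  *Buffer;
} UNICODE_STRING;

typedef struct _RTL_USER_PROCESS_PARAMETERS {
    uint8_t        Reserved1[16];
    void          *Reserved2[10];
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS;

/* Assumed prototype (ReactOS/phnt, undocumented): 11 parameters, the first two
   are PHANDLE out-parameters, and ProcessParameters is the 9th:
   NTSTATUS NTAPI NtCreateUserProcess(
       PHANDLE ProcessHandle, PHANDLE ThreadHandle,
       ACCESS_MASK ProcessDesiredAccess, ACCESS_MASK ThreadDesiredAccess,
       POBJECT_ATTRIBUTES ProcessObjectAttributes, POBJECT_ATTRIBUTES ThreadObjectAttributes,
       ULONG ProcessFlags, ULONG ThreadFlags,
       PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
       PPS_CREATE_INFO CreateInfo, PPS_ATTRIBUTE_LIST AttributeList); */

/* Copy a UNICODE_STRING into a NUL-terminated narrow buffer, honouring Length
   (bytes) rather than scanning for a terminator. ASCII subset only; other code
   units become '?'. Returns characters written, or -1 if the string is unusable
   (NULL buffer with non-zero length, odd byte length) or does not fit. */
int unicode_string_to_ascii(const UNICODE_STRING *us, char *out, size_t cap) {
    if (us == NULL || out == NULL || cap == 0) return -1;
    if (us->Length != 0 && us->Buffer == NULL) return -1;
    if (us->Length % sizeof(WCHAR16) != 0) return -1;
    size_t n = us->Length / sizeof(WCHAR16);      /* code units, not bytes */
    if (n + 1 > cap) return -1;
    for (size_t i = 0; i < n; i++) {
        WCHAR16 c = us->Buffer[i];
        out[i] = (c < 0x80) ? (char)c : '?';
    }
    out[n] = '\0';
    return (int)n;
}

/* What a hook would call before deciding whether to relay to the Next function. */
int image_path_from_params(const RTL_USER_PROCESS_PARAMETERS *params, char *out, size_t cap) {
    if (params == NULL) return -1;
    return unicode_string_to_ascii(&params->ImagePathName, out, cap);
}

/* Demo/test helper: a constructed parameter block whose ImagePathName buffer is
   deliberately NOT NUL-terminated (trailing "JUNK"), to show why Length matters. */
int demo_image_path(char *out, size_t cap) {
    static WCHAR16 raw[] = { 'C',':','\\','W','i','n','d','o','w','s','\\',
                             'n','o','t','e','p','a','d','.','e','x','e',
                             'J','U','N','K' };
    RTL_USER_PROCESS_PARAMETERS params;
    memset(&params, 0, sizeof params);
    params.ImagePathName.Buffer        = raw;
    params.ImagePathName.Length        = 22 * sizeof(WCHAR16);  /* bytes of path only */
    params.ImagePathName.MaximumLength = sizeof raw;
    return image_path_from_params(&params, out, cap);
}

int main(void) {
    char path[260];
    int n = demo_image_path(path, sizeof path);
    printf("image path (%d chars): %s\n", n, path);   /* C:\Windows\notepad.exe */
    return 0;
}
```

Two practical points follow from this: the parameter block belongs to the creating process and is only valid for the duration of the call, so copy what the policy needs before relaying and never hold the pointer afterwards; and a hook that treats Buffer as a C string or Length as a character count will read past the real path, which is the kind of access that destabilises the caller rather than the hook.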