I'm here at the Microsoft PDC in Los Angeles and just attended a session on the Least User Access security model in Vista. Even if you log in as Admin, your programs will run with "Standard" privileges (non-Admin) by default. So most all of any user's programs will be running in standard (aka Limited) privilege level.
They also are implementing a policy that they don't allow a process to inject a DLL into a process with a higher privilege level. So if you use madCodeHook in a process running at Standard level (the default), then you won't be able to inject your DLL into a process running at Admin levels. I'm guessing this will disable system-wide hooks. For me, most of the processes I'm interested in injecting are Standard level, so my Standard level injector process will still work. But it perhaps won't work for some of your usage.
If you want me to ask the Vista Security team any questions, they will be available tomorrow, so reply here and let me know.
Thanks,
David
http://www.dcsoft.com
MadCodeHook and Microsoft Vista
You could ask them whether CreateRemoteThread still works for all processes, if being called from inside a service process (running under the local system account). I guess it will. And in that case there's no problem for madCodeHook, because already right now the recommended approach to support non-admin user accounts is to use a service which then does the InjectLibrary stuff.
Thanks!
Yes, they said services are executing at Admin privilege, so the fallback is to create a service.
However, my app calls InjectLibrary() and works properly in a limited user account, without creating a service. So creating a service is not now required for me, and it does seem it would be in Vista.
Thanks,
David
I use only InjectLibrary(<specific process>), not your special flags, for which Admin privilege is NOT needed.
Now with Vista, I need to create a service if <specific process> is running with Admin privilege, because my injector app will most likely be running with Limited (standard) privilege.
Thanks,
David
Ah, yes. Injecting into one specific process is a different thing. But can a limited user account really inject into an admin process right now? I'd say no. But I'm not sure. I know for a fact that a limited user account can not inject into a service - except if it has a valid handle to that service.