MadCodeHook and Microsoft Vista

c++ / delphi package - dll injection and api hooking
dcsoft
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

MadCodeHook and Microsoft Vista

Post by dcsoft »

I'm here at the Microsoft PDC in Los Angeles and just attended a session on the Least User Access security model in Vista. Even if you log in as Admin, your programs will run with "Standard" privileges (non-Admin) by default. So almost all of any user's programs will be running at the standard (aka Limited) privilege level.

They also are implementing a policy that they don't allow a process to inject a DLL into a process with a higher privilege level. So if you use madCodeHook in a process running at Standard level (the default), then you won't be able to inject your DLL into a process running at Admin levels. I'm guessing this will disable system-wide hooks. For me, most of the processes I'm interested in injecting are Standard level, so my Standard level injector process will still work. But it perhaps won't work for some of your usage.

If you want me to ask the Vista Security team any questions, they will be available tomorrow, so reply here and let me know.

Thanks,
David
http://www.dcsoft.com
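The "Standard" versus "Admin" split described in the post is what Vista ships as Mandatory Integrity Control: every token carries an integrity label SID (Low S-1-16-4096, Medium S-1-16-8192, High S-1-16-12288, System S-1-16-16384), and a process may not open a process of a higher label for write or thread-creation access, which is exactly what a cross-process injection needs. The script below is an added example, not code from the thread or from madCodeHook; it reports the elevation state and integrity level of the PowerShell process it runs in, so a developer (or an administrator auditing which components are entitled to inject) can see which side of that boundary a given process sits on. It assumes only the built-in `whoami` tool and the .NET `WindowsPrincipal` class, both present from Vista onward.

```powershell
# Added example (not from the thread or from madCodeHook): report the
# elevation state and integrity level of the current PowerShell process.
# Mapping of integrity label RIDs to names is the documented Vista set.

function Get-ProcessTrustInfo {
    # Elevation: a non-elevated admin has the Administrators group marked
    # deny-only in the filtered token, so IsInRole() returns $false for it.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Integrity level: "whoami /groups" lists the mandatory label SID
    # (S-1-16-<rid>) alongside the ordinary group SIDs.
    $labels = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
    $rid = $null
    foreach ($line in (whoami /groups)) {
        if ($line -match 'S-1-16-(\d+)') {
            $rid = [int]$Matches[1]
            break
        }
    }
    $levelName = if ($rid -ne $null -and $labels.ContainsKey($rid)) { $labels[$rid] } else { 'Unknown' }

    [pscustomobject]@{
        User           = $identity.Name
        Elevated       = $elevated
        IntegrityRID   = $rid
        IntegrityLevel = $levelName
    }
}

# Usage: run in the shell whose token you want to inspect. A standard user or
# a non-elevated admin shows Medium / Elevated=False; an elevated shell shows
# High / Elevated=True; a service under LocalSystem would report System.
Get-ProcessTrustInfo
```

Reading the result against the thread: a Medium process can only inject into other Medium (or Low) processes, which is why a per-process `InjectLibrary` from a normal user session keeps working for ordinary applications but fails against elevated ones, and why the fallback is a service running at System. From a defender's side the same check is useful in reverse: a service that performs injection on behalf of lower-integrity clients is a privilege boundary, and the set of callers it accepts (and the handles it hands out) deserves the same review as any other elevated component.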
madshi
Site Admin
Posts: 10766
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You could ask them whether CreateRemoteThread still works for all processes, if being called from inside a service process (running under the local system account). I guess it will. And in that case there's no problem for madCodeHook, because already right now the recommended approach to support non-admin user accounts is to use a service which then does the InjectLibrary stuff.

Thanks!

Post by dcsoft »

Yes, they said services are executing at Admin privilege, so the fallback is to create a service.

However, my app calls InjectLibrary() and works properly in a limited user account, without creating a service. So creating a service is not now required for me, and it does seem it would be in Vista.

Thanks,
David

Post by madshi »

dcsoft wrote:
> However, my app calls InjectLibrary() and works properly in a limited user account, without creating a service.

I don't know why that works for you, it certainly doesn't work for me!

:shock:

Post by dcsoft »

I use only InjectLibrary(<specific process>), not your special flags, for which Admin privilege is NOT needed.

Now with Vista, I need to create a service if <specific process> is running with Admin privilege, because my injector app will most likely be running with Limited (standard) privilege.

Thanks,
David

Post by madshi »

Ah, yes. Injecting into one specific process is a different thing. But can a limited user account really inject into an admin process right now? I'd say no. But I'm not sure. I know for a fact that a limited user account cannot inject into a service, except if it has a valid handle to that service.