Hello once again. I have been working on a project for a while now and needed to hook the creation of processes. I have this code (hook/detour):
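// Detour installed over kernel32's CreateProcessInternalW.
//
// Lets the real call run first, then (only on success) loads every DLL path
// listed in the global pubvPaths into the freshly created child process via
// CDetour::InjectDll. All parameters mirror the undocumented
// CreateProcessInternalW signature and are forwarded untouched.
//
// Returns the BOOL result of realCreateProcessInternalW; when that is FALSE no
// injection is attempted and the callee's GetLastError() value is left intact.
//
// NOTE(review): the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread
// sequence used by CDetour::InjectDll is a widely recognised pattern that
// endpoint security products commonly block; a failed injection here may be
// such a block rather than a bug, so the failure is logged and the loop goes on.
BOOL WINAPI CreateProcH::CreateProcessInternalW(HANDLE hToken,
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation,
    PHANDLE hNewToken
    )
{   // the posted listing was missing this opening brace
    // %p is the only correct specifier for pointers; %x truncates on x64.
    clogf("start %p ref: %p",
          reinterpret_cast<void*>(realCreateProcessInternalW),
          reinterpret_cast<void*>(&realCreateProcessInternalW));

    BOOL res = realCreateProcessInternalW(hToken, lpApplicationName, lpCommandLine,
                                          lpProcessAttributes, lpThreadAttributes,
                                          bInheritHandles, dwCreationFlags, lpEnvironment,
                                          lpCurrentDirectory, lpStartupInfo,
                                          lpProcessInformation, hNewToken);
    if (res == FALSE)
        return res;   // nothing was created, so there is nothing to inject into

    // NOTE(review): Sleep(100) is a timing guess, not synchronisation with the
    // child's start-up, so what follows is race-dependent; the crash reported
    // with this code may be timing-related — confirm before relying on it.
    Sleep(100);

    for (vector<wchar_t*>::iterator it = pubvPaths.begin(); it != pubvPaths.end(); ++it)
    {
        if (!CDetour::InjectDll(lpProcessInformation->hProcess, *it))
            clogf("InjectDll(lpProcessInformation->hProcess,*it) FAILED!");
        clogf("Strlen %d Injecting dll: %ls", lstrlenW(*it), *it);
    }

    // HANDLEs are pointers and the ids are DWORDs; %d was wrong for both.
    clogf("hThread: %p hProcess: %p dwThreadId: %lu dwProcessId: %lu",
          lpProcessInformation->hThread, lpProcessInformation->hProcess,
          lpProcessInformation->dwThreadId, lpProcessInformation->dwProcessId);
    return res;
}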
LOG:
[Fri Nov 30 20:22:20 2012] CreateProcH::CreateProcessInternalW reported: start 7d843e8 ref: 741285ac
[Fri Nov 30 20:22:20 2012] CreateProcH::CreateProcessInternalW reported: Strlen 103 Injecting dll: C:/Users/JEAN/SplitPLayGUI-build-desktop-Qt_4_8_1_for_Desktop_-_MSVC2010__Qt_SDK__Debug/CreateProcH.dll
[Fri Nov 30 20:22:20 2012] CreateProcH::CreateProcessInternalW reported: hThread: 5360 hProcess: 5376 dwThreadId: 8376 dwProcessId: 1388
but the process either fails to be created or crashes; I am not sure what is wrong.
So I commented out
if(!CDetour::InjectDll(lpProcessInformation->hProcess,*it))
clogf("InjectDll(lpProcessInformation->hProcess,*it) FAILED!");
and everything logged the same way, but the process was actually created and ran. Here is CDetour::InjectDll:
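// Loads pwstrDll into the process identified by hProcess by starting a remote
// thread whose entry point is LoadLibraryW and whose argument is a copy of the
// path written into the target's address space.
//
// hProcess must carry the rights the calls below need (PROCESS_VM_OPERATION,
// PROCESS_VM_WRITE, PROCESS_CREATE_THREAD); the handle CreateProcess hands back
// does. pwstrDll is a NUL-terminated wide path.
//
// Returns true once the remote thread has been created. It does NOT wait for
// LoadLibraryW to run, so true does not prove the DLL actually loaded.
// Every failure path logs GetLastError() via clogf and returns false.
//
// NOTE(review): the LoadLibraryW address is resolved in *this* process and
// assumed to be valid in the target, which only holds for a same-bitness child
// — confirm; a WOW64/x64 mismatch would fault inside the remote thread.
// NOTE(review): this VirtualAllocEx/WriteProcessMemory/CreateRemoteThread
// sequence is a well-known pattern that security products flag; a false return
// with ERROR_ACCESS_DENIED may be a block rather than a defect.
bool CDetour::InjectDll(HANDLE hProcess, wchar_t * pwstrDll)
{
    if (!hProcess || !pwstrDll)
        return false;

    LPVOID LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");
    if (!LoadLibAddy)
    {
        clogf("GetProcAddress(GetModuleHandle(L\"kernel32.dll\"), \"LoadLibraryW\") FAILED WITH %d!", GetLastError());
        return false;
    }

    // Byte count of the path including its terminator. The original hard-coded
    // "*2+2", which is the same value but hides that 2 means sizeof(wchar_t).
    const size_t cbPath = (lstrlenW(pwstrDll) + 1) * sizeof(wchar_t);

    LPVOID RemoteString = VirtualAllocEx(hProcess, NULL, cbPath, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!RemoteString)
    {
        clogf("VirtualAllocEx(hProcess, NULL, lstrlenW(pwstrDll)+2, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); FAILED WITH %d!", GetLastError());
        return false;
    }

    if (WriteProcessMemory(hProcess, RemoteString, pwstrDll, cbPath, NULL) == 0)
    {
        clogf("WriteProcessMemory(hProcess, (LPVOID)RemoteString, pwstrDll,lstrlenW(pwstrDll)+2, NULL) FAILED WITH %d!", GetLastError());
        // The original leaked the remote allocation on this path.
        VirtualFreeEx(hProcess, RemoteString, 0, MEM_RELEASE);
        return false;
    }

    // Thread creation flags / stack size are DWORD / SIZE_T, so pass 0 rather
    // than the pointer constant NULL.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, RemoteString, 0, NULL);
    if (hThread == NULL)
    {
        clogf("CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL) FAILED WITH %d!", GetLastError());
        VirtualFreeEx(hProcess, RemoteString, 0, MEM_RELEASE);
        return false;
    }

    // RemoteString is read asynchronously by the remote thread, so it is
    // deliberately left allocated. Our own handle to that thread, however, is
    // not needed any further; the original never closed it (handle leak per call).
    CloseHandle(hThread);
    return true;
}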
I hope someone else can figure it out; thanks in advance.