CreateProcessAsUserW cannot be hooked under Windows 10 or Windows 11, but Windows Server 2019 works well #328

Open
elvis-sun opened this issue Nov 19, 2024 · 3 comments
Labels: bug (Something isn't working)

Comments

elvis-sun commented Nov 19, 2024

My code is as follows:

#include <windows.h>
#include <detours.h>

// Original-function pointers; after DetourAttach they point at the Detours trampolines.
static decltype(&CreateProcessAsUserW) OriginalCreateProcessAsUserW = nullptr;
static decltype(&CreateProcessW)       OriginalCreateProcessW       = nullptr;
// HookedCreateProcessW (same signature as CreateProcessW) and the wide, printf-style
// LOG_INFO / LOG_ERROR macros are defined elsewhere in the DLL.
BOOL WINAPI HookedCreateProcessW(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES,
                                 BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION);

BOOL WINAPI HookedCreateProcessAsUserW(
    HANDLE hToken,
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
) {
    // Log the call, then pass everything through to the trampoline. %ls is used for every
    // wide argument; lpStartupInfo must be non-NULL per the API contract, lpDesktop may be NULL.
    LOG_INFO(L"===sunlei22===CreateProcessAsUserW is called with application: %ls, commandline: %ls, currentdirectory: %ls, desktop: %ls\n",
             lpApplicationName, lpCommandLine, lpCurrentDirectory, lpStartupInfo->lpDesktop);

    return OriginalCreateProcessAsUserW(
        hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
        bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation
    );
}

bool ProcessAttach()
{
    // Taking the address of the imported symbol binds to whichever module's export the
    // import library resolved (kernel32.dll for the default CreateProcessAsUserW import).
    OriginalCreateProcessAsUserW = CreateProcessAsUserW;
    OriginalCreateProcessW = CreateProcessW;

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourSetIgnoreTooSmall(TRUE);

    LONG ret = NO_ERROR;
    do
    {
        ret = DetourAttach(&(PVOID&)OriginalCreateProcessAsUserW, HookedCreateProcessAsUserW);
        if (ret != NO_ERROR)
        {
            LOG_ERROR(L"DetourAttach for CreateProcessAsUserW failed, error %ld\n", ret);
            break;
        }
        ret = DetourAttach(&(PVOID&)OriginalCreateProcessW, HookedCreateProcessW);
        if (ret != NO_ERROR)
        {
            LOG_ERROR(L"DetourAttach for CreateProcessW failed, error %ld\n", ret);
            break;
        }
    } while (false);

    if (ret != NO_ERROR)
    {
        // Nothing has been patched yet; discard the transaction rather than committing a partial one.
        DetourTransactionAbort();
        LOG_ERROR(L"DetourAttach failed\n");
        return false;
    }

    PVOID* ppbFailedPointer = NULL;
    LONG error = DetourTransactionCommitEx(&ppbFailedPointer);
    if (error != NO_ERROR)
    {
        // ppbFailedPointer may be NULL when Detours cannot identify the failing detour; do not dereference it blindly.
        LOG_ERROR(L"DetourTransactionCommitEx failed, error %ld (%p/%p)\n", error,
                  ppbFailedPointer, ppbFailedPointer ? *ppbFailedPointer : NULL);
        return false;
    }

    // Success is only known after the commit. (The original returned the LONG error code as bool,
    // which yields false on success and true on failure.)
    LOG_INFO(L"DetourAttach successfully\n");
    return true;
}

CreateProcessW can be hooked, but hooking CreateProcessAsUserW does not work.

Has anyone encountered the same problem?
Look forward to your reply.

RatinCN commented Nov 22, 2024

Check the call stack. I guess you hooked kernel32.dll!CreateProcessAsUserWStub (resolved by something like LoadLibrary("kernel32.dll") + GetProcAddress(..., "CreateProcessAsUserW")), but the program ran into another stub, such as advapi32.dll!CreateProcessAsUserWStub, for example:

The program ran into advapi32.dll!CreateProcessAsUserWStub: [screenshot]

And Detours hooked kernel32.dll!CreateProcessAsUserWStub: [screenshot]

If you are in this scenario, this is not a bug. Resolving CreateProcessAsUserW from KernelBase.dll instead of kernel32.dll should be fine, because those stubs are forwarded to KernelBase.dll!CreateProcessAsUserW: [screenshot]

I'm not an MS official member; I just maintain a fork, KNSoft.SlimDetours, and keep an eye on upstream, so my answer is not official either, but I hope it helps.

Ratin Gao

elvis-sun (Author) commented:
As you mentioned above, the call stack is CreateProcessAsUserWStub (advapi32.dll) -> CreateProcessAsUserW (KernelBase.dll).
I modified my code to get the API address from KernelBase.dll instead of advapi32.dll/kernel32.dll.

I wrote a demo that calls the API CreateProcessAsUserW, then injected the DLL into the demo. In that situation, CreateProcessAsUserW can be hooked normally.
But when I inject the DLL into explorer.exe or sihost.exe, the hook does not work.

elvis-sun reopened this Dec 3, 2024

wineggdrop commented:
C:\Windows\System32\KERNEL32.DLL -> CreateProcessAsUserW
C:\Windows\System32\KERNELBASE.dll -> CreateProcessAsUserW
C:\Windows\System32\advapi32.dll -> CreateProcessAsUserW

CreateProcessAsUserW could be in all 3 of them; you may need to hook all 3.
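Before deciding which export to detour, it helps to see with your own eyes what RatinCN's screenshots and wineggdrop's list describe: the same name resolves to a different address in each of the three modules, and the kernel32/advapi32 stubs land in KernelBase. The diagnostic below is an added example, not code from the issue or from the Detours project. It runs inside the PowerShell process itself and assumes 64-bit PowerShell and that a stub is an x64 `jmp qword ptr [rip+disp32]` (opcode `FF 25`); any other first instruction is reported as-is for inspection in a debugger rather than guessed at.

```powershell
# Added diagnostic (not from the issue or the Detours project): resolve CreateProcessAsUserW
# from kernel32, advapi32 and kernelbase in this process and report where each export lands.
# Assumptions: 64-bit PowerShell; a stub is "FF 25 disp32" (jmp qword ptr [rip+disp32]).

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryW(string lpLibFileName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

# Map an address back to "module+offset" using the loaded-module list of this process.
function Get-ModuleForAddress {
    param([IntPtr]$Address)
    $a = $Address.ToInt64()
    foreach ($m in [System.Diagnostics.Process]::GetCurrentProcess().Modules) {
        $base = $m.BaseAddress.ToInt64()
        if ($a -ge $base -and $a -lt ($base + $m.ModuleMemorySize)) {
            return ('{0}+0x{1:X}' -f $m.ModuleName, ($a - $base))
        }
    }
    return 'unknown'
}

# Follow a chain of "FF 25 disp32" indirect jumps (the shape the stubs in the thread have)
# through their IAT slots until the code reached is not such a jump.
function Resolve-JmpStub {
    param([IntPtr]$Address, [int]$MaxHops = 4)
    $cur = $Address
    for ($i = 0; $i -lt $MaxHops; $i++) {
        $b0 = [System.Runtime.InteropServices.Marshal]::ReadByte($cur, 0)
        $b1 = [System.Runtime.InteropServices.Marshal]::ReadByte($cur, 1)
        if ($b0 -ne 0xFF -or $b1 -ne 0x25) { break }
        $disp = [System.Runtime.InteropServices.Marshal]::ReadInt32($cur, 2)
        # RIP-relative: the slot address is the next instruction (6 bytes on) plus disp32.
        $slot = [IntPtr]($cur.ToInt64() + 6 + $disp)
        # The slot holds the pointer the stub jumps through (its import entry).
        $cur = [System.Runtime.InteropServices.Marshal]::ReadIntPtr($slot)
    }
    return $cur
}

$name = 'CreateProcessAsUserW'
foreach ($dll in 'kernel32.dll', 'advapi32.dll', 'kernelbase.dll') {
    $h = [Win32.Native]::GetModuleHandleW($dll)
    if ($h -eq [IntPtr]::Zero) { $h = [Win32.Native]::LoadLibraryW($dll) }
    $export = [Win32.Native]::GetProcAddress($h, $name)
    if ($export -eq [IntPtr]::Zero) { '{0,-15} does not export {1}' -f $dll, $name; continue }
    $final = Resolve-JmpStub $export
    '{0,-15} export 0x{1:X} ({2}) -> lands at 0x{3:X} ({4})' -f $dll, $export.ToInt64(),
        (Get-ModuleForAddress $export), $final.ToInt64(), (Get-ModuleForAddress $final)
}
```

Two things to keep in mind when reading the output. GetProcAddress already follows export-table forwarders, so an address it returns is in whichever module actually holds code; the `FF 25` walk is only needed for stubs, which are real instructions. And a Detours hook placed on one of the stubs only sees callers that reach that stub, which is the situation the screenshots show: the hook on the kernel32 stub, the caller on the advapi32 one. Hooking the address that all three paths land on (the KernelBase export) or, as wineggdrop suggests, all three addresses, covers every caller in the process; which of those you need depends on the target, and this script run inside the target process (or the same check in a debugger) tells you.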
