
Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Sun Nov 11, 2012 5:13 pm
by Mut4nt
kmd wrote: It's good that you're doing something, Mut4nt, thanks.

But how to say... no offense... if it had been posted 10-12 years ago then something like it would have been worth something, somehow. But in 2012, a post about inline hooks?

Well as we know on Windows NT there is no callback function (from user mode) to do this task

That's not true, see the posts above.

In this function, we simply call the stub which contains the original 5 bytes from the hooked function

This is lame, man, what if there's a hook like this?

ff25 xxxx

Then you execute half an instruction and jump off into trash. You need at least a length disassembler.

Yes, of course, it's not an engine, it's only one POC, use this method only for show. But I think everyone expected an engine :D

I have another method which can monitor all processes from user mode, so I will post it.
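
kmd's objection above (a blind 5-byte copy cutting an `ff 25` import thunk in half) is exactly what a length disassembler is for. The following C is an added example, not code from this thread or from Mut4nt's POC: a small x86-32 length decoder covering the opcodes typically found at Win32 API entry points, plus a planner that walks whole instructions until at least the 5 bytes a JMP rel32 hook overwrites are covered, and refuses when it meets an opcode it does not know or a relative branch that cannot be copied verbatim into a trampoline. The opcode subset, the byte samples and the function names are my own choices for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal x86-32 length decoder for opcodes that commonly open Win32 API
 * functions (hot-patch prologue, push/mov/sub esp, jmp/call, import thunks).
 * Anything else returns 0 so the caller refuses to hook instead of guessing.
 * Deliberately not handled: 0x66 operand-size prefix and the 0x0F opcode map. */

static size_t modrm_len(const uint8_t *p, size_t avail)
{
    if (avail < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t n = 1;
    if (mod == 3) return n;                       /* register operand */
    if (rm == 4) {                                /* SIB byte follows */
        if (avail < 2) return 0;
        n++;
        if (mod == 0 && (p[1] & 7) == 5) n += 4;  /* [index*scale + disp32] */
    } else if (mod == 0 && rm == 5) {
        n += 4;                                   /* [disp32] absolute */
    }
    if (mod == 1) n += 1;                         /* disp8 */
    else if (mod == 2) n += 4;                    /* disp32 */
    return n;
}

size_t x86_insn_len(const uint8_t *p, size_t avail)
{
    if (avail == 0) return 0;
    uint8_t op = p[0];
    size_t n = 0, m;

    if (op == 0x64) {                             /* fs: prefix, e.g. mov eax,fs:[18h] */
        m = x86_insn_len(p + 1, avail - 1);
        return m ? m + 1 : 0;
    }
    if (op >= 0x50 && op <= 0x5F) n = 1;          /* push/pop r32 */
    else if (op >= 0xB8 && op <= 0xBF) n = 5;     /* mov r32, imm32 */
    else switch (op) {
    case 0x90: case 0xC3: case 0xCC: n = 1; break;            /* nop, ret, int3 */
    case 0x6A: case 0xEB: n = 2; break;                       /* push imm8, jmp rel8 */
    case 0xC2: n = 3; break;                                  /* ret imm16 */
    case 0x68: case 0xA1: case 0xE8: case 0xE9: n = 5; break; /* push imm32, mov eax,[moffs32], call/jmp rel32 */
    case 0x31: case 0x33: case 0x89: case 0x8B: case 0x8D: case 0xFF: /* xor/mov/lea, jmp/call/push r/m32 */
        m = modrm_len(p + 1, avail - 1);
        n = m ? 1 + m : 0;
        break;
    case 0x83:                                                /* add/sub/cmp r/m32, imm8 */
        m = modrm_len(p + 1, avail - 1);
        n = m ? 2 + m : 0;
        break;
    case 0x81:                                                /* add/sub/cmp r/m32, imm32 */
        m = modrm_len(p + 1, avail - 1);
        n = m ? 5 + m : 0;
        break;
    default: n = 0;
    }
    return n <= avail ? n : 0;                    /* truncated buffer: refuse */
}

#define HOOK_JMP_LEN 5   /* E9 rel32 written over the function entry */

typedef enum { HOOK_OK, HOOK_UNKNOWN_OPCODE, HOOK_RELATIVE_BRANCH } hook_status;

/* Walks whole instructions until at least HOOK_JMP_LEN bytes are covered.
 * *stolen is what the trampoline must copy; it can legitimately exceed 5. */
hook_status plan_stolen_bytes(const uint8_t *code, size_t avail, size_t *stolen)
{
    size_t off = 0;
    while (off < HOOK_JMP_LEN) {
        size_t len = x86_insn_len(code + off, avail - off);
        if (len == 0) return HOOK_UNKNOWN_OPCODE;
        uint8_t op = code[off];
        /* E8/E9/EB are relative to their own address: copied verbatim into a
         * trampoline they land elsewhere, so they need a fix-up, not a copy. */
        if (op == 0xE8 || op == 0xE9 || op == 0xEB) return HOOK_RELATIVE_BRANCH;
        off += len;
    }
    *stolen = off;
    return HOOK_OK;
}

/* 1 when a blind 5-byte copy would cut the last stolen instruction in half. */
int naive_copy_splits_insn(const uint8_t *code, size_t avail)
{
    size_t stolen = 0;
    return plan_stolen_bytes(code, avail, &stolen) == HOOK_OK && stolen > HOOK_JMP_LEN;
}

int main(void)
{
    /* Constructed sample prologues for illustration, not bytes from any real binary. */
    const uint8_t hotpatch[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 }; /* mov edi,edi; push ebp; mov ebp,esp; sub esp,10h */
    const uint8_t thunk[]    = { 0xFF, 0x25, 0x78, 0x56, 0x34, 0x12, 0xCC, 0xCC }; /* jmp dword ptr [12345678h]; int3; int3 */
    const uint8_t hooked[]   = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x90, 0x90, 0x90 }; /* jmp rel32 already at entry */
    struct { const char *name; const uint8_t *code; size_t len; } cases[] = {
        { "hotpatch", hotpatch, sizeof hotpatch },
        { "thunk",    thunk,    sizeof thunk },
        { "hooked",   hooked,   sizeof hooked },
    };
    for (size_t i = 0; i < 3; i++) {
        size_t stolen = 0;
        hook_status st = plan_stolen_bytes(cases[i].code, cases[i].len, &stolen);
        printf("%-8s status=%d stolen=%zu naive-split=%d\n", cases[i].name, (int)st, stolen,
               naive_copy_splits_insn(cases[i].code, cases[i].len));
    }
    return 0;
}
```

For the `ff 25` thunk the planner reports 6 stolen bytes, so the trampoline must copy six and jump back to original+6; a hook that copies exactly five leaves `ff 25 xx xx xx` followed by the trampoline's own JMP, which is the garbage jump kmd describes. Because `0x66` and the `0x0F` map are not decoded, anything starting with them is refused rather than mis-sized, which is the safe failure mode; a hook engine meant for real use needs a complete length disassembler and relative-branch relocation.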

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Thu Nov 22, 2012 8:59 pm
by R00tKit
He he he.
WMI fun, system-wide callback:
http://weblogs.asp.net/whaggard/archive ... 38006.aspx

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Fri Nov 23, 2012 10:15 pm
by Mut4nt
Another one is to hook CsrCreateProcess from the Windows subsystem (most of us know it maintains a structure with information on each process running on the user account).

On Windows 8, it's created mostly in user mode (on XP from kernel mode), by the way.

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Sat Nov 24, 2012 2:48 am
by EP_X0FF
Mut4nt wrote: On Windows 8, it's created mostly in user mode (on XP from kernel mode), by the way.

Who?

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Sat Nov 24, 2012 9:03 pm
by Mut4nt
EP_X0FF wrote:
Mut4nt wrote: On Windows 8, it's created mostly in user mode (on XP from kernel mode), by the way.
Who?

Never mind, sorry, I'm talking about some function from the Windows subsystem.

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Sun Nov 25, 2012 2:45 am
by EP_X0FF
You mean process creation? If yes, then you are completely wrong. If you speak about the Csr* client-server Win32 subsystem, then you are again wrong: the Csr* Win32 subsystem is pure user mode, based on LPC/ALPC communication. So basically I'm interested only in which part you are wrong about, or whether it is both altogether. In NT 5.x most of the "Create Process" routines are located in kernel32; in NT 6.x a huge amount of them moved into kernel mode as NtCreateUserProcess. The only things left in user mode for NT 6.x are: basic loader features such as SxS, AppCompat, filename conversion, environment block creation, post-creation Csr notification via CsrClientCallServer, and primary thread resume. Section-from-file, process object and initial thread object creation, plus context initialization, all moved to kernel mode. How it works in NT 5.x, see here.

On Windows 8, it's created mostly in user mode (on XP from kernel mode), by the way.

So no, it is not. Maybe instead of posting a totally incorrect statement you should first become familiar with the basic material? :)

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Mon Nov 26, 2012 4:50 am
by kmd
Mut4nt wrote: Another one is to hook CsrCreateProcess from the Windows subsystem (most of us know it maintains a structure with information on each process running on the user account).

On Windows 8, it's created mostly in user mode (on XP from kernel mode), by the way.

How about stopping the lame hooking? :mrgreen:
Some more reliable solution?

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Tue Nov 27, 2012 8:09 pm
by Mut4nt
kmd wrote:
Mut4nt wrote: Another one is to hook CsrCreateProcess from the Windows subsystem (most of us know it maintains a structure with information on each process running on the user account).

How about stopping the lame hooking? :mrgreen:
Some more reliable solution?

Sure, this one: Process thread creation notification :mrgreen:

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Wed Jul 20, 2016 5:48 pm
by evelyette
I realize this is an old thread, but I've been experimenting with the AppCertDlls technique on Windows 7 and Windows 10, and while the DLL library is injected into some processes, it isn't injected into others.

The library is injected into session 0 processes like the following:

- svchost.exe: only one of these service processes, though.

The library is NOT injected into session 1 processes like the following:

- WinDbg
- ImmDbg
- Microsoft Edge

The code implementing this is in the CreateProcessInternalW function (a call to BasepIsProcessAllowed) at https://svn.reactos.org/svn/reactos/tru ... iew=markup.

I'm interested in what the rule is for which processes the library gets injected into and which it doesn't. Why isn't it injected into Microsoft Edge? It's a standard Windows program/process.

Thank you for all the help and comments.

Re: Monitoring Processes on Windows NT from Usermode (x86 &

Posted: Thu Jul 21, 2016 5:34 am
by EP_X0FF
AFAIR the integrity level is also taken into account. Probably your debugger is running at High IL and Edge is an AppContainer. Unfortunately this legacy method has too many restrictions and is mostly unreliable.