A forum for reverse engineering, OS internals and malware analysis 

 #16568  by Mut4nt
 Sun Nov 11, 2012 5:13 pm
kmd wrote:its good doing something mutant, thanks..

but how to say... no offense... if it were posted 10-12 years ago then something like it would be worth.. somehow. But in 2012 year post about inline hook?
Well as we know on Windows NT there is no callback function ( From user mode ) to do this task
thats not true, see above posts..
In this function, we simply call the stub which contains the original 5 bytes from the hooked function
this lame man, what if there hook like this?

ff25 xxxx

then you execute half of instuction and jump over in trash. You need at least length disassembler.
Yes, of course, not a motor is only one POC, use this method only for show, But I think everyone expected an engine :D

I have another method which can monitoring all processes from user mode, so I will post it.
 #16792  by Mut4nt
 Fri Nov 23, 2012 10:15 pm
The another one is hook up the CsrCreateProcess from windows Subsystem ( The most of us we know it maintains a structure with information pe each process running on the user account )

On Windows 8, it's created the most in usermode ( on XP from kernel mode ) by the way.
 #16830  by Mut4nt
 Sat Nov 24, 2012 9:03 pm
EP_X0FF wrote:
Mut4nt wrote:On Windows 8, it's created the most in usermode ( on XP from kernel mode ) by the way.
Who?
Nervermind, sorry I'm talking about some function from windows subsystem.
 #16831  by EP_X0FF
 Sun Nov 25, 2012 2:45 am
You mean process creation? If yes then you are completely wrong. If you speak about Csr* client-server win32 subsystem, then you again wrong, Csr* win32 subsystem is pure usermode based on LPC/ALPC communications. So basically I'm interested only in which part you are wrong or in both altogether. In NT 5.x most of "Create Process" routines located in kernel32, in NT6.x huge amount of them moved into kernel mode as NtCreateUserProcess. The only things left in user mode for NT6.x are: basic loader features such as SxS, AppCompat, filename conversion, environment block creation, post-Crs notification via CsrClientCallServer and primary thread resume. Section from file, process object, initial thread object creation + contex initialization all moved to kernel mode. How it works in NT 5.x see here.
On Windows 8, it's created the most in usermode ( on XP from kernel mode ) by the way.
So, no it is not. Maybe instead of posting totally incorrect statement you first become familiar with the basic material? :)
 #16839  by kmd
 Mon Nov 26, 2012 4:50 am
Mut4nt wrote:The another one is hook up the CsrCreateProcess from windows Subsystem ( The most of us we know it maintains a structure with information pe each process running on the user account )

On Windows 8, it's created the most in usermode ( on XP from kernel mode ) by the way.
how about stop lame hooking? :mrgreen:
some more reliable solution?
 #16873  by Mut4nt
 Tue Nov 27, 2012 8:09 pm
kmd wrote:
Mut4nt wrote:The another one is hook up the CsrCreateProcess from windows Subsystem ( The most of us we know it maintains a structure with information pe each process running on the user account )

how about stop lame hooking? :mrgreen:
some more reliable solution?
sure, this one: Process thread creation notification :mrgreen:
 #28914  by evelyette
 Wed Jul 20, 2016 5:48 pm
I realize this is an old thread, but I've been experimenting with AppCertDlls technique on Windows 7 and Windows 10 and while the DLL library is injected into some processes, it isn't injected into others.

The library is injected into session 0 processes like the following:

- svchost.exe: only one of these service processes through.

The library is NOT injected into session 1 processes like the following:

- WinDbg
- ImmDbg
- Microsoft Edge

The code implementing this is in the CreateProcessInternalW function (a call to BasepIsProcessAllowed) at https://svn.reactos.org/svn/reactos/tru ... iew=markup.

I'm interested what the rule is in which processes the library gets injected and in which it doesn't. Why isn't it injected in the Microsoft Edge, it's a standard Windows program/process?

Thank you for all the help and comments.
 #28917  by EP_X0FF
 Thu Jul 21, 2016 5:34 am
AFAIR integrity level also taken into account. Probably your debugger running on High IL and Egde is AppContainer. Unfortunately this legacy method has too many restrictions and mostly unreliable.