
I'm trying to hook process creation and receive a 'notification' in my hook procedure when the user opens any new process. To hook only one function, I'm trying to do this in CsrCreateProcess in csrss.exe. But every time I inject a DLL into this process I get a BSOD (blue screen). My injection code is:

function Inject(DLL: PAnsiChar; ProcessID: Cardinal): Boolean;
var
  lProcess: THandle;
  lMem:     Pointer;
  lLibrary: Pointer;
  Bytes:    NativeUInt;
  lThread:  DWORD;
  RemoteThread: THandle;
begin
  Result := False;
  if FileExists(DLL) then  { If the DLL path is valid }
  begin
    lProcess := OpenProcess(PROCESS_ALL_ACCESS, False, ProcessID); { Open the target process }
    if lProcess <> 0 then  { If the process was opened }
    begin
      { Reserve space in the target for the DLL path, including its terminating zero }
      lMem := VirtualAllocEx(lProcess, nil, Length(DLL) + 1, MEM_COMMIT, PAGE_READWRITE);
      if Assigned(lMem) then
      begin
        { LoadLibraryA is used as the remote thread's entry point; the address read here is
          only meaningful in the target when injector and target have the same bitness }
        lLibrary := GetProcAddress(GetModuleHandle('kernel32'), 'LoadLibraryA');
        { Write the path into the space reserved with VirtualAllocEx }
        if WriteProcessMemory(lProcess, lMem, Pointer(DLL), Length(DLL) + 1, Bytes) then
        begin
          RemoteThread := CreateRemoteThread(lProcess, nil, 0, lLibrary, lMem, 0, lThread); { Run LoadLibraryA(path) in the target }
          if RemoteThread <> 0 then
          begin
            WaitForSingleObject(RemoteThread, INFINITE); { Wait for the LoadLibraryA thread to finish }
            CloseHandle(RemoteThread); { Close the thread handle }
            Result := True;
          end;
        end;
        VirtualFreeEx(lProcess, lMem, 0, MEM_RELEASE); { Release the path buffer in the target }
      end;
      CloseHandle(lProcess); { Close the process handle }
    end;
  end;
end;

And my DLL code is:

library HookDll;  { placeholder library name; the question shows only the library body }

uses
  Windows;

procedure DLLMain(dwReason: DWORD);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
    begin
      { Note: this MessageBoxA call runs inside DllMain, i.e. under the loader lock }
      MessageBoxA(0, 'Injected', 'Injected', MB_OK);
      //@TrampolineCreateProcess := InterceptCreate(@CsrCreateProcess, @HookCsrCreateProcess);
    end;
  end;
end;

begin
  DLLProc := @DLLMain;
  DLLMain(DLL_PROCESS_ATTACH);  { DLLProc is not invoked for the initial attach, so call it here }
end.

Is it a bad idea to try to hook this function in csrss? I'm starting to think about injecting into explorer.exe and hooking NtCreateSection; this should solve my problem, right? Another quick question: is it possible to inject an x64 DLL into an x64 process with an x86 executable?

user3810691
  • It's almost certainly a bad idea to mess with csrss.exe. Why don't you just [use WMI](http://stackoverflow.com/q/3556048/33732)? – Rob Kennedy Jul 07 '14 at 01:22
  • Because the main point of this project is to learn about hooking. And because WMI needs a while/sleep loop (which is not what I want to use). Anyway, thanks for the tip... – user3810691 Jul 07 '14 at 01:44
  • If you want to learn about hooking, pick an easier target. – David Heffernan Jul 07 '14 at 06:11
  • *Is possible to inject a x64 DLL inside a x64 process, with a x86 executable?* Not using `CreateRemoteThread`. Is your injector process 32 bit? – David Heffernan Jul 07 '14 at 08:12
  • @DavidHeffernan _"If you want to learn about hooking, pick an easier target."_ What would you recommend? – Nicholas Ring Jul 07 '14 at 08:50
  • @NicholasRing Almost anything other than a high integrity critical system process. I'd write my own simple app and inject into that. Then when it goes wrong I don't blue screen! – David Heffernan Jul 07 '14 at 08:56
  • OK. Thanks for the answers... @DavidHeffernan my injector is 32-bit; I can compile it as 64-bit and it works. But I want to use only 32-bit for both executables, changing only the DLL. Is that possible? – user3810691 Jul 07 '14 at 12:31
  • I don't understand that question. There are lots of components involved here. Be precise about the bitness of all parts (injector process, injected DLL and target process). – David Heffernan Jul 07 '14 at 12:34
  • Injector: 32-bit, DLL: 64-bit, target process: 64-bit. When I try to inject this way, it just doesn't work. – user3810691 Jul 07 '14 at 13:22

2 Answers


In the comments you state that you are trying to inject a 64 bit DLL into a 64 bit target process from a 32 bit injector. That cannot be done using the CreateRemoteThread method. You need to create a 64 bit injector.

On top of that csrss is a system integrity critical component. I would not be at all surprised if injecting into it was not allowed even if you resolved the bitness issues. I would definitely advise against continuing your attempts to inject into csrss.

David Heffernan
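A pre-flight check in the question's language (Delphi), added here as an example rather than code from either answer: it compares the injector's own bitness with the DLL's PE Machine field and the target's WOW64 status, so the 32-bit injector / 64-bit DLL / 64-bit target combination from the comments is rejected before any injection is attempted. The function names are my own; it assumes Delphi 2009 or later and that the caller is allowed to open the target for query.

```delphi
uses Windows, Classes, SysUtils;

const PROCESS_QUERY_LIMITED_INFORMATION = $1000;  // declared locally; older Windows.pas versions lack it
      IMAGE_FILE_MACHINE_AMD64 = $8664;           // PE Machine value for x64 (x86 is IMAGE_FILE_MACHINE_I386)

function IsWow64Process(hProcess: THandle; var Wow64: BOOL): BOOL; stdcall; external kernel32;

{ Bitness (32, 64, or 0 if unknown) of a DLL on disk, read from the Machine field of its PE file header. }
function DllBitness(const Path: string): Integer;
var F: TFileStream; Dos: TImageDosHeader; Hdr: TImageFileHeader; Sig: DWORD;
begin
  Result := 0;
  F := TFileStream.Create(Path, fmOpenRead or fmShareDenyWrite);
  try
    F.ReadBuffer(Dos, SizeOf(Dos));
    if Dos.e_magic <> IMAGE_DOS_SIGNATURE then Exit;
    F.Position := Dos._lfanew;                   // file offset of the "PE\0\0" signature
    F.ReadBuffer(Sig, SizeOf(Sig));
    if Sig <> IMAGE_NT_SIGNATURE then Exit;
    F.ReadBuffer(Hdr, SizeOf(Hdr));              // IMAGE_FILE_HEADER directly follows the signature
    if Hdr.Machine = IMAGE_FILE_MACHINE_I386 then Result := 32
    else if Hdr.Machine = IMAGE_FILE_MACHINE_AMD64 then Result := 64;
  finally
    F.Free;
  end;
end;

{ Bitness of a running process. On 64-bit Windows a WOW64 process is 32-bit and any other
  process is 64-bit; on 32-bit Windows there is no WOW64, so every process is 32-bit. }
function ProcessBitness(ProcessID: DWORD): Integer;
var H: THandle; SelfWow64, TargetWow64: BOOL;
begin
  Result := 0;
  H := OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, ProcessID);
  if H = 0 then Exit;
  try
    if IsWow64Process(GetCurrentProcess, SelfWow64) and IsWow64Process(H, TargetWow64) then
      if TargetWow64 then Result := 32
      else if (SizeOf(Pointer) = 8) or SelfWow64 then Result := 64   // 64-bit OS, native process
      else Result := 32;                                              // 32-bit OS
  finally
    CloseHandle(H);
  end;
end;

{ True only when injector, DLL and target agree; the question's 32/64/64 combination fails here. }
function BitnessMatches(const DllPath: string; ProcessID: DWORD): Boolean;
begin
  Result := (DllBitness(DllPath) = SizeOf(Pointer) * 8) and (ProcessBitness(ProcessID) = SizeOf(Pointer) * 8);
end;
```

Call BitnessMatches before Inject and refuse to continue when it returns False; a mismatch is the reason CreateRemoteThread-based injection cannot work across bitness.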

To access the csrss process, you need to enable SeDebugPrivilege. This can be done by calling RtlAdjustPrivilege.

zwclose7