CreateProcessAsUserW cannot be hooked under Windows 10 or Windows 11, but on Windows Server 2019 it works well.
My code is as follows:
// Added so the snippet is self-contained: the pointer types for the two detoured
// APIs and the variables the code below assigns. LOG_INFO/LOG_ERROR and
// HookedCreateProcessW are defined elsewhere in the poster's DLL.
#include <windows.h>
#include <detours.h>
typedef BOOL (WINAPI *PfnCreateProcessAsUserW)(HANDLE, LPCWSTR, LPWSTR,
    LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR,
    LPSTARTUPINFOW, LPPROCESS_INFORMATION);
typedef BOOL (WINAPI *PfnCreateProcessW)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
    LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW,
    LPPROCESS_INFORMATION);
static PfnCreateProcessAsUserW OriginalCreateProcessAsUserW = NULL;
static PfnCreateProcessW OriginalCreateProcessW = NULL;
BOOL WINAPI HookedCreateProcessW(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES,
    LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW,
    LPPROCESS_INFORMATION);

BOOL WINAPI HookedCreateProcessAsUserW(
    HANDLE hToken,
    LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCWSTR lpCurrentDirectory,
    LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
) {
    // One unbroken format string (it was split across two lines), %ls for every
    // wide argument; a NULL lpDesktop is printed as (null) by the CRT.
    LOG_INFO(L"===sunlei22===CreateProcessAsUserW is called with application: %ls, commandline: %ls, currentdirectory: %ls, desktop: %ls\n",
             lpApplicationName, lpCommandLine, lpCurrentDirectory, lpStartupInfo->lpDesktop);
    return OriginalCreateProcessAsUserW(
        hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
        bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation
    );
}

bool ProcessAttach()
{
    OriginalCreateProcessAsUserW = CreateProcessAsUserW;
    OriginalCreateProcessW = CreateProcessW;
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourSetIgnoreTooSmall(TRUE);
    LONG ret = 1;
    do
    {
        ret = DetourAttach(&(PVOID&)OriginalCreateProcessAsUserW, HookedCreateProcessAsUserW);
        if (ret != NO_ERROR)
        {
            LOG_ERROR(L"DetourAttach for CreateProcessAsUserW failed\n");
            break;
        }
        ret = DetourAttach(&(PVOID&)OriginalCreateProcessW, HookedCreateProcessW);
        if (ret != NO_ERROR)
        {
            LOG_ERROR(L"DetourAttach for CreateProcessW failed\n");
            break;
        }
    } while (false);
    if (ret != NO_ERROR)
    {
        // Nothing is installed yet; discard the pending transaction instead of committing it.
        LOG_ERROR(L"DetourAttach failed\n");
        DetourTransactionAbort();
        return false;
    }
    LOG_INFO(L"DetourAttach succeeded\n");
    PVOID* ppbFailedPointer = NULL;
    LONG error = DetourTransactionCommitEx(&ppbFailedPointer);
    if (error != NO_ERROR)
    {
        // ppbFailedPointer may be NULL, so it must not be dereferenced unconditionally.
        LOG_ERROR(L"DetourTransactionCommitEx failed, error %ld (%p/%p)\n", error,
                  ppbFailedPointer, ppbFailedPointer ? *ppbFailedPointer : (PVOID)NULL);
        return false;
    }
    // The original returned `ret`, which is 0 on success and so reported failure as true.
    return true;
}
CreateProcessW can be hooked, but CreateProcessAsUserW does not work.
Has anyone encountered the same problem? I look forward to your reply.
Check the call stack. I guess you hook kernel32.dll!CreateProcessAsUserWStub (addressed by something like LoadLibrary("kernel32.dll") + GetProcAddress(..., "CreateProcessAsUserW")), but the program ran into another stub like advapi32.dll!CreateProcessAsUserWStub, for example:
The program ran into advapi32.dll!CreateProcessAsUserWStub:
And Detours hooked kernel32.dll!CreateProcessAsUserWStub:
If you are in this scenario, this is not a bug. Addressing CreateProcessAsUserW from KernelBase.dll instead of kernel32.dll should be fine, because those stubs will be forwarded to KernelBase.dll!CreateProcessAsUserW:
I'm not an official MS member; I just maintain a fork, KNSoft.SlimDetours, and keep an eye on the upstream, so my answer is not official either, but I hope it helps.
Ratin Gao
As you mentioned above, the call stack is CreateProcessAsUserWStub (advapi32.dll) -> CreateProcessAsUserW (KernelBase.dll). I modified my code to get the API address from KernelBase.dll instead of from advapi32.dll/Kernel32.dll.
I wrote a demo that calls the API CreateProcessAsUserW, then injected the DLL into the demo. In that situation, CreateProcessAsUserW can be hooked normally. But when I inject the DLL into explorer.exe or sihost.exe, the hook does not work.
C:\Windows\System32\KERNEL32.DLL -> CreateProcessAsUserW
C:\Windows\System32\KERNELBASE.dll -> CreateProcessAsUserW
C:\Windows\System32\advapi32.dll -> CreateProcessAsUserW
CreateProcessAsUserW could be in all 3 of them; you may need to hook all 3.
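Putting Ratin Gao's explanation (kernel32 and advapi32 each carry a stub that lands in KernelBase's implementation) together with the last comment's suggestion to hook all three, the following is an added example of how a monitoring DLL can resolve the export from every candidate module, drop duplicates where one module merely forwards to another, and detour each distinct address once. It is not code from this thread or from the Detours project. The target-collection part is plain C++ and runs anywhere; the attach part compiles only under _WIN32 and assumes Microsoft Detours (detours.h). FakeResolver and its addresses are constructed stand-ins for GetProcAddress so the collection logic can be exercised offline; the module names and the claim that the stubs do nothing but forward to KernelBase come from the thread itself.

```cpp
// Added example, not code from this issue thread or from the Detours project.
// Portable part: CollectTargets and the constructed FakeResolver.
// Windows part (under _WIN32): Detours attach, assumes Microsoft Detours.
#include <functional>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <detours.h>
#endif

// One export resolved from one module; the address is opaque to portable code.
struct HookTarget {
    std::string module;
    void* address;
};

// Maps (module, export name) to an address, or nullptr if the module lacks it.
using Resolver = std::function<void*(const std::string&, const char*)>;

// Resolve exportName from each candidate module, keeping one target per
// distinct address in candidate order. A module whose export is a forwarder
// resolves to the same address as the module it forwards to and is dropped, so
// no address is detoured twice; a module with its own stub keeps its own entry.
std::vector<HookTarget> CollectTargets(const std::vector<std::string>& modules,
                                       const char* exportName,
                                       const Resolver& resolve) {
    std::vector<HookTarget> out;
    for (const std::string& m : modules) {
        void* addr = resolve(m, exportName);
        if (addr == nullptr) continue;
        bool seen = false;
        for (const HookTarget& t : out) {
            if (t.address == addr) { seen = true; break; }
        }
        if (!seen) out.push_back(HookTarget{m, addr});
    }
    return out;
}

// Constructed resolver standing in for GetProcAddress (fake addresses only).
// kernel32Forwards=true models kernel32 exporting a forwarder to KernelBase
// (same address); false models kernel32 carrying its own stub, as in the thread.
Resolver FakeResolver(bool kernel32Forwards) {
    static int kernelBaseImpl, kernel32Stub, advapi32Stub;
    return [kernel32Forwards](const std::string& m, const char*) -> void* {
        if (m == "KernelBase.dll") return &kernelBaseImpl;
        if (m == "kernel32.dll")
            return kernel32Forwards ? static_cast<void*>(&kernelBaseImpl)
                                    : static_cast<void*>(&kernel32Stub);
        if (m == "advapi32.dll") return &advapi32Stub;
        return nullptr;
    };
}

#ifdef _WIN32
typedef BOOL (WINAPI *PfnCreateProcessAsUserW)(HANDLE, LPCWSTR, LPWSTR,
    LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR,
    LPSTARTUPINFOW, LPPROCESS_INFORMATION);

// Real resolver: GetProcAddress on the module (loaded if not already present).
static void* Win32Resolve(const std::string& module, const char* exportName) {
    HMODULE h = LoadLibraryA(module.c_str());
    return h ? reinterpret_cast<void*>(GetProcAddress(h, exportName)) : nullptr;
}

// One trampoline per detoured address. Slot 0 is KernelBase's implementation
// and every hook calls through it, so a call entering via a kernel32 or
// advapi32 stub (which would otherwise jump into the already hooked KernelBase
// entry) is logged exactly once.
static std::vector<PfnCreateProcessAsUserW> g_trampolines;

static BOOL WINAPI HookedCreateProcessAsUserW(HANDLE hToken, LPCWSTR app,
        LPWSTR cmd, LPSECURITY_ATTRIBUTES pa, LPSECURITY_ATTRIBUTES ta,
        BOOL inherit, DWORD flags, LPVOID env, LPCWSTR cwd,
        LPSTARTUPINFOW si, LPPROCESS_INFORMATION pi) {
    OutputDebugStringW(app ? app : L"CreateProcessAsUserW: no application name");
    return g_trampolines[0](hToken, app, cmd, pa, ta, inherit, flags, env, cwd, si, pi);
}

// Detour every distinct CreateProcessAsUserW entry in one transaction.
bool InstallCreateProcessAsUserWHooks() {
    std::vector<HookTarget> targets = CollectTargets(
        {"KernelBase.dll", "kernel32.dll", "advapi32.dll"},
        "CreateProcessAsUserW", Win32Resolve);
    if (targets.empty() || targets[0].module != "KernelBase.dll") return false;
    g_trampolines.assign(targets.size(), nullptr);
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    for (size_t i = 0; i < targets.size(); ++i) {
        g_trampolines[i] = reinterpret_cast<PfnCreateProcessAsUserW>(targets[i].address);
        if (DetourAttach(reinterpret_cast<PVOID*>(&g_trampolines[i]),
                         reinterpret_cast<PVOID>(HookedCreateProcessAsUserW)) != NO_ERROR) {
            DetourTransactionAbort();
            return false;
        }
    }
    return DetourTransactionCommit() == NO_ERROR;
}
#endif
```

KernelBase.dll is listed first on purpose: CollectTargets keeps candidate order, so its trampoline lands in slot 0 and the stub hooks never run the stub code themselves. If a module turns out to forward rather than carry a stub, the dedupe step simply removes it, which is what keeps Detours from being asked to patch the same bytes twice.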