Hook CreateProcess with CreateAndInject

Apr 23, 2015 at 7:09 AM
I have a problem with this code.
I want to inject into each new process created by explorer.exe, so I decided to hook the CreateProcessW API in explorer.exe and call RemoteHooking.CreateAndInject from the hook, but I received the error "Unable to start process, please check given parameters". How can I fix this?
/// <summary>
/// Replacement handler for a hooked CreateProcess call. It forwards the call to
/// <c>CreateProcess</c> with the creation flags forced to 0x00000004
/// (CREATE_SUSPENDED), passes the new process id to <c>RemoteHooking.Inject</c>
/// together with the path of InjectDLL.dll, queues a log line on the hook's
/// callback object, and copies the resulting process information to the caller.
/// </summary>
/// <param name="lpApplicationName">Forwarded unchanged to <c>CreateProcess</c>; also written to the log line.</param>
/// <param name="lpCommandLine">Forwarded unchanged to <c>CreateProcess</c>.</param>
/// <param name="lpProcessAttributes">Forwarded unchanged to <c>CreateProcess</c>.</param>
/// <param name="lpThreadAttributes">Forwarded unchanged to <c>CreateProcess</c>.</param>
/// <param name="bInheritHandles">Forwarded unchanged to <c>CreateProcess</c>.</param>
/// <param name="dwCreationFlags">Ignored as passed in: the value is overwritten before the forwarded call.</param>
/// <param name="lpEnvironment">Forwarded unchanged to <c>CreateProcess</c>.</param>
/// <param name="lpCurrentDirectory">Forwarded unchanged to <c>CreateProcess</c>.</param>
/// <param name="lpStartupInfo">Forwarded by reference to <c>CreateProcess</c>.</param>
/// <param name="lpProcessInformation">Receives the ids and handles that <c>CreateProcess</c> reported.</param>
/// <returns>The value returned by the forwarded <c>CreateProcess</c> call, or false if an exception was thrown before that call completed.</returns>
static bool CreateProcess_Hooked(string lpApplicationName,
           string lpCommandLine,
           IntPtr lpProcessAttributes,
           IntPtr lpThreadAttributes,
           bool bInheritHandles,
           uint dwCreationFlags,
           IntPtr lpEnvironment,
           string lpCurrentDirectory,
           [In] ref STARTUPINFO lpStartupInfo,
           out PROCESS_INFORMATION lpProcessInformation)
        {
            // Local copy of the process information; its fields are copied to the out parameter at the end.
            PROCESS_INFORMATION proInformation = new PROCESS_INFORMATION();
            bool ReturnValue = false;
            // NOTE(review): processId is only referenced by the commented-out CreateAndInject call below.
            int processId = 0;
            try
            {
                // The callback object attached to this hook; an InvalidCastException from this cast
                // lands in the catch below, so CreateProcess is then never called.
                Main This = (Main)HookRuntimeInfo.Callback;
                // 0x00000004 is CREATE_SUSPENDED.
                // NOTE(review): this assignment replaces the caller's flags instead of OR-ing the bit in,
                // so every other creation flag the original caller requested is discarded.
                // NOTE(review): nothing in this block resumes the new process's primary thread; unless
                // Inject or the injected library does so, the child stays suspended. Confirm.
                dwCreationFlags = 0x00000004;
                ReturnValue = CreateProcess(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles,dwCreationFlags, lpEnvironment, lpCurrentDirectory, ref lpStartupInfo, out proInformation);
                // Disabled earlier attempt that used RemoteHooking.CreateAndInject instead of CreateProcess + Inject.
                //OutputDebugString(This.myChannelName);
                //RemoteHooking.CreateAndInject(lpApplicationName, lpCommandLine, (int)dwCreationFlags,
                //    System.IO.Path.Combine(System.IO.Path.GetDirectoryName(typeof(FileMonInterface).Assembly.Location), "InjectDLL.dll"), // 32-bit version (the same because AnyCPU)
                //    System.IO.Path.Combine(System.IO.Path.GetDirectoryName(typeof(FileMonInterface).Assembly.Location), "InjectDLL.dll"), //"ProcMonInject.dll", // 64-bit version (the same because AnyCPU)
                //    out processId,
                //    This.myChannelName);

                // NOTE(review): ReturnValue is not checked first, so Inject is also called when
                // CreateProcess failed and proInformation may hold no valid process id.
                // Both library paths point at the same InjectDLL.dll, resolved next to the assembly
                // that defines FileMonInterface.
                // NOTE(review): that file is loaded into every child process, so its directory should
                // be writable only by trusted accounts. Verify for the deployment.
                // This.myChannelName is handed to Inject as the final argument; presumably it is the
                // IPC channel the injected library connects back to. Confirm.
                RemoteHooking.Inject(proInformation.dwProcessId,
                    System.IO.Path.Combine(System.IO.Path.GetDirectoryName(typeof(FileMonInterface).Assembly.Location), "InjectDLL.dll"), // 32-bit version (the same because AnyCPU)
                    System.IO.Path.Combine(System.IO.Path.GetDirectoryName(typeof(FileMonInterface).Assembly.Location), "InjectDLL.dll"), //"ProcMonInject.dll", // 64-bit version (the same because AnyCPU)
                    This.myChannelName);
                 
                // Queue one log line: current process id, current thread id, application name, new process id.
                lock (This.Queue)
                {
                    // NOTE(review): 'now' is assigned but never used.
                    DateTime now = DateTime.Now;
                    This.Queue.Push("[" + RemoteHooking.GetCurrentProcessId() + "-CreateProcess:" +
                        RemoteHooking.GetCurrentThreadId() + "]:" + "-" + lpApplicationName + "-" + proInformation.dwProcessId + "\n");                   

                }


            }
            catch (Exception ex)
            {
                // Any failure above (cast, CreateProcess marshalling, Inject, queue) is reduced to a
                // debug-output message; the caller still receives whatever ReturnValue held at that point.
                // NOTE(review): the calls made after CreateProcess may change the thread's last-error
                // value that the original caller reads on failure. Confirm.
                OutputDebugString("Create Process - " + ex.Message + " ");
            }
            // Hand the ids and handles from the forwarded call back to the original caller.
            lpProcessInformation = new PROCESS_INFORMATION();
            lpProcessInformation.dwProcessId = proInformation.dwProcessId;
            lpProcessInformation.dwThreadId = proInformation.dwThreadId;
            lpProcessInformation.hProcess = proInformation.hProcess;
            lpProcessInformation.hThread = proInformation.hThread;            
            return ReturnValue;

        }
I also tried another approach: calling the original CreateProcessW and then using RemoteHooking.Inject, but that produced a different error: "Value cannot be null. Parameter names: assemblyString".