Injecting running managed target fails to hook 32 bit CreateProcess.

Nov 20, 2013 at 11:32 PM
Edited Nov 20, 2013 at 11:55 PM
Hi,

I think I've come across a bug. I'm attempting to hook a CreateProcess call for a 32 bit process from a managed target, but the hook doesn't ever get called. I can see that it's calling ShellExecute and then CreateProcess using APIMonitor. (A ShellExecute hook doesn't get called either.) Hooking NtUserCreateProcess does get called, but then I'll get an access violation if I try to access any of the passed-in parameters. These hooks work fine in other situations, so it seems like a WoW64 issue. Passing through the parameters without touching them works fine.

It looks like there's a similar issue hooking a 32 bit CreateProcess from a 64 bit CreateProcess hook:

https://easyhook.codeplex.com/discussions/42827

But my situation is slightly different because the initial CreateProcess hook is injected from a C# app and not another CreateProcess hook.

Hooking the 32 bit process directly from a C# console app works. Interestingly, when that process attempts to load up the original managed target again on exit, the CreateProcess hook does get called and the injection appears to happen this time, but then the process freezes.

I would be somewhat happy to hook outside of CreateProcess using IPC, but the problem is that I can't get the new PID due to the WoW64 barrier.

I'm curious if the fix for the first known issue (creating another process, injecting, then loading and running the managed assembly manually) would help in this case as well.

Any advice would be greatly appreciated. If you require code samples I'll be happy to post some.
Feb 7, 2014 at 4:26 AM
Did you get anywhere with this one?
Feb 7, 2014 at 7:03 AM
I think this was before I realized that you can't hook managed processes suspended. I worked around this issue by not doing that.

I never did figure out a way to hook NtUserCreateProcess and access the passed-in parameters without an access violation. So I've been hooking CreateProcess instead, which has been working fine. I just came across a situation, though, where CreateProcess isn't being used to launch something, and I completely forgot about this issue and almost went down that path again. So thanks for the reminder! I'll just hook something else...

-Greg
Marked as answer by spazzarama on 2/10/2014 at 12:22 AM