[Mut4nt]

its good doing something mutant, thanks..

but how to say... no offense... if it were posted 10-12 years ago then something like it would be worth.. somehow. But in 2012 year post about inline hook?

Well as we know on Windows NT there is no callback function ( From user mode ) to do this task

thats not true, see above posts..

In this function, we simply call the stub which contains the original 5 bytes from the hooked function

this lame man, what if there hook like this?

ff25 xxxx

then you execute half of instuction and jump over in trash. You need at least length disassembler.

Yes, of course, not a motor is only one POC, use this method only for show, But I think everyone expected an engine :D

I have another method which can monitoring all processes from user mode, so I will post it.

[R00tKit]

he he he
WMI fun system wide callback :
http://weblogs.asp.net/whaggard/archive ... 38006.aspx

[Mut4nt]

The another one is hook up the CsrCreateProcess from windows Subsystem ( The most of us we know it maintains a structure with information pe each process running on the user account )

On Windows 8, it's created the most in usermode ( on XP from kernel mode ) by the way.

[EP_X0FF]

On Windows 8, it's created the most in usermode ( on XP from kernel mode ) by the way.

Who?

[Mut4nt]

On Windows 8, it's created the most in usermode ( on XP from kernel mode ) by the way.

Who?

Nervermind, sorry I'm talking about some function from windows subsystem.

[EP_X0FF]

You mean process creation? If yes then you are completely wrong. If you speak about Csr* client-server win32 subsystem, then you again wrong, Csr* win32 subsystem is pure usermode based on LPC/ALPC communications. So basically I'm interested only in which part you are wrong or in both altogether. In NT 5.x most of "Create Process" routines located in kernel32, in NT6.x huge amount of them moved into kernel mode as NtCreateUserProcess. The only things left in user mode for NT6.x are: basic loader features such as SxS, AppCompat, filename conversion, environment block creation, post-Crs notification via CsrClientCallServer and primary thread resume. Section from file, process object, initial thread object creation + contex initialization all moved to kernel mode. How it works in NT 5.x see here.

On Windows 8, it's created the most in usermode ( on XP from kernel mode ) by the way.

So, no it is not. Maybe instead of posting totally incorrect statement you first become familiar with the basic material? :)

[kmd]

The another one is hook up the CsrCreateProcess from windows Subsystem ( The most of us we know it maintains a structure with information pe each process running on the user account )

On Windows 8, it's created the most in usermode ( on XP from kernel mode ) by the way.

how about stop lame hooking? :mrgreen:
some more reliable solution?

[Mut4nt]

The another one is hook up the CsrCreateProcess from windows Subsystem ( The most of us we know it maintains a structure with information pe each process running on the user account )

how about stop lame hooking? :mrgreen:
some more reliable solution?

sure, this one: Process thread creation notification :mrgreen:

[evelyette]

I realize this is an old thread, but I've been experimenting with AppCertDlls technique on Windows 7 and Windows 10 and while the DLL library is injected into some processes, it isn't injected into others.

The library is injected into session 0 processes like the following:

- svchost.exe: only one of these service processes through.

The library is NOT injected into session 1 processes like the following:

- WinDbg
- ImmDbg
- Microsoft Edge

The code implementing this is in the CreateProcessInternalW function (a call to BasepIsProcessAllowed) at https://svn.reactos.org/svn/reactos/tru ... iew=markup.

I'm interested what the rule is in which processes the library gets injected and in which it doesn't. Why isn't it injected in the Microsoft Edge, it's a standard Windows program/process?

Thank you for all the help and comments.

[EP_X0FF]

AFAIR integrity level also taken into account. Probably your debugger running on High IL and Egde is AppContainer. Unfortunately this legacy method has too many restrictions and mostly unreliable.