Search code examples
cmdhookeasyhook

Windows Cmd Hook not working

i am trying to hook the CreateProcess under cmd.exe. i manage to inject the dll the the cmd process but after the injection the dll process detach message receive and i fail to hook the createprocess function call. i am using easyhook. my code:

#include <windows.h>
#include <Shlwapi.h>
#include <tchar.h>
#include <stdio.h>
#include <strsafe.h>
#include <easyhook.h>

BOOL WINAPI myCreateProcess(
_In_opt_    LPCTSTR               lpApplicationName,
_Inout_opt_ LPTSTR                lpCommandLine,
_In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_        BOOL                  bInheritHandles,
_In_        DWORD                 dwCreationFlags,
_In_opt_    LPVOID                lpEnvironment,
_In_opt_    LPCTSTR               lpCurrentDirectory,
_In_        LPSTARTUPINFO         lpStartupInfo,
_Out_       LPPROCESS_INFORMATION lpProcessInformation
){
OutputDebugString(L"\n !!!!!! In CreateProcess HOOK\n !!!!!!!!");
return CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCommandLine, lpStartupInfo, lpProcessInformation);
}
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD  ul_reason_for_call,
LPVOID lpReserved
)
{
BOOL bErrorFlag = FALSE;
DWORD dwBytesToWrite = (DWORD)strlen(DataBuffer);
DWORD dwBytesWritten = 0;
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{


    HOOK_TRACE_INFO hHook = { NULL }; // keep track of our hook

    // Install the hook

    NTSTATUS result = LhInstallHook(
        GetProcAddress(GetModuleHandle(TEXT("kernel32")), "CreateProcessW"),
        myCreateProcess,
        NULL,
        &hHook);
    if (FAILED(result))
    {
        OutputDebugString(L"!!!!!!!!!!!FAIL!!!!!!!!");
        return 1;
    }

    ULONG ACLEntries[1] = { 0 };
    LhSetInclusiveACL(ACLEntries, 1, &hHook);
    OutputDebugString(L"!!!!!!!!!!!!Injection Succeed!!!!!!!!!!!!");
    break;
}
case DLL_THREAD_ATTACH:{
    OutputDebugString(L"!!!!!!!!!!!!dll thread attach!!!!!!!!!!!!");
    break;
}
case DLL_THREAD_DETACH:
{
        OutputDebugString(L"!!!!!!!!!!!!dll thread Detach!!!!!!!!!!!!");
    break;
}

case DLL_PROCESS_DETACH:
{
            OutputDebugString(L"!!!!!!!!!!!!dll process Detach!!!!!!!!!!!!");
    break;
}
}
}

i receive the "Injection Succeed" message and right after the "dll process Detach" message . any ideas?

Solution

  • try changing :

        LhSetInclusiveACL(ACLEntries, 1, &hHook);

    to :

        LhSetExclusiveACL(ACLEntries, 1, &hHook);