Hooking WMI (.NET Application)

[Ember]

Please see attached for my copy of detours.h and detours.lib

You can write a simple loader that could start up the app with CreateProcess(), using information from the lpProcessInformation param to get the process' handle.

Note: you may need to enable SeDebugPrivilege first before doing any of this. Code borrowed from online.

Code:

BOOL EnableDebugPrivilege() 
{ 
	HANDLE           hToken; 
	LUID             sedebugnameValue; 
	TOKEN_PRIVILEGES tp; 
 
	if ( !OpenProcessToken(  
		GetCurrentProcess(), 
		TOKEN_ADJUST_PRIVILEGES | // to adjust privileges 
		TOKEN_QUERY,              // to get old privileges setting 
		&hToken  
		) ) 
		// 
		// OpenProcessToken() failed 
		// 
		return FALSE; 
	// 
	// Given a privilege's name SeDebugPrivilege, we should locate its local LUID mapping. 
	// 
	if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) ) 
	{ 
		// 
		// LookupPrivilegeValue() failed 
		// 
		CloseHandle( hToken ); 
		return FALSE; 
	} 
 
	tp.PrivilegeCount = 1; 
	tp.Privileges[0].Luid = sedebugnameValue; 
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 
 
	if ( !AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(tp), NULL, NULL ) ) 
	{ 
		// 
		// AdjustTokenPrivileges() failed 
		// 
		CloseHandle( hToken ); 
		return FALSE; 
	} 
 
	CloseHandle( hToken ); 
	return TRUE; 
}

This function is borrowed from another site. Just pass it your handle and a full path to your DLL that you want to inject. I have not tested it, but it looks like it should work fine.

Code:

BOOL bInjectLibrary(HANDLE hProcess, char* szDllToInjectPath)
{
	LPVOID lpRemoteAddress = VirtualAllocEx(hProcess, NULL, strlen(szDllToInjectPath), MEM_COMMIT, PAGE_READWRITE);

	if(!lpRemoteAddress)
		return FALSE;

	if(!WriteProcessMemory(hProcess, lpRemoteAddress, (LPVOID)szDllToInjectPath, strlen(szDllToInjectPath), NULL))
		return FALSE;

	HANDLE hThread = NULL;

	if(!(hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA"), lpRemoteAddress, NULL, NULL)))
		return FALSE;

	WaitForSingleObject(hThread, INFINITE);

	if(!VirtualFreeEx(hProcess, lpRemoteAddress, 0, MEM_RELEASE))
		return FALSE;

	CloseHandle(hThread);

	return TRUE;
}

Remember to close your handle to the process when done.

[aldente]

Ok, thanks for your version of the Detours library, with that one I could build the DLL.

However, injection/hooking does not work properly, yet.

This is basically what my loader looks like:

Code:

// Get debug privilege
EnableDebugPrivilege();

// Create process
result = CreateProcess(NULL, &ExePathAndCmdLineVec[0], NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, &WorkingDirVec[0], &si, &pi);
if(!result)
{
	return -1;
}

// Inject DLL
bInjectLibrary(pi.hThread, DllPath.c_str());

// Resume process execution
ResumeThread(pi.hThread);

Are you sure this kind of injection works for .NET applications?

I attached a sample executable... It is not the target, but it works just like the target. I couldn't manage to manipulate the "ProcessorId"-Entry using your DLL...

[Ember]

Code:

bInjectLibrary(pi.hThread, DllPath.c_str());

// Resume process execution
ResumeThread(pi.hThread);

This is wrong. It should be:

Code:

bInjectLibrary(pi.hProcess, DllPath.c_str());

// Resume process execution
ResumeThread(pi.hProcess);

//Close thread handle
CloseHandle(pi.hThread);

//Close process handle
CloseHandle(pi.hProcess);

I don't know if creating the process suspended might prevent DLL injection from working properly so you might want to take that (and the CloseHandle() and ResumeThread() call with the hThread param) out.

[aldente]

ResumeThread() has to be called with pi.hThread, that was right. The process will stay suspended, if you call it with pi.hProcess.
But apart from that, I tried your suggestions.

I also tried to start the process non-suspended, which doesn't work either...

This injection stuff is a debugging nightmare, you can't debug it in the development environment, and debugging in IDA doesn't work neither because of all this .NET stuff... :-(

Don't you have somer loader, which is known working for .NET applications?

[Ember]

Quote:

Originally Posted by aldente

ResumeThread() has to be called with pi.hThread...

Sorry yes that was a typo. Are you on a x64 system? If the .NET metadata in your target executable is not marked as 32bit required then it will spawn as a 64bit process. This will result in failure. You will need to compile the DLL as a 64bit DLL to inject.

I have successfully got the DLL working in your test app, spoofing processor ID with my hook + this loader: http://code.google.com/p/injector/

Command line: newloaderv4.1.exe --lib "E:\Downloads\WmiSpoof.dll" --launch Test.exe

http://i.imgur.com/2rqsj.png

[aldente]

Yes, I am on a x64 system...

I just tried the loader you mentioned in a virtual machine (x86), but without any success either...

Code:

newloaderv4.1.exe --lib WmiSpoof_x86_StaticRuntime.dll --launch Test.exe

The loader starts Test.exe, but the loader console window stays open (nothing is shown after "Email: [email protected]").
When I close Test.exe, the loader outputs:

Code:

Error: [@InjectLibraryW] Unknown Error (LoadLibraryW).
Error: [@SuspendResumeProcess] NtResumeProcess. [NtStatus: 0xC000010A] [LastErro
r: 6]
Error: [@InjectLibraryW] Could not resume process.
Error: [@commandline_parser] Injection failed.

How did you build your DLL?
I built it Non-Unicode with static runtime ('release' mode) with MSVC 2010.
I tried other options as well, neither worked (dynamic runtime, Unicode).

Does my attached DLL work for you?

(Thanks for your patience, by the way!)

[Ember]

Yes, it works when I run the injector from administrative cmd line and modify the exe to have 32bit required in the .NET metadata header.