2
votes

I'm injecting a DLL inside explorer.exe to hook CreateProcess; this way I can intercept when a user opens some executables (I chose this hook method because I'm trying to learn more about hooks, I know it could be done using WMI or other ways). The library I'm using to hook is: DDetours

The hook is working, and every app I execute pops up the message box I set in the HookProc, but right after the message box, explorer.exe crashes. The code to inject the DLL is working fine, and if I just inject an empty DLL or a DLL with just a message box everything works properly. So I believe the problem is somewhere in the hook setup. Here is the DLL code:

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  CreateProcessHook: function(var lpApplicationName:String;
            lpCommandLine:String;
            lpProcessAttributes:IntPtr;
            lpThreadAttributes:IntPtr;
            bInheritHandles:Boolean;
            dwCreationFlags:Int32;
            lpEnvironment:IntPtr;
            lpCurrentDirectory:IntPtr;
            lpStartupInfo:STARTUPINFO;
            lpProcessInformation:PROCESS_INFORMATION): Boolean; stdcall = nil;

function InterceptCreateProcess(lpApplicationName:String;
            lpCommandLine:String;
            lpProcessAttributes:IntPtr;
            lpThreadAttributes:IntPtr;
            bInheritHandles:Boolean;
            dwCreationFlags:Int32;
            lpEnvironment:IntPtr;
            lpCurrentDirectory:IntPtr;
            lpStartupInfo:STARTUPINFO;
            lpProcessInformation:PROCESS_INFORMATION): Boolean; stdcall;
  begin
    MessageBoxA(0, 'Process created :)', 'Hooked', 0);
  end;

procedure DLLMain(dwReason: DWORD);
begin
  case dwReason of
  DLL_PROCESS_ATTACH:
  begin
    MessageBoxA(0,'Injected', 'Injected', MB_OK);
    @CreateProcessHook:= InterceptCreate(@CreateProcess, @InterceptCreateProcess);
  end;
  end;
end;

begin
 DLLProc := @DLLMain;
 DLLMain(DLL_PROCESS_ATTACH);
end.

As you can see, InterceptCreateProcess just shows a message box, and this is working when I open some executable, but as said above, explorer crashes. I think it's something with the declaration of the CreateProcess function variables. Any tips? Everything is 64 bits.

2
Do you have experience with C#? - Chibueze Opata

2 Answers

3
votes

Your signature for your CreateProcess detour is completely wrong. That function, a Win32 function, does not operate on Delphi strings. And the final two parameters are pointers to structs.

The first step is to fix these signatures. Use the signature from the Windows unit in the RTL.

It looks something like this:

function CreateProcessW(
  lpApplicationName: PWideChar;
  lpCommandLine: PWideChar;
  lpProcessAttributes: PSecurityAttributes;
  lpThreadAttributes: PSecurityAttributes;
  bInheritHandles: BOOL;
  dwCreationFlags: DWORD;
  lpEnvironment: Pointer;
  lpCurrentDirectory: PWideChar;
  const lpStartupInfo: STARTUPINFO;
  var lpProcessInformation: PROCESS_INFORMATION
): BOOL; stdcall;

2
votes

Your hook functions do not match the proper signature of CreateProcess(). Try this instead:

library DLL;

uses
  Windows, DDetours;

{$R *.res}

var
  CreateProcessHook: function(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall = nil;

function InterceptCreateProcess(lpApplicationName: PChar;
            lpCommandLine: PChar;
            lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
            bInheritHandles: BOOL;
            dwCreationFlags: DWORD;
            lpEnvironment: Pointer;
            lpCurrentDirectory: PChar;
            const lpStartupInfo: STARTUPINFO;
            var lpProcessInformation: PROCESS_INFORMATION): BOOL; stdcall;
begin
  { Call the original CreateProcess through the trampoline returned by
    InterceptCreate, so the caller still gets a real process and a valid
    return value, then show the message box. }
  Result := CreateProcessHook(lpApplicationName, lpCommandLine,
              lpProcessAttributes, lpThreadAttributes, bInheritHandles,
              dwCreationFlags, lpEnvironment, lpCurrentDirectory,
              lpStartupInfo, lpProcessInformation);
  MessageBox(0, 'CreateProcess', 'Hooked', 0);
end;

procedure DLLMain(dwReason: DWORD);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
    begin
      @CreateProcessHook := InterceptCreate(@CreateProcess, @InterceptCreateProcess);
      MessageBox(0, 'Injected', 'Injected', MB_OK);
    end;
    DLL_PROCESS_DETACH:
    begin
      InterceptRemove(@CreateProcessHook);
    end;
  end;
end;

begin
 DLLProc := @DLLMain;
 DLLMain(DLL_PROCESS_ATTACH);
end.
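A detour library such as the one used in this question redirects control by overwriting the first bytes of the target export (here CreateProcessW) with a jump stub to the hook. As an added defensive check, not code from the question or either answer, the Python below decodes the common jump stubs and flags an export whose entry jumps outside its own module. It works on constructed prologue bytes and constructed module addresses; none of the byte patterns or addresses are taken from a real Windows image.

```python
import struct

MASK64 = (1 << 64) - 1

def decode_detour(prologue: bytes, func_va: int):
    """Return (stub kind, absolute target) if the bytes start with a known
    detour jump stub, else None. For 'jmp [rip+disp32]' the target is the
    address of the pointer slot, because its contents are not in the prologue."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:            # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return "jmp rel32", (func_va + 5 + rel) & MASK64
    if len(prologue) >= 6 and prologue[:2] == b"\xFF\x25":    # jmp [rip+disp32] (x64)
        disp = struct.unpack_from("<i", prologue, 2)[0]
        return "jmp [rip+disp32]", (func_va + 6 + disp) & MASK64
    if len(prologue) >= 12 and prologue[:2] == b"\x48\xB8" and prologue[10:12] == b"\xFF\xE0":
        return "mov rax,imm64; jmp rax", struct.unpack_from("<Q", prologue, 2)[0]
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # x86 form
        return "push imm32; ret", struct.unpack_from("<I", prologue, 1)[0]
    return None

def check_export(name: str, prologue: bytes, func_va: int,
                 module_base: int, module_size: int) -> dict:
    """'clean': no stub. 'hooked': stub leaves the module (what an injected hook
    DLL looks like). 'jump-in-module': stub stays inside the module, e.g. a
    thunk; worth a look but not by itself evidence of injection."""
    decoded = decode_detour(prologue, func_va)
    if decoded is None:
        return {"export": name, "status": "clean"}
    kind, target = decoded
    inside = module_base <= target < module_base + module_size
    return {"export": name, "status": "jump-in-module" if inside else "hooked",
            "stub": kind, "target": target}

# Constructed sample: a pretend kernel32 mapped at K32_BASE and three snapshots
# of the CreateProcessW entry bytes (clean, hooked by an injected DLL, and a
# short in-module jump). These are made-up values, not a real image.
K32_BASE, K32_SIZE = 0x7FF9A0000000, 0xC0000
CPW_VA = K32_BASE + 0x11230
HOOK_DLL_VA = 0x7FF8A0501000   # where the injected hook function would live
SAMPLES = [
    ("CreateProcessW/clean", b"\x4C\x8B\xDC\x48\x83\xEC\x58"),
    ("CreateProcessW/hooked", b"\x48\xB8" + struct.pack("<Q", HOOK_DLL_VA) + b"\xFF\xE0"),
    ("CreateProcessW/thunk", b"\xE9" + struct.pack("<i", 0x100)),
]

def scan_samples() -> list:
    """Classify every constructed snapshot against the pretend kernel32 range."""
    return [check_export(n, p, CPW_VA, K32_BASE, K32_SIZE) for n, p in SAMPLES]
```

On a live system the prologue bytes would be read from the export's entry in the process being examined and the module range taken from its loaded-module list; the classification logic is unchanged.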