Dll injection not working in suspended process - dll-injection

I'm using the CreateRemoteThread API to inject a DLL into a process. This works when the process is in the running state. But if I launch a process in the suspended state using the CreateProcess API and try to inject a DLL into it, then the DLL injection does not work. But if I use CreateProcess without the suspended flag, then I am able to inject the DLL.
Can anyone tell me the solution to this problem?

I have met a similar case. I don't know the exact root cause, but I suggest you try using the QueueUserAPC API to do the injection.

It cannot work because when a process is created with the suspended flag, it loads only ntdll.dll.
kernel32.dll is not loaded yet, so you cannot use CreateProcess to call LoadLibrary (in kernel32.dll) in the remote suspended process.
But you can use LdrLoadDll (in ntdll.dll) instead.
You can also use QueueUserAPC with LdrLoadDll, too. It will work well.

Related

WCF, DLLIMPORT strange issues

I have a very strange issue that I cannot figure out.
First, I have a WCF 4.0 service done in VS2010.
The service has a couple of methods that return string arrays, DataTables and such.
Some of them use functions from a C++ DLL through [DllImport].
I made a test console app to test everything. When I run the WCF service from Visual Studio and use the generated path, it works wonderfully.
Now here is where it becomes strange. If I open my local IIS, create a new application and point it to my VS source code, I can see the WCF service perfectly.
Now, using the HTTP path from the local IIS instead, I refresh the methods and all seems correct. But when I run my test app I can call any function without any problem EXCEPT any that use DllImport functions. They ALL crash and I cannot trace them, even by tracing CES exceptions.
Line-by-line logging shows that the exception really is on the call of those functions.
The DLL in question is the same, and the path is hardcoded for my computer since it is still in the test phase; the folder is c:\DLL\mylib.DLL, so it has nothing to do with the shadow copy IIS/Visual Studio do when you actually run. Also, referencing the DLL by name without a path, even if it's in sys32, doesn't work.
Any clue?
Also: 32-bit, changing the app pool level, access rights on the folder, full admin on the machine already too. All tried but unsuccessful.
Edit: adding to all that, since I haven't made this clear, it's not my first real WCF setup. I've already made a lot of services before and deployed them myself (probably somewhere around 50-60 services). I am asking because I have never seen this issue before and I tried all the tricks I knew and could find on the internet and from resource people I know.
We have decided to incorporate the whole service in the WPF project locally since it works as long as IIS is not hosting it. But this is really not a good thing, as this data and work should NOT be done on the client side but instead on the server side. Right now it's fine since the software that needs to use this is not released to the public yet, so it isn't critical.
The next option will be a net TCP/IP Windows service hosted on the web server if I don't find anything else.
We decided to go through the trouble of having to hard-code the logic in the main software and get away from web services for this issue. We will have to deal with updating, installing, unregistering and re-registering the unmanaged DLL by hand somehow, but at least it works.
We have added over 5 web services since that happened and no problem with them, but again none of them use DllImports.

windows service works on XP but fails with error 1053 on w2k3 64 bit

Forgive me if this is a stupid question, I'm fairly new to writing services. I've written a service that runs a timer and the timer code runs some checks to ensure our systems are up and running. It's written in VB.Net, framework 1.1. I then install the service using "sc create". The service works beautifully on the XP Pro machine that I'm developing on. However, when I install the service on a Windows 2003 server 64 bit, the service fails with error 1053 immediately. I put some debugging in to write to a text file as the first line of code in the OnStart function but even that doesn't run, so there must be a problem in the program starting up. Finally in desperation I created a brand new Windows Service in a new VB project in Visual Studio 2003 and compiled an empty service that merely declares and sets the value of a string variable in the OnStart function as follows:
Dim strTmp As String
strTmp = "hello"
Even that failed on the W2K3 server, but works fine on the XP dev machine.
The server has .Net Framework 1.1 installed and working, we use it in our CMS (written in ASP.Net 1.1).
The service runs as the local system account. I tried enabling interaction with the desktop but that didn't help. I ran Process Monitor and there are no access denied events. I emptied the Application Event Log, still doesn't work. No other events to help me out in the logs. Definitely using the Release build of the application. Permissions on the exe file are full control for System and for Admins.
Any ideas anyone? It must be something simple, but I'm damned if I can figure it out!
Thanks in advance.
@David: Hi, many thanks for the suggestions. I don't think the first point is my problem, partly because the MS article is about stopping or pausing the service, and mine fails on starting; but also because the service does not time out, there is no 30 second wait, it fails immediately. Secondly, when you say add an exception handler to the service startup, do you mean the OnStart sub? I tried adding a debug file write in there, but I'll try adding an event log entry instead. Regarding the system checks, it can't be that because the brand new empty test service I created shows the same behaviour and that does not do anything at all. Your last point could be the key. My dev environment IS 32-bit. I'll do some research on the corflags thing, or perhaps I can build a 64-bit dev environment. Many thanks again, you've given me some new things to think about at least!
OK, I have found a workaround. I was putting my exe file in System32. When I put it in a different folder, created by myself, the service ran, albeit briefly. I then had to move the ini file and the log files that it reads/writes to that folder too, rather than System32, and all seems to work nicely. God knows why it doesn't like running from System32, but at least it works now! Thanks for the help guys.
This looks very similar to this question which might help you out:
Starting a windows service fails with error 1053
A couple of other things to look out for:
Make sure you don't have either of the following statements in your deployed service:
System.Diagnostics.Debugger.Launch
System.Diagnostics.Debugger.Break
You may need to run the service with an account other than Local System (depending upon the permissions required by your service).
The 1053 error is a timeout related to the service control manager waiting for the service to respond to your start request. There is a knowledgebase article that refers to managed service stop request issues specifically relating to Framework 1.1-based services, so it is not precisely describing your problem, but it may have relevance in your situation. The link is provided for your reference.
http://support.microsoft.com/kb/839174
The other suggestion I would make to further diagnose the issue is to determine whether the Start is failing due to a "hidden" exception occurring in your service's startup code; the start call would not see the exception and could make you think it was merely timing out.
I would suggest you add an exception handler to your service startup that does nothing more than log a message to the event log with the particulars of the exception if one is caught. That would at least give you an idea that something is going wrong specifically within the service, and give you more information than you have right now.
One last thought: Does the service check the systems you describe over a network connection? If so, LocalSystem won't have sufficient privileges to perform network access.
Good luck!
EDIT One other possibility:
Is your development environment/executable 32-bit? You mention your server is 64-bit, so you may need to use the "corflags" tool that forces 32-bit operation on your executable:
corflags /32bit+ YourServiceExecutable.exe
The source for this information was the following SO post:
32-bit Windows services in 64-bit environment
**Unfortunately, it appears corflags is applicable only for 2.0 assemblies, and was designed for specifically this type of problem.**
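The exception-logging suggestion from the answer above, written out as an added C# example. It is not code from the question (which is VB.NET 1.1) or from any project, and it targets a current .NET Framework (File.ReadAllLines and Ping need 2.0 or later). The names MonitorService, monitor.ini and monitor.log are constructed placeholders. Besides logging the real startup error to the event log, it resolves the ini and log files against the executable's own directory rather than the working directory, which for a service is %SystemRoot%\System32; keeping the files next to the executable, as the asker ended up doing, removes that dependency.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Net.NetworkInformation;
using System.ServiceProcess;
using System.Threading;

// "MonitorService", "monitor.ini" and "monitor.log" are constructed placeholder names.
public class MonitorService : ServiceBase
{
    // A service starts with %SystemRoot%\System32 as its working directory, so
    // resolve data files against the executable's folder instead of a relative path.
    private static readonly string BaseDir = AppDomain.CurrentDomain.BaseDirectory;
    private static readonly string IniPath = Path.Combine(BaseDir, "monitor.ini");
    private static readonly string LogPath = Path.Combine(BaseDir, "monitor.log");

    private Timer checkTimer;

    public MonitorService()
    {
        ServiceName = "MonitorService";
        AutoLog = true;   // ServiceBase writes its own start/stop entries to the Application log
    }

    protected override void OnStart(string[] args)
    {
        try
        {
            // Keep OnStart short: the SCM waits a limited time for the start to complete,
            // so schedule the checks on a timer rather than running them here.
            string[] targets = File.ReadAllLines(IniPath);   // one host name per line
            checkTimer = new Timer(RunChecks, targets, TimeSpan.Zero, TimeSpan.FromMinutes(5));
        }
        catch (Exception ex)
        {
            // Without this, a startup exception reaches the administrator only as
            // "did not respond in a timely fashion" (1053) with no cause recorded.
            EventLog.WriteEntry("Startup failed: " + ex, EventLogEntryType.Error);
            throw;   // let the start fail rather than leave a half-initialised service running
        }
    }

    private void RunChecks(object state)
    {
        var targets = (string[])state;
        try
        {
            foreach (string target in targets)
            {
                bool ok = IsReachable(target);
                File.AppendAllText(LogPath,
                    DateTime.Now + " " + target + (ok ? " OK" : " DOWN") + Environment.NewLine);
            }
        }
        catch (Exception ex)
        {
            // Timer callbacks run on pool threads; an unhandled exception there
            // terminates the whole process, which again surfaces only as a dead service.
            EventLog.WriteEntry("Check failed: " + ex, EventLogEntryType.Warning);
        }
    }

    // One plausible "is the system up" check; the question does not say what its checks do.
    private static bool IsReachable(string host)
    {
        try
        {
            using (var ping = new Ping())
            {
                return ping.Send(host).Status == IPStatus.Success;
            }
        }
        catch (PingException)
        {
            return false;   // name resolution failure etc. counts as down, not as a crash
        }
    }

    protected override void OnStop()
    {
        if (checkTimer != null)
            checkTimer.Dispose();
    }

    public static void Main()
    {
        ServiceBase.Run(new MonitorService());
    }
}
```

The entries land in the Application log under the service's name, so the first thing to do after a 1053 is to look there rather than at the SCM's generic message.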

Is it possible to spawn a child process from Windows 8 Metro Style App?

We'd like to use a couple of legacy utilities in our Metro style application. It'd be a waste of time trying to recompile and wrap them into WinRT components, as they have very simple interfaces.
Is it possible to spawn a child process (which will stay within the sandbox) from a Metro style app? Metro style IE seems to be able to do it; however, as we all know, it's "special".
You should be able to package your process as an out-of-proc COM object and use CoCreateInstanceFromApp to launch it.
There are likely to be some challenges related to getting the proxy/stubs for your COM interfaces to work - the low level C++/IDL authoring experience isn't well documented currently so building the proxy/stubs will be difficult, but it absolutely is possible to do.
There is no API in Metro like ShellExecute or CreateProcess, so you cannot launch other programs as-is.
You can, however, use protocol handlers. A Metro app can register a protocol handler, or use existing handlers. Think of http:// or mail:// that launches the default app registered for that handler. You can use a custom handler if they are not yet registered...
CoCreateInstanceFromApp() only allows you to create in-process COM classes that are packaged with your app. You need to write an out-of-process WinRT EXE server. Please see this sample:
http://code.msdn.microsoft.com/windowsapps/Hybrid-app-Exe-server-79bc4bca
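The protocol-handler route from the answers above, as an added C# example that is not code from the answers, from the linked sample or from any project. The app declares a custom scheme in its manifest, handles activation through it, and a caller hands over work with Launcher.LaunchUriAsync. The scheme name legacytool and the action names convert and report are constructed. Because the URI is supplied by whichever app launched it, the handler validates the scheme and allow-lists the action before doing anything with it.

```csharp
using System;
using System.Threading.Tasks;
using Windows.ApplicationModel.Activation;
using Windows.System;
using Windows.UI.Xaml;

// Declared in Package.appxmanifest (constructed scheme name):
// <Extensions>
//   <Extension Category="windows.protocol">
//     <Protocol Name="legacytool" />
//   </Extension>
// </Extensions>

sealed partial class App : Application
{
    // The runtime calls OnActivated (not OnLaunched) when the app is started through its URI scheme.
    protected override void OnActivated(IActivatedEventArgs args)
    {
        if (args.Kind != ActivationKind.Protocol)
            return;

        var protocolArgs = (ProtocolActivatedEventArgs)args;
        string action = ParseAction(protocolArgs.Uri);
        if (action == null)
            return;   // malformed or unexpected request from another app: ignore it

        // Navigate to the page that performs 'action' here, then bring the window up.
        Window.Current.Activate();
    }

    // The URI comes from another app, so treat it as untrusted input:
    // accept only our own scheme and an allow-listed action name.
    internal static string ParseAction(Uri uri)
    {
        if (uri == null || uri.Scheme != "legacytool")
            return null;

        // Everything after "legacytool:" (minus any leading slashes) names the action.
        string action = Uri.UnescapeDataString(
            uri.OriginalString.Substring(uri.Scheme.Length + 1).TrimStart('/'));

        switch (action)
        {
            case "convert":
            case "report":
                return action;
            default:
                return null;   // anything else, including path tricks, is rejected
        }
    }
}

// Caller side: hand the request to whatever app is registered for the scheme.
static class LegacyToolClient
{
    public static async Task<bool> RequestAsync(string action)
    {
        var uri = new Uri("legacytool:" + Uri.EscapeDataString(action));
        // Resolves to false when nothing handled the URI (no app registered for the scheme).
        return await Launcher.LaunchUriAsync(uri);
    }
}
```

Note that the handler app gets a URI, not a process handle: there is no return channel beyond what the two apps arrange themselves, and the handler runs in its own sandbox, not the caller's.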

how to load injection lib in mac applications at application start?

I have a dynamic library that I intend to inject into running applications and newly launched applications.
I can inject it into running applications with the help of a process running with root user permissions.
Now I am trying to get the library loaded as soon as an application is launched. I know one such library capable of doing this, called Application Enhancer. I am looking for similar behavior.
Does anyone have an idea how this can be achieved?
Look at the SIMBL agent code. It adds an observer to the application launch notification and then injects. You can follow the same approach.

using custom principal in Workflow

I have an application that hosts several WCF services. I have created a custom ServiceAuthorizationManager that is working perfectly. I inspect a few elements on the OperationContext.IncomingMessageHeaders to get a username and password. This was to overcome some limitations in our environment that wouldn't allow us to use what was built into the platform. The manager creates a custom IPrincipal, with a few necessary custom objects in it, and places it on the currently running thread for use later in the WCF business logic. This is working great.
The problem is that I have a WCF service that is a workflow, and I need to use the same mechanism there. The manager is being called correctly; however, when executing, the thread's CurrentPrincipal isn't my custom principal, it's a GenericPrincipal. Investigation shows that the workflow runtime is creating a thread, and not using the thread that the WCF call came in on.
Has anyone run into this issue, and are there any good solutions to it?
If the runtime is in the same AppDomain as the manager then you should be able to call
AppDomain.CurrentDomain.SetThreadPrincipal
See here for more information
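A small C# console program, added here and not part of the answer or of any project, that demonstrates the behaviour in the question and the effect of the call suggested above. CustomPrincipal is a hypothetical stand-in for the question's custom principal. It shows that setting Thread.CurrentPrincipal changes only the calling thread (a fresh thread, like the one the workflow runtime creates, still sees a GenericPrincipal), that AppDomain.SetThreadPrincipal supplies the default for every later thread that has none, and that a second SetThreadPrincipal call throws PolicyException. That last point is the security caveat: the default is one identity for the whole AppDomain, not the identity of the current WCF call, so in a service that authenticates many different users it must not be used to carry a per-request principal.

```csharp
using System;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical principal standing in for the question's custom IPrincipal.
public sealed class CustomPrincipal : IPrincipal
{
    public CustomPrincipal(string name)
    {
        Identity = new GenericIdentity(name, "HeaderAuth");
    }

    public IIdentity Identity { get; private set; }

    public bool IsInRole(string role)
    {
        return role == "User";
    }
}

static class ThreadPrincipalDemo
{
    // Runs on a fresh thread, as the workflow runtime does, and reports the principal that thread sees.
    static string PrincipalSeenByNewThread()
    {
        string seen = null;
        var worker = new Thread(() =>
        {
            IPrincipal p = Thread.CurrentPrincipal;
            seen = p.GetType().Name + " (" + p.Identity.Name + ")";
        });
        worker.Start();
        worker.Join();
        return seen;
    }

    static void Main()
    {
        // 1. What the authorization manager does today: only the current thread is affected.
        Thread.CurrentPrincipal = new CustomPrincipal("alice");
        Console.WriteLine("Dispatch thread: " + Thread.CurrentPrincipal.GetType().Name);
        Console.WriteLine("New thread:      " + PrincipalSeenByNewThread());

        // 2. AppDomain-wide default: threads that have not been given a principal get this one.
        AppDomain.CurrentDomain.SetThreadPrincipal(new CustomPrincipal("alice"));
        Console.WriteLine("New thread:      " + PrincipalSeenByNewThread());

        // 3. Caveat: the default can be installed only once per AppDomain, and it is
        //    shared by every thread, so it cannot represent a different user per call.
        try
        {
            AppDomain.CurrentDomain.SetThreadPrincipal(new CustomPrincipal("bob"));
        }
        catch (PolicyException ex)
        {
            Console.WriteLine("Second SetThreadPrincipal rejected: " + ex.Message);
        }
    }
}
```

Step 2 is therefore a fit only when the hosting AppDomain serves a single identity (for example a dedicated AppDomain per tenant or per service account); otherwise the per-call identity has to be passed into the workflow explicitly rather than recovered from the thread.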