Hooking WMI (.NET Application)

[aldente]

Hello!

I have a .NET application which uses WMI to query the "Win32_Processor" class:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa394373(v=vs.85).aspx

I want to hook the function call and modify the string returned in "ProcessorId".

How would you do that, when working with a .NET application?

I would prefer a "high level" general solution (e.g. a Loader) which also works for future versions of the software, instead of modifying the application directly.

[Ember]

This is easy. You can do it very easily by using Microsoft Detours and injecting a DLL into the target process.

Code:

#define WIN32_LEAN_AND_MEAN
#define _WIN32_DCOM
#include <Windows.h>
#include <comdef.h>
#include <WbemIdl.h>
#include "detours.h"

typedef HRESULT (__stdcall *PGET) (DWORD junk, LPCWSTR, LONG, VARIANT*, CIMTYPE*, LONG*);
PGET OrigGet;
BOOL bHooked = FALSE;

HRESULT __stdcall NewGet(DWORD junk, LPCWSTR wszName, LONG lFlags, VARIANT *pVal, CIMTYPE *pvtType, LONG *plFlavor)
	if(!wcscmp(wszName, L"ProcessorId")) //CPUID
	{
		pVal->vt = VT_BSTR;
		V_BSTR(pVal) = L"PUT SPOOFED PROCESSOR ID HERE";
	}
	else return OrigGet(junk, wszName, lFlags, pVal, pvtType, plFlavor);
	return 1;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH && !bHooked)
	{
		bHooked = TRUE;
		OrigGet = (PGET)DetourFunction((LPBYTE)DetourFindFunction("fastprox.dll", "?Get@CWbemObject@@UAGJPBGJPAUtagVARIANT@@PAJ2@Z"), (LPBYTE)NewGet);
	}
	return TRUE;
}

[aldente]

Thanks for your answer!

But:
I'm new to Detours, and I'm having trouble to get your DLL to work...

The current version of Detours deos not support "DetourFunction", I had to change the DLLMain function:

Code:

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH && !bHooked)
	{
		bHooked = TRUE;
		OrigGet = (PGET)DetourFindFunction("fastprox.dll", "?Get@CWbemObject@@UAGJPBGJPAUtagVARIANT@@PAJ2@Z");

		DetourAttach(&(PVOID&)OrigGet, (LPBYTE)NewGet);
	}
	return TRUE;
}

Is that correct?


Also I wonder how to inject this DLL into the .NET process...
Could this be done using "DetourCreateProcessWithDllEx"?

[Ember]

Please see attached for my copy of detours.h and detours.lib

You can write a simple loader that could start up the app with CreateProcess(), using information from the lpProcessInformation param to get the process' handle.

Note: you may need to enable SeDebugPrivilege first before doing any of this. Code borrowed from online.

Code:

BOOL EnableDebugPrivilege() 
{ 
	HANDLE           hToken; 
	LUID             sedebugnameValue; 
	TOKEN_PRIVILEGES tp; 
 
	if ( !OpenProcessToken(  
		GetCurrentProcess(), 
		TOKEN_ADJUST_PRIVILEGES | // to adjust privileges 
		TOKEN_QUERY,              // to get old privileges setting 
		&hToken  
		) ) 
		// 
		// OpenProcessToken() failed 
		// 
		return FALSE; 
	// 
	// Given a privilege's name SeDebugPrivilege, we should locate its local LUID mapping. 
	// 
	if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) ) 
	{ 
		// 
		// LookupPrivilegeValue() failed 
		// 
		CloseHandle( hToken ); 
		return FALSE; 
	} 
 
	tp.PrivilegeCount = 1; 
	tp.Privileges[0].Luid = sedebugnameValue; 
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 
 
	if ( !AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(tp), NULL, NULL ) ) 
	{ 
		// 
		// AdjustTokenPrivileges() failed 
		// 
		CloseHandle( hToken ); 
		return FALSE; 
	} 
 
	CloseHandle( hToken ); 
	return TRUE; 
}

This function is borrowed from another site. Just pass it your handle and a full path to your DLL that you want to inject. I have not tested it, but it looks like it should work fine.

Code:

BOOL bInjectLibrary(HANDLE hProcess, char* szDllToInjectPath)
{
	LPVOID lpRemoteAddress = VirtualAllocEx(hProcess, NULL, strlen(szDllToInjectPath), MEM_COMMIT, PAGE_READWRITE);

	if(!lpRemoteAddress)
		return FALSE;

	if(!WriteProcessMemory(hProcess, lpRemoteAddress, (LPVOID)szDllToInjectPath, strlen(szDllToInjectPath), NULL))
		return FALSE;

	HANDLE hThread = NULL;

	if(!(hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA"), lpRemoteAddress, NULL, NULL)))
		return FALSE;

	WaitForSingleObject(hThread, INFINITE);

	if(!VirtualFreeEx(hProcess, lpRemoteAddress, 0, MEM_RELEASE))
		return FALSE;

	CloseHandle(hThread);

	return TRUE;
}

Remember to close your handle to the process when done.

[aldente]

Ok, thanks for your version of the Detours library, with that one I could build the DLL.

However, injection/hooking does not work properly, yet.

This is basically what my loader looks like:

Code:

// Get debug privilege
EnableDebugPrivilege();

// Create process
result = CreateProcess(NULL, &ExePathAndCmdLineVec[0], NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, &WorkingDirVec[0], &si, &pi);
if(!result)
{
	return -1;
}

// Inject DLL
bInjectLibrary(pi.hThread, DllPath.c_str());

// Resume process execution
ResumeThread(pi.hThread);

Are you sure this kind of injection works for .NET applications?

I attached a sample executable... It is not the target, but it works just like the target. I couldn't manage to manipulate the "ProcessorId"-Entry using your DLL...

[Ember]

Code:

bInjectLibrary(pi.hThread, DllPath.c_str());

// Resume process execution
ResumeThread(pi.hThread);

This is wrong. It should be:

Code:

bInjectLibrary(pi.hProcess, DllPath.c_str());

// Resume process execution
ResumeThread(pi.hProcess);

//Close thread handle
CloseHandle(pi.hThread);

//Close process handle
CloseHandle(pi.hProcess);

I don't know if creating the process suspended might prevent DLL injection from working properly so you might want to take that (and the CloseHandle() and ResumeThread() call with the hThread param) out.