This is easy. You can do it very easily by using Microsoft Detours and injecting a DLL into the target process.
Code:
#define WIN32_LEAN_AND_MEAN
#define _WIN32_DCOM
#include <Windows.h>
#include <comdef.h>
#include <WbemIdl.h>
#include "detours.h"
// Signature used to call the hooked CWbemObject::Get. The leading DWORD slot
// ("junk") presumably receives the member function's `this` pointer, with the
// remaining parameters being the property name, flags, and the out-parameters
// for value, CIM type and flavor -- TODO confirm against the decorated export
// name used in DllMain.
typedef HRESULT (__stdcall *PGET) (DWORD junk, LPCWSTR, LONG, VARIANT*, CIMTYPE*, LONG*);
// Pointer to the original implementation (trampoline); assigned in DllMain.
PGET OrigGet;
// Set on the first DLL_PROCESS_ATTACH so the hook is installed only once.
BOOL bHooked = FALSE;
// Replacement for CWbemObject::Get. A request for the "ProcessorId" property is
// answered with a fixed string; every other property is forwarded unchanged
// to the original implementation through OrigGet.
// Because this runs inside the querying process, any value that process reads
// from WMI can be altered this way; in-process WMI reads are therefore not a
// trustworthy source of hardware identity for a defender.
// NOTE(review): as pasted, the opening `{` of the function body is missing
// between the signature line and the `if`.
HRESULT __stdcall NewGet(DWORD junk, LPCWSTR wszName, LONG lFlags, VARIANT *pVal, CIMTYPE *pvtType, LONG *plFlavor)
if(!wcscmp(wszName, L"ProcessorId")) //CPUID
{
// A wide string literal is stored directly in the BSTR slot of the VARIANT
// (no SysAllocString is involved).
pVal->vt = VT_BSTR;
V_BSTR(pVal) = L"PUT SPOOFED PROCESSOR ID HERE";
}
else return OrigGet(junk, wszName, lFlags, pVal, pvtType, plFlavor);
// The spoofed path returns 1 (S_FALSE) rather than S_OK.
return 1;
}
// DLL entry point. On the first DLL_PROCESS_ATTACH it locates the decorated
// CWbemObject::Get export of fastprox.dll and redirects it to NewGet, keeping
// the returned pointer to the original in OrigGet.
// NOTE(review): this uses the DetourFunction API of an older Detours release
// (post #2 shows the DetourAttach form). Neither the DetourFindFunction result
// nor the detour result is checked, so a lookup that fails -- for example if
// the decorated name differs between Windows builds -- goes unnoticed and
// OrigGet may end up NULL. The hook is installed from inside DllMain, i.e.
// under the loader lock; confirm the Detours version in use supports that.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
if (dwReason == DLL_PROCESS_ATTACH && !bHooked)
{
bHooked = TRUE;
OrigGet = (PGET)DetourFunction((LPBYTE)DetourFindFunction("fastprox.dll", "?Get@CWbemObject@@UAGJPBGJPAUtagVARIANT@@PAJ2@Z"), (LPBYTE)NewGet);
}
return TRUE;
}
Thanks for your answer!
But: I'm new to Detours, and I'm having trouble getting your DLL to work... The current version of Detours does not support "DetourFunction", so I had to change the DllMain function: Code:
// DLL entry point rewritten for a newer Detours API: OrigGet is first set to
// the address of the decorated CWbemObject::Get export, then DetourAttach is
// asked to redirect it to NewGet (updating OrigGet through the reference cast).
// NOTE(review): the `(PVOID&)` cast is C++ only, so this listing is C++, not C.
// The DetourFindFunction result may be NULL and DetourAttach's return value is
// discarded, so a failed hook is silent.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
if (dwReason == DLL_PROCESS_ATTACH && !bHooked)
{
bHooked = TRUE;
OrigGet = (PGET)DetourFindFunction("fastprox.dll", "?Get@CWbemObject@@UAGJPBGJPAUtagVARIANT@@PAJ2@Z");
DetourAttach(&(PVOID&)OrigGet, (LPBYTE)NewGet);
}
return TRUE;
}
Also I wonder how to inject this DLL into the .NET process... Could this be done using "DetourCreateProcessWithDllEx"? |
Please see attached for my copy of detours.h and detours.lib
You can write a simple loader that could start up the app with CreateProcess(), using information from the lpProcessInformation param to get the process' handle. Note: you may need to enable SeDebugPrivilege first before doing any of this. Code borrowed from online. Code:
// Enables SeDebugPrivilege on the current process token (post #3 notes this
// "may be needed" before the loader runs). Returns TRUE when every API call
// succeeded; the token handle is closed on all paths.
// NOTE(review): AdjustTokenPrivileges reports success even when the token does
// not hold the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED), which is
// not checked here, so a non-elevated caller gets TRUE without the privilege
// actually being enabled. From a monitoring standpoint, this token-right
// adjustment is auditable and is a common precursor of cross-process access.
BOOL EnableDebugPrivilege()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tp;
if ( !OpenProcessToken(
GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | // to adjust privileges
TOKEN_QUERY, // to get old privileges setting
&hToken
) )
//
// OpenProcessToken() failed
//
return FALSE;
//
// Given a privilege's name SeDebugPrivilege, we should locate its local LUID mapping.
//
if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
{
//
// LookupPrivilegeValue() failed
//
CloseHandle( hToken );
return FALSE;
}
// One privilege entry; tp holds exactly one element, so sizeof(tp) is the
// full structure size passed below.
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = sedebugnameValue;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// PreviousState and ReturnLength are NULL: the prior state is not retained.
if ( !AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(tp), NULL, NULL ) )
{
//
// AdjustTokenPrivileges() failed
//
CloseHandle( hToken );
return FALSE;
}
CloseHandle( hToken );
return TRUE;
}
Code:
// Loads the DLL at szDllToInjectPath into hProcess via the remote-thread
// pattern: allocate a buffer in the target, copy the path into it, start a
// thread in the target at kernel32!LoadLibraryA with that buffer as its
// argument, wait for it, then release the buffer. Returns FALSE at the first
// failing Win32 call, TRUE otherwise.
// This exact VirtualAllocEx / WriteProcessMemory / CreateRemoteThread ->
// LoadLibraryA sequence is the textbook injection pattern that endpoint
// monitoring keys on.
// NOTE(review): the LoadLibraryA address is resolved in *this* process and
// reused in the target, which presumably only lines up when both processes
// are the same bitness (see post #7 regarding 64-bit targets) -- confirm.
// Resource notes: on the WriteProcessMemory and CreateRemoteThread failure
// paths the remote buffer is not released; on the VirtualFreeEx failure path
// hThread is not closed. The remote thread's exit code (LoadLibraryA's result)
// is never inspected, so a load that fails inside the target still yields TRUE.
BOOL bInjectLibrary(HANDLE hProcess, char* szDllToInjectPath)
{
LPVOID lpRemoteAddress = VirtualAllocEx(hProcess, NULL, strlen(szDllToInjectPath), MEM_COMMIT, PAGE_READWRITE);
if(!lpRemoteAddress)
return FALSE;
if(!WriteProcessMemory(hProcess, lpRemoteAddress, (LPVOID)szDllToInjectPath, strlen(szDllToInjectPath), NULL))
return FALSE;
HANDLE hThread = NULL;
if(!(hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA"), lpRemoteAddress, NULL, NULL)))
return FALSE;
// Block until the remote LoadLibraryA call has returned.
WaitForSingleObject(hThread, INFINITE);
if(!VirtualFreeEx(hProcess, lpRemoteAddress, 0, MEM_RELEASE))
return FALSE;
CloseHandle(hThread);
return TRUE;
}
Ok, thanks for your version of the Detours library, with that one I could build the DLL.
However, injection/hooking does not work properly, yet. This is basically what my loader looks like: Code:
// Loader fragment (post #4): `result`, `si`, `pi`, the command-line and
// working-directory vectors, and DllPath are declared outside this excerpt.
// Get debug privilege
EnableDebugPrivilege(); // return value is ignored
// Create process
// CREATE_SUSPENDED: the new process's primary thread does not run until the
// ResumeThread call at the end of this fragment.
result = CreateProcess(NULL, &ExePathAndCmdLineVec[0], NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, &WorkingDirVec[0], &si, &pi);
if(!result)
{
return -1;
}
// Inject DLL
// NOTE(review): pi.hThread is passed here, but bInjectLibrary's first
// parameter is `HANDLE hProcess` (see its definition in post #3); post #5
// corrects this call to pi.hProcess. The return value is also not checked.
bInjectLibrary(pi.hThread, DllPath.c_str());
// Resume process execution
ResumeThread(pi.hThread);
Are you sure this kind of injection works for .NET applications? I attached a sample executable... It is not the target, but it works just like the target. I couldn't manage to manipulate the "ProcessorId" entry using your DLL...
Code:
bInjectLibrary(pi.hThread, DllPath.c_str()); // Resume process execution ResumeThread(pi.hThread); Code:
// Corrected loader tail (post #5): the process handle, not the thread handle,
// is what bInjectLibrary's `HANDLE hProcess` parameter expects.
bInjectLibrary(pi.hProcess, DllPath.c_str());
// Resume process execution
// NOTE(review): ResumeThread takes a thread handle; post #6 reports the
// process stays suspended with pi.hProcess, and post #7 confirms this line
// was a typo for pi.hThread.
ResumeThread(pi.hProcess);
//Close thread handle
CloseHandle(pi.hThread);
//Close process handle
CloseHandle(pi.hProcess);
ResumeThread() has to be called with pi.hThread, that was right. The process will stay suspended, if you call it with pi.hProcess.
But apart from that, I tried your suggestions. I also tried to start the process non-suspended, which doesn't work either... This injection stuff is a debugging nightmare: you can't debug it in the development environment, and debugging in IDA doesn't work either because of all this .NET stuff... :-( Don't you have some loader which is known to work for .NET applications?
Sorry, yes, that was a typo. Are you on an x64 system? If the .NET metadata in your target executable is not marked as 32-bit required, it will spawn as a 64-bit process. This will result in failure. You will need to compile the DLL as a 64-bit DLL to inject.
I have successfully got the DLL working in your test app, spoofing processor ID with my hook + this loader: http://code.google.com/p/injector/ Command line: newloaderv4.1.exe --lib "E:\Downloads\WmiSpoof.dll" --launch Test.exe http://i.imgur.com/2rqsj.png |