This repository has been archived by the owner on Sep 21, 2024. It is now read-only.

Windows Server 2012 R2 issues #8

Open
nurfed1 opened this issue Jan 20, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@nurfed1

nurfed1 commented Jan 20, 2022

Hi,

Nice work as always!

I think I might've found one of the potential issues on Windows Server 2012 R2, which causes the `[-] DefineDosDevice failed with error code 6 - The handle is invalid.` error.

On this 2012 server, `\KnownDlls\SspiCli.dll` already existed, and changing the `DLL_TO_HIJACK_WIN81` DLL to `EventAggregation.dll` fixed the issue.

Is there any specific reason why you are using SspiCli.dll on 2012 and EventAggregation.dll on Windows 10, as they both seem to get loaded by services.exe?

@itm4n
Owner

itm4n commented Jan 21, 2022

Hello!

Thank you for your feedback. :)

I don't see how these two things are related.

  1. DefineDosDevice is invoked to create the symlink in the object manager.
  2. A new services.exe process is spawned and one of its DLLs is hijacked.

What you say is that changing the name of the DLL to hijack fixes the issue, whereas this event occurs only after DefineDosDevice is invoked. 🤔

Note: When I developed the tool, EventAggregation.dll was not loaded by services.exe on my test machine running Windows Server 2012 R2, hence why I selected another one (SspiCli.dll).

@nurfed1
Author

nurfed1 commented Jan 26, 2022

Sorry, I only meant to say that the reason it sometimes fails on 2012R2 is that in some cases `\KnownDlls\SspiCli.dll` already exists, since the call to `DefineDosDevice` tries to create the device, e.g.:

```c
if (!DefineDosDevice(DDD_NO_BROADCAST_SYSTEM | DDD_RAW_TARGET_PATH, L"GLOBALROOT\\KnownDlls\\SspiCli.dll", L"\\KernelObjects\\SspiCli.dll"))
```

The question about services.exe wasn't really related to the issue I wanted to raise, I only wondered why you picked SspiCli.dll instead of EventAggregation.dll on 2012R2.

Hopefully this helps some people that are having issues. :)
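Added here as an example (not code from the thread or from the tool): a PowerShell snippet that enumerates the `\KnownDlls` object directory with `NtQueryDirectoryObject`, the same view WinObj gives, so you can confirm on a given host whether a name such as `SspiCli.dll` is already present, which is what makes the `DefineDosDevice` call above fail. The `ObjDir` class and its `List` function are my own names.

```powershell
# Added example: list the names under an object-manager directory (default \KnownDlls)
# so a failing DefineDosDevice(...KnownDlls\<name>) call can be checked against an
# entry that already exists on this host. Class/function names are the example's own.
Add-Type -TypeDefinition @'
using System; using System.Collections.Generic; using System.Runtime.InteropServices;
public static class ObjDir {
    [StructLayout(LayoutKind.Sequential)] struct UNICODE_STRING { public ushort Length, MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)] struct OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory, ObjectName; public uint Attributes; public IntPtr SecurityDescriptor, SecurityQualityOfService; }
    [StructLayout(LayoutKind.Sequential)] struct OBJECT_DIRECTORY_INFORMATION { public UNICODE_STRING Name, TypeName; }
    [DllImport("ntdll.dll")] static extern int NtOpenDirectoryObject(out IntPtr h, uint access, ref OBJECT_ATTRIBUTES oa);
    [DllImport("ntdll.dll")] static extern int NtQueryDirectoryObject(IntPtr h, IntPtr buf, int len,
        [MarshalAs(UnmanagedType.U1)] bool single, [MarshalAs(UnmanagedType.U1)] bool restart, ref uint ctx, out uint ret);
    [DllImport("ntdll.dll")] static extern int NtClose(IntPtr h);
    const uint DIRECTORY_QUERY = 0x1, OBJ_CASE_INSENSITIVE = 0x40;
    const int STATUS_NO_MORE_ENTRIES = unchecked((int)0x8000001A);

    // Returns every object name directly under the given object-manager directory.
    public static List<string> List(string dir) {
        var names = new List<string>();
        var us = new UNICODE_STRING { Length = (ushort)(dir.Length * 2), MaximumLength = (ushort)(dir.Length * 2 + 2), Buffer = Marshal.StringToHGlobalUni(dir) };
        IntPtr pus = Marshal.AllocHGlobal(Marshal.SizeOf(us)); Marshal.StructureToPtr(us, pus, false);
        var oa = new OBJECT_ATTRIBUTES { Length = Marshal.SizeOf(typeof(OBJECT_ATTRIBUTES)), ObjectName = pus, Attributes = OBJ_CASE_INSENSITIVE };
        IntPtr h; int st = NtOpenDirectoryObject(out h, DIRECTORY_QUERY, ref oa);
        if (st != 0) throw new Exception(string.Format("NtOpenDirectoryObject({0}) failed: 0x{1:X8}", dir, st));
        IntPtr buf = Marshal.AllocHGlobal(0x1000); uint ctx = 0, ret;
        try {
            // One entry per call; the first call (ctx == 0) restarts the scan.
            while ((st = NtQueryDirectoryObject(h, buf, 0x1000, true, ctx == 0, ref ctx, out ret)) == 0) {
                var e = (OBJECT_DIRECTORY_INFORMATION)Marshal.PtrToStructure(buf, typeof(OBJECT_DIRECTORY_INFORMATION));
                names.Add(Marshal.PtrToStringUni(e.Name.Buffer, e.Name.Length / 2));
            }
            if (st != STATUS_NO_MORE_ENTRIES) throw new Exception(string.Format("NtQueryDirectoryObject failed: 0x{0:X8}", st));
        } finally { NtClose(h); Marshal.FreeHGlobal(buf); Marshal.FreeHGlobal(pus); Marshal.FreeHGlobal(us.Buffer); }
        return names;
    }
}
'@

$known = [ObjDir]::List('\KnownDlls')
foreach ($dll in 'SspiCli.dll', 'EventAggregation.dll') {
    # -contains is case-insensitive, matching the OBJ_CASE_INSENSITIVE lookup the object manager does.
    '{0,-22} already in \KnownDlls: {1}' -f $dll, ($known -contains $dll)
}
```

The directory's contents depend on the OS build and on the static imports of the DLLs listed under the KnownDLLs registry key, which is why the same name can be present on one 2012 R2 host and absent on another.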

@itm4n
Owner

itm4n commented Jan 26, 2022

Oh, right! 😅
This explanation makes so much sense and is so simple at the same time.
I wonder why I didn't even think about it.
I will probably do some tests and use the same DLL name for both versions if EventAggregation.dll works on 2012R2 as well.

@itm4n itm4n added the enhancement New feature or request label Jul 20, 2022