
DetourCreateProcessWithDll(), DetourCreateProcessWithDlls(), DetourCreateProcessWithDllEx() bug or something else. #333

Open
wineggdrop opened this issue Jan 11, 2025 · 2 comments

wineggdrop commented Jan 11, 2025

Test Environment: Windows 10 Enterprise LTSC 2015, Windows 10 Enterprise LTSC 2021 and Windows Server 2019
Detours Version: Latest
UAC: Enabled
Logon: Administrators group user (not the RID 500 account)
Test: Using DetourCreateProcessWithDll(), DetourCreateProcessWithDlls() or DetourCreateProcessWithDllEx() to create a console loader program (just like the withdll.exe sample) to run notepad.exe and inject my test DLL into notepad.exe.

1. Right-click on cmd.exe and select "Run as Administrator", click "Yes" on the consent window.
   Result (Success): loader's output suggests DetourCreateProcessWithDll succeeded and the test DLL is loaded into notepad.exe (checked with Process Hacker and tasklist).

2. Run Task Manager (either by selecting "Run as Administrator" or by right-clicking on the taskbar and running Task Manager).
   Run cmd.exe from Task Manager via "Run new task" and check "Create this task with administrative privileges".
   Result (Failure): loader's output suggests DetourCreateProcessWithDll succeeded but the test DLL won't load into notepad.exe (checked with Process Hacker and tasklist).

3. Run Task Manager (either by selecting "Run as Administrator" or by right-clicking on the taskbar and running Task Manager).
   Run cmd.exe from Task Manager and un-check "Create this task with administrative privileges".
   Result (Success): loader's output suggests DetourCreateProcessWithDll succeeded and the test DLL is loaded into notepad.exe (checked with Process Hacker and tasklist).

I have no idea why Test 2 fails. The cmd.exe privileges in Test 2 are identical to Test 1 (compared with whoami.exe and Process Hacker), and even Test 3, with non-elevated privileges, succeeds.

@bytecode77

That's because normally, Explorer creates the cmd.exe process:


However, when you right-click "Run as Administrator", UAC connects to a Windows service which opens the consent dialog (consent.exe). Then consent.exe spawns the new process. So, the process you originally injected into is long gone.

Detours doesn't further inject itself into child processes. But if your initial process is already elevated, then there is no need for the consent "middle man".

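To check the explanation above on a live system, the following PowerShell script (an added diagnostic, not code from the Detours project or from either commenter) lists each running cmd.exe with its parent process and token elevation state, so you can see whether it was spawned directly by explorer.exe or through the UAC consent path, and then verifies from notepad.exe's module list whether the injected DLL is present. The DLL name `test.dll` is a placeholder, since the issue does not name the test DLL; run the script from an elevated prompt so that elevated processes can be opened.

```powershell
# Added example: diagnose cmd.exe lineage/elevation and confirm DLL presence.
$DllName = 'test.dll'   # placeholder; the issue does not name the test DLL

# Resolve a parent PID to a name, or '<exited>' when the parent is already
# gone (consent.exe typically exits right after spawning the elevated child).
function Get-ParentName([int]$ParentPid) {
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ParentPid"
    if ($p) { $p.Name } else { '<exited>' }
}

# P/Invoke wrappers for reading TokenElevation (class 20) from a process token.
Add-Type -Namespace Diag -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr tok, int cls, out int info, int len, out int ret);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
'@

function Test-Elevated([System.Diagnostics.Process]$Proc) {
    try { $h = $Proc.Handle } catch { return 'unknown' }   # access denied, etc.
    $tok = [IntPtr]::Zero
    if (-not [Diag.Token]::OpenProcessToken($h, 0x8, [ref]$tok)) { return 'unknown' }  # TOKEN_QUERY
    try {
        $elev = 0; $ret = 0
        if ([Diag.Token]::GetTokenInformation($tok, 20, [ref]$elev, 4, [ref]$ret)) { return [bool]$elev }
        'unknown'
    } finally { [void][Diag.Token]::CloseHandle($tok) }
}

# One row per cmd.exe: PID, who spawned it, and whether its token is elevated.
Get-CimInstance Win32_Process -Filter "Name = 'cmd.exe'" | ForEach-Object {
    $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Pid      = $_.ProcessId
        Parent   = Get-ParentName $_.ParentProcessId
        Elevated = if ($proc) { Test-Elevated $proc } else { 'unknown' }
    }
} | Format-Table -AutoSize

# Confirm the injection result the same way the report does: by module list.
Get-Process notepad -ErrorAction SilentlyContinue | ForEach-Object {
    $loaded = $_.Modules | Where-Object { $_.ModuleName -ieq $DllName }
    '{0} PID {1}: {2} {3}' -f $_.ProcessName, $_.Id, $DllName, $(if ($loaded) { 'loaded' } else { 'NOT loaded' })
}
```

A cmd.exe whose parent shows as explorer.exe was started directly; one whose parent is `<exited>` or a service host was handed off through the consent path described above.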

wineggdrop (Author) commented Feb 3, 2025

https://github.com/user-attachments/assets/1d4afb18-e3f0-46a8-bd2e-618666d09afa
I don't understand why the case 3 test fails (the DLL fails to load into notepad.exe) if the logon user is not the default administrator (all 3 tests succeed in loading the DLL when logged on as the default administrator).
