My program works flawlessly on Windows Vista Ultimate and Windows 7, however it fails on Windows XP.
First, my application creates a process of a system file, it calls GetThreadContext(remote_thread) and sets an LPVOID value to the value context->Eip, and then checks the values in the structure MEMORY_BASIC_INFORMATION set from VirtualQueryEx.
Here are the values VirtualQueryEx returned when called:
Windows XP
- 0 - allocation base
- 0 - allocation protect
- 2088828928 - base address
- 1 - protect
- 983040 - region size
- 65536 - state
- 0 - type
Windows 7
- 2003959808 - allocation base
- 128 - allocation protect
- 2004025344 - base address
- 32 - protect
- 876544 - region size
- 4096 - state
- 16777216 - type
Windows Vista
- 2006122496 - allocation base
- 128 - allocation protect
- 2006536192 - Base address
- 32 - protect
- 389120 - region size
- 4096 - state
- 16777216 - type
Why is it that when I run my application on Windows XP it has no allocation base and no allocation protect, as well as completely different values to Windows 7 and Windows Vista.
I plan to use VirtualProtectEx on the address (context->Eip), so If those are the values on XP then VirtualProtectEx will inevitably fail, as I would be accessing unaccessible memory.
Here is how I create my process :
if ( CreateProcessW(m_pwszContainerPath, NULL, NULL, NULL, FALSE, DETACHED_PROCESS | CREATE_SUSPENDED, NULL, NULL, &m_stStartInfo, &m_stProcessHandles) == TRUE )
{
// Get context of thread
m_stContext.ContextFlags = CONTEXT_FULL;
if ( GetThreadContext(m_stProcessHandles.hThread, &m_stContext) == FALSE )
goto _CLEANUP;
// Grab, Eip
m_pvLdrInitEip = (LPVOID)m_stContext.Eip;
}
The fact of the matter is: This works flawlessly on both Windows 7 and Windows Vista.
Is there something I am missing here? Thank you for any help.
EDIT - Here goes a picture :
Here is a picture of two instances of olly running the executable, one in the XP virtual machine, one outside. From what I notice, the XP picture (bottom one) has it's EIP set to ModuleEntryPoint while the Windows 7 Instance has it set to ntdll..
I investigated further, and found that the EIP was, in fact in kernel32.dll image (on Windows XP), rather than ntdll.dll as it should be..
Creating a process with
CREATE_SUSPENDED
means the main process won't finish it's initialization before you run your code. the way the loader is implemented causes the different effects between XP and Vista/7, and since theCREATE_SUSPENDED
documentation doesn't grantee any process initialization you can't really count on that method. theCREATE_SUSPENDED
flag only states the process is created with the main thread suspended.It's not exactly clear what the OP desires to accomplish, but a few methods to achive similar goals come to mind:
Write a debugger instead of remotely manipulating another process. a simple tutorial and code examples can be found Here. the debugger gets an event for every spawned thread, you could probably use that.
Modify the PE to execute your code before any other by either creating a new section for your code and placing a TLS entry in the PE to execute code inside the process's memory space. you're code will then run before the process's EntryPoint but after it was initialized.
Modify the PE and replace the
EntryPoint
in the PE header with your own code, just make sure you execute the original entry point yourself. some initalization will be missing but all the PE code sections will be loaded.Inject a DLL into the process's memory address by either creating it suspended and loading a DLL from a different thread, or any other method. This article lists a few and you can Google for more. i'm not sure that'll work in all cases if you want to get the process initialized because of similar issues, but I do think that calling LoadLibrary will get you the desired efect. That is also a clean way to get code into another process and manipulate it while being more stealth than using a debugger.
You can also try scanning the entire memory for the code chunks you want to manipulate while the process is suspended, that might also work on XP.
You could try creating the process unsuspended and let it run for a short period of time before suspending the threads. after timing and a few tests you'll get a resonable feelling about how much time it takes to initialize. That's a bit risky but might work.
creating a debugger will be the easiest and most robust/generic method but will have the disadvtange of being easily detected (although you could use anti-anti-debugging tricks). loading a DLL will be the best way if you want to remain undetectable by the manipulated process (if it has any anti-debugging tricks) if you want more suggestions or recomendations for your specific needs please edit and describe in detail what exactly you want to accomplish as it is not clear from your question. a little more details about the program (is it native, or .net for example) would also be helpful.
EDIT: another speculation suggested by friend was that the kernel did not finish the process initialization by the time the syscall returns and you call
VirtualQueryEx
. he said callingWaitForSingleObject
on the process's handle will return once the process is fully initialized and you could access all the information and resume the execution afterwards.CreateProcess(CREATE_SUSPENDED)
only do partial initialization. You may try toVirtualAllocEx()
the EIP region and explicitly COMMIT it, and thenVirtualProtectEx
, of course this is a quick hack, you can have a test, I'm not sure whether this can fix the problem. BTW, what's your real purpose to do so? If you intend to hook at early stage of process execution, patch the entry point of PE header is better, since when instruction control flow reach the entry point, the process must have completed its initialization, however this also has its downside, e.g. TLS callback is invoked before the entry point get executed.