search

microsoft / Detours

Detours is a software package for monitoring and instrumenting API calls on Windows. It is distributed in source code form.
MIT License
5.01k stars 979 forks source link

Usage With AppCertDLLs key #210

Closed barisunsalhn closed 8 months ago

barisunsalhn commented 2 years ago

I want to inject my dll into every process whenever it is started by user. I found AppCertDLLs does exactly this. I tried this dll and it worked (system did not want to start at first, but in later boots I managed to login, but this time explorer freezed whenever I tried to copy, delete or move file. -I guess it is related to messagebox, since it tries to use gui, windows ( version 21H1 )was problematic- ). Here is my dll code:


#include <windows.h>
#include <Ole2.h>
#include "detours.h"
#include <iostream>
#pragma comment (lib, "detours.lib")
#define BUFSIZE  1024

static HRESULT(WINAPI* dragAndDropPointer)(LPDATAOBJECT pDataObj,
    LPDROPSOURCE pDropSource,
    DWORD        dwOKEffects,
    LPDWORD      pdwEffect) = DoDragDrop;
extern "C" __declspec(dllexport)
HRESULT WINAPI dragAndDropHook(LPDATAOBJECT pDataObj,
    LPDROPSOURCE pDropSource,
    DWORD        dwOKEffects,
    LPDWORD      pdwEffect)
{
    TCHAR chBuf[1024];
    WCHAR rec[1024];
    DWORD read = 0;
    FORMATETC formatetc = {};
    STGMEDIUM stgMedium;
    DWORD size;
    BOOL allowClipboardData = TRUE;
    DWORD numberOfBytesWrite = 0;

    formatetc = { CF_UNICODETEXT,0,DVASPECT_CONTENT,-1,TYMED_HGLOBAL };
    HRESULT hres = pDataObj->GetData(&formatetc, &stgMedium);
    if (hres == S_OK) {

        WCHAR* text = (WCHAR *)GlobalLock(stgMedium.hGlobal);
        HANDLE hPipe;
        LPTSTR lpvMessage = text;
        TCHAR chBuf[BUFSIZE];
        BOOL fSuccess;
        DWORD cbRead, cbWritten, dwMode;
        LPTSTR lpszPipename = TEXT("\\\\.\\pipe\\dll_injection");

        while (1)
        {
            hPipe = CreateFile(
                lpszPipename,   // pipe name   
                GENERIC_READ |  // read and write access   
                GENERIC_WRITE,
                0,              // no sharing   
                NULL,           // default security attributes  
                OPEN_EXISTING,  // opens existing pipe   
                0,              // default attributes   
                NULL);          // no template file   

                                // Break if the pipe handle is valid.   

            if (hPipe != INVALID_HANDLE_VALUE)
                break;

            // Exit if an error other than ERROR_PIPE_BUSY occurs.   

            if (GetLastError() != ERROR_PIPE_BUSY)
            {
                printf("Could not open pipe");
                return 0;
            }

            // All pipe instances are busy, so wait for 20 seconds.   

            if (!WaitNamedPipe(lpszPipename, 20000))
            {
                printf("Could not open pipe");
                return 0;
            }
        }

        // The pipe connected; change to message-read mode.   

        dwMode = PIPE_READMODE_MESSAGE;
        fSuccess = SetNamedPipeHandleState(
            hPipe,    // pipe handle   
            &dwMode,  // new pipe mode   
            NULL,     // don't set maximum bytes   
            NULL);    // don't set maximum time   
        if (!fSuccess)
        {
            printf("SetNamedPipeHandleState failed");
            return 0;
        }

        // Send a message to the pipe server.   

        fSuccess = WriteFile(
            hPipe,                  // pipe handle   
            lpvMessage,             // message   
            (lstrlen(lpvMessage) + 1) * sizeof(TCHAR), // message length   
            &cbWritten,             // bytes written   
            NULL);                  // not overlapped   
        if (!fSuccess)
        {
            printf("WriteFile failed");
            return 0;
        }

        do
        {
            // Read from the pipe.   

            fSuccess = ReadFile(
                hPipe,    // pipe handle   
                chBuf,    // buffer to receive reply   
                BUFSIZE * sizeof(TCHAR),  // size of buffer   
                &cbRead,  // number of bytes read   
                NULL);    // not overlapped   

            if (!fSuccess && GetLastError() != ERROR_MORE_DATA)
                break;

        } while (!fSuccess);  // repeat loop if ERROR_MORE_DATA   

        CloseHandle(hPipe);

               //determined after ReadFile , for now it is always 1.
        if (allowClipboardData) {
            dragAndDropPointer(pDataObj, pDropSource, dwOKEffects, pdwEffect);
        }
        else {
            dragAndDropPointer(pDataObj, pDropSource, dwOKEffects, DROPEFFECT_NONE);
        }

        return S_OK;
    }

    dragAndDropPointer(pDataObj, pDropSource, dwOKEffects, pdwEffect);
    return S_OK;
}

extern "C" __declspec(dllexport)
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD dwReason,
    LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        DetourRestoreAfterWith();

        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());

        DetourAttach(&(PVOID&)dragAndDropPointer, dragAndDropHook);
        DetourTransactionCommit();
    }
    else if (dwReason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)dragAndDropPointer, dragAndDropHook);
        DetourTransactionCommit();
    }
    else if (dwReason == DLL_THREAD_ATTACH) {
        return TRUE;
    }
    else if (dwReason == DLL_THREAD_DETACH) {
        return TRUE;
    }

    return TRUE;
}

Any help?

barisunsalhn commented 8 months ago

Sadd, nobody helps.