How to get the address of original CreateProcessInternalW which is required for the hooking?

  • Question

  • I am a college student and I am very new to this API-hooking. Forgive me if I write something stupid.

    I need to hook the function "CreateProcessInternalW". For that I need the address of original function to call it from the hooked function. I want to do something like this:

    #include <windows.h>

    // Prototype of the original (undocumented) function, so it can be called through a pointer.
    typedef BOOL (WINAPI *CreateProcessInternalW_t)(HANDLE, LPCWSTR, LPWSTR,
        LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID,
        LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION, PHANDLE);

    // Pointer to the original function; must be filled in before the hook can run.
    static CreateProcessInternalW_t pCreateProcessInternalW = NULL;

    BOOL WINAPI CreateProcessInternalW_Hook(HANDLE hToken,
        LPCWSTR lpApplicationName,
        LPWSTR lpCommandLine,
        LPSECURITY_ATTRIBUTES lpProcessAttributes,
        LPSECURITY_ATTRIBUTES lpThreadAttributes,
        BOOL bInheritHandles,
        DWORD dwCreationFlags,
        LPVOID lpEnvironment,
        LPCWSTR lpCurrentDirectory,
        LPSTARTUPINFOW lpStartupInfo,
        LPPROCESS_INFORMATION lpProcessInformation,
        PHANDLE hNewToken)
    {

        //get address of original api in pCreateProcessInternalW.

        // calling original function
        BOOL RetVal = pCreateProcessInternalW ( hToken,
            lpApplicationName,
            lpCommandLine,
            lpProcessAttributes,
            lpThreadAttributes,
            bInheritHandles,
            dwCreationFlags,
            lpEnvironment,
            lpCurrentDirectory,
            lpStartupInfo,
            lpProcessInformation,
            hNewToken);

        // rest of the computing.

        // hand the original's result back to the caller
        return RetVal;
    }

    Now how to find that original address? I tried googling it and found a few implementations, but the code for finding the original address is kind of lost in their various source/header files. I don't need to inject the DLL manually, and I am using the ms-detours library to implement the API hooking. The other implementations are doing something else, and if I include that code I am afraid my code might not work.

    Another question: CreateProcessInternalW loads the image of the file to execute. So if the file that is getting executed is, say, 'abc.exe', then would the arguments lpCurrentDirectory and lpApplicationName give me the exact file location?

    Please help. Thank you.

    Saturday, January 10, 2015 7:34 AM

Answers

  • I think that you have to use LoadLibrary("KERNEL32") and GetProcAddress("CreateProcessInternalW"). Since you are using Detours, then assign the obtained address to pCreateProcessInternalW before performing DetourAttach.

    Monday, January 12, 2015 6:49 AM
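Added example (not code from the thread or from the Detours project): the pattern the answer describes, written out end to end. The real export is resolved with GetProcAddress, stored in pCreateProcessInternalW, and only then handed to DetourAttach, which overwrites that pointer with the trampoline the hook calls. The 12-argument prototype is the commonly published one for this undocumented export and is an assumption that must be checked against the target Windows build. The two helpers at the top (FirstCommandLineToken and GuessImagePath, both illustrative names) address the second question in the post: lpApplicationName and lpCurrentDirectory alone do not give the exact file location (lpApplicationName is often NULL, lpCurrentDirectory NULL means "inherit", and bare names go through the PATH search), so the hook also asks the new process handle for its image path, which is the authoritative answer. Only the Windows-specific part is under `_WIN32`; the helpers are portable C++.

```cpp
// Added example, not code from the thread: resolve the real export with
// GetProcAddress, hand it to Detours, and call the original through the
// trampoline. Windows-specific parts are under _WIN32; the two helpers above
// them are portable so the logic they encode can be exercised anywhere.
#include <string>

// First token of a Windows command line, honouring surrounding quotes. This is
// what CreateProcess examines when lpApplicationName is NULL. Caveat: for an
// UNquoted path containing spaces, CreateProcess tries longer and longer
// prefixes ("C:\Program.exe", "C:\Program Files\x.exe", ...); this helper
// stops at the first space, so treat its result as a hint only.
std::wstring FirstCommandLineToken(const wchar_t* cmd) {
    std::wstring tok;
    if (!cmd) return tok;
    while (*cmd == L' ' || *cmd == L'\t') ++cmd;
    if (*cmd == L'"') {
        for (++cmd; *cmd && *cmd != L'"'; ++cmd) tok += *cmd;
    } else {
        for (; *cmd && *cmd != L' ' && *cmd != L'\t'; ++cmd) tok += *cmd;
    }
    return tok;
}

// Best-effort image path from the hook's arguments only. A relative name is
// joined to lpCurrentDirectory when one was supplied; when it is NULL the child
// inherits the caller's directory, and a bare name may also be found through the
// PATH search, so the arguments alone do NOT give the exact file location.
std::wstring GuessImagePath(const wchar_t* appName, const wchar_t* cmdLine,
                            const wchar_t* curDir) {
    std::wstring name = appName ? std::wstring(appName) : FirstCommandLineToken(cmdLine);
    bool absolute = name.size() >= 2 &&
                    (name[1] == L':' || (name[0] == L'\\' && name[1] == L'\\'));
    if (name.empty() || absolute || !curDir || !*curDir) return name;
    std::wstring dir(curDir);
    if (dir.back() != L'\\') dir += L'\\';
    return dir + name;
}

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600   // QueryFullProcessImageNameW needs Vista or later
#endif
#include <windows.h>
#include <detours.h>          // Microsoft Detours; link with detours.lib

// Assumed prototype of the undocumented kernel32 export (the one in the
// question). It is not in any SDK header, so verify it against the target build.
typedef BOOL (WINAPI *CreateProcessInternalW_t)(HANDLE, LPCWSTR, LPWSTR,
    LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR,
    LPSTARTUPINFOW, LPPROCESS_INFORMATION, PHANDLE);

// Before DetourAttach this holds the real export; DetourAttach overwrites it with
// the trampoline, which is what the hook must call to reach the original code.
static CreateProcessInternalW_t pCreateProcessInternalW = NULL;

static BOOL WINAPI CreateProcessInternalW_Hook(HANDLE hToken, LPCWSTR lpApplicationName,
    LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags,
    LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation, PHANDLE hNewToken)
{
    std::wstring hint = GuessImagePath(lpApplicationName, lpCommandLine, lpCurrentDirectory);
    BOOL ok = pCreateProcessInternalW(hToken, lpApplicationName, lpCommandLine,
        lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags,
        lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation, hNewToken);
    if (ok && lpProcessInformation && lpProcessInformation->hProcess) {
        // The authoritative path comes from the new process handle, not the arguments.
        WCHAR path[MAX_PATH];
        DWORD len = MAX_PATH;
        if (QueryFullProcessImageNameW(lpProcessInformation->hProcess, 0, path, &len)) {
            OutputDebugStringW((L"[hook] hint=" + hint + L" actual=" + path).c_str());
        }
    }
    return ok;
}

BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) {
        // kernel32 is always mapped, so no LoadLibrary is needed inside DllMain
        // (avoids loader-lock problems); GetProcAddress by name finds the export.
        HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
        pCreateProcessInternalW = (CreateProcessInternalW_t)
            GetProcAddress(k32, "CreateProcessInternalW");
        if (!pCreateProcessInternalW) return FALSE;
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)pCreateProcessInternalW, (PVOID)CreateProcessInternalW_Hook);
        if (DetourTransactionCommit() != NO_ERROR) return FALSE;
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)pCreateProcessInternalW, (PVOID)CreateProcessInternalW_Hook);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Build it as a DLL with the Detours headers and library on the include/link path and inject it with whatever loader you already use. Two things worth keeping in mind: the hook body must never call CreateProcessInternalW_Hook's own export (that re-enters the detour), only the pointer Detours rewrote; and because the export is undocumented, a wrong prototype on a future build corrupts the stack silently, so compare the argument hint with the handle-derived path on a known test run before trusting the hook.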

All replies

  • CreateProcess function

    "Unicode and ANSI names = CreateProcessW (Unicode) and CreateProcessA (ANSI)"


    La vida loca

    Saturday, January 10, 2015 7:43 AM
  • @Monkeyboy thanks for the reply but I already knew about CreateProcess. I am interested in CreateProcessInternalW.
    Saturday, January 10, 2015 9:04 AM