
I am creating an application where I use EasyHook to hook into the explorer.exe process and listen for the CreateProcessW method call from kernel32.dll. The program intercepts CreateProcessW only if the user runs the file by double-clicking on it (without administrator privileges), whereas when I try to run the application as administrator, the process is created but my program does not intercept CreateProcessW. I tried hooking CreateProcessAsUser and CreateProcessWithLogonW, but that didn't help. I even tried hooking ShellExecuteEx, but that didn't help either. My question is why my program does not capture this method. Does running the file as administrator call a different method than CreateProcessW?

My program runs with the "highestAvailable" permissions contained in the app.manifest.

What I have tried:

// Install hooks
// Each handler must have exactly the native signature of the hooked export and
// return synchronously; EasyHook calls it in place of the original function.

// CreateProcessW https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessw
var createProcessHook = EasyHook.LocalHook.Create(
    EasyHook.LocalHook.GetProcAddress("kernel32.dll", "CreateProcessW"),
    new DCreateProcess(CreateProcess_HookedAsync),
    this);

// CreateProcessAsUserW https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessasuserw
// Explorer is a Unicode application, so the W export is the one it would call;
// hooking CreateProcessAsUserA would never fire for it.
var createProcessAsUserHook = EasyHook.LocalHook.Create(
    EasyHook.LocalHook.GetProcAddress("advapi32.dll", "CreateProcessAsUserW"),
    new DCreateProcessAsUser(CreateProcessAsUser_Hooked),
    this);

// CreateProcessWithLogonW https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithlogonw
var createProcessWithLogonWHook = EasyHook.LocalHook.Create(
    EasyHook.LocalHook.GetProcAddress("advapi32.dll", "CreateProcessWithLogonW"),
    new DCreateProcessWithLogonW(CreateProcessWithLogonW_Hooked),
    this);

// ShellExecuteExW https://learn.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-shellexecuteexw
// Same reasoning as above: hook the Unicode export, ShellExecuteExW.
var createShellProcessHook = EasyHook.LocalHook.Create(
    EasyHook.LocalHook.GetProcAddress("shell32.dll", "ShellExecuteExW"),
    new DShellExecuteEx(ShellExecuteEx_Hooked),
    this);

// Exclusive ACL with thread id 0 (the current thread): every other thread in
// the target process is intercepted, only the installing thread is left alone.
createProcessHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
createProcessAsUserHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
createProcessWithLogonWHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
createShellProcessHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
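The delegate and handler that the snippet above leaves out, as an added example that is not part of the original question: it hooks kernel32!CreateProcessW with EasyHook in the same way, logs the image and command line of every launch the hook sees, and forwards the call to the real export. `ProcessMonitor`, `DCreateProcessW` and `CreateProcessW_Hooked` are assumed names, not from the post.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using EasyHook;

// Native CreateProcessW signature. Structures the hook does not inspect
// (attributes, STARTUPINFO, PROCESS_INFORMATION) are passed through as raw pointers.
[UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
delegate bool DCreateProcessW(
    IntPtr lpApplicationName, IntPtr lpCommandLine,
    IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
    uint dwCreationFlags, IntPtr lpEnvironment, IntPtr lpCurrentDirectory,
    IntPtr lpStartupInfo, IntPtr lpProcessInformation);

// Hypothetical monitor: installs the hook and logs each call before passing it on.
class ProcessMonitor : IDisposable
{
    // The real export; the handler calls it so process creation still succeeds.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CreateProcessW(
        IntPtr lpApplicationName, IntPtr lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
        uint dwCreationFlags, IntPtr lpEnvironment, IntPtr lpCurrentDirectory,
        IntPtr lpStartupInfo, IntPtr lpProcessInformation);

    readonly LocalHook _hook;

    public ProcessMonitor()
    {
        _hook = LocalHook.Create(
            LocalHook.GetProcAddress("kernel32.dll", "CreateProcessW"),
            new DCreateProcessW(CreateProcessW_Hooked),
            this);
        // Exclusive ACL with thread id 0 (the current thread): every other thread
        // in the target process is intercepted, the installing thread is not.
        _hook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });
    }

    bool CreateProcessW_Hooked(IntPtr app, IntPtr cmd, IntPtr pa, IntPtr ta, bool inherit,
        uint flags, IntPtr env, IntPtr dir, IntPtr si, IntPtr pi)
    {
        // Either string pointer may be NULL; PtrToStringUni returns null in that case.
        string image = Marshal.PtrToStringUni(app) ?? "(null)";
        string line = Marshal.PtrToStringUni(cmd) ?? "(null)";
        // Inside an injected library this would go over IPC to the host process;
        // Console keeps the example short.
        Console.WriteLine($"[pid {Process.GetCurrentProcess().Id}] CreateProcessW app={image} cmd={line} flags=0x{flags:X}");
        return CreateProcessW(app, cmd, pa, ta, inherit, flags, env, dir, si, pi); // forward to the original
    }

    public void Dispose() => _hook.Dispose();
}
```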
  • @ThomasWeller: It's a design philosophy, not a bug, and not necessarily wrong. In Windows (as many other multi-user OSes), access to securables and privilege separation are user-based, not process-based. A process can debug, hook, or whatever another process running as the same user. Admin rights are needed to debug or hook processes running in other user accounts, including system service accounts. (To be pedantic, Admin rights are required to grant debug privileges, which is a form of delegation of the admin power of debugging and hooking other users' processes to non-admin debuggers) – Ben Voigt Feb 09 '23 at 19:52
  • What do you mean by "the explorer.exe process"? I have several of them. – Thomas Weller Feb 09 '23 at 19:57
  • @ThomasWeller: "explorer.exe" is File Explorer - an application that is a file manager, used in Microsoft Windows operating systems starting from the version of Windows 95. And it is not possible to have two or more explorer.exe processes running at the same time. – Nobody Feb 09 '23 at 23:12
  • @Nobody: I certainly know what explorer.exe is. Your claim does not hold: https://i.stack.imgur.com/qhaLc.png As I said, I have several of them. I can even tell you how to enable it: https://i.stack.imgur.com/ZdZod.png – Thomas Weller Feb 09 '23 at 23:31

0 Answers