Hook Dwm

I am trying to use CreateRemoteThread to hook the dwm process.
My demo can be used in any process I created, but it just does not work for the dwm process.
It is successful to call CreateRemoteThread for the Dwm process.

Why does it not load my injected library and call DllMain?

This is a kernel driver development list. If your question is about
the desktop window manager (which it seems like it is) you may have
better luck on a website such as StackOverflow.

In any case, there do seem to be individuals who will answer questions
such as the one you have asked. Can you provide more information? Do
you have sample code we can compile, and can you describe the failure
you experience?

I am mildly interested in what you are doing and why it doesn’t work,
but keep in mind people may not read your thread.

Cheers,
R0b0t1

On Wed, Jan 17, 2018 at 9:04 PM, xxxxx@foxmail.com
wrote:
> I am trying to use CreateRemoteThread to hook the dwm process.
> My demo can be used in any process I created, but it just does not work for the dwm process.
> It is successful to call CreateRemoteThread for the Dwm process.
>
> Why does it not load my injected library and call DllMain?

xxxxx@foxmail.com wrote:

I am trying to use CreateRemoteThread to hook the dwm process.
My demo can be used in any process I created, but it just does not work for the dwm process.
It is successful to call CreateRemoteThread for the Dwm process.

Why does it not load my injected library and call DllMain?

The process is owned by a system user, and has security that prevents other
processes from opening the process.  You may have to elevate yourself to
the system user if you want to poke around DWM.  Process Explorer also
has trouble looking inside it.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You really don’t want to be doing this, injecting code into a system process like dwm.exe (Windows Desktop Manager) is a really bad idea - I hope you’re not planning on doing anything like this in commercial software.

dwm.exe has a few mitigation policies enabled you should be aware of: Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR), Strict handle checks, and Control Flow Guard (CFG). You should do some research on each one to make sure you won’t be causing an issue with any injected code (e.g. no hard-coding offsets).

If CreateRemoteThread doesn’t work for the injection then try using NtCreateThreadEx - alternatively you could just call RtlCreateUserThread which will be sufficient and will call NtCreateThreadEx for you.

What error code are you being presented with, and what version of Windows (and architecture) are you running?

Make sure you’re running elevated and check the error code returned by CreateRemoteThread to get more details; if CreateRemoteThread is claiming to be successful and your DLL is still not being injected then use a debugger for diagnostics (you should know how to use a debugger at the least if you’re injecting code into other processes).
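A defender-side check for the two points raised in this thread (who owns dwm.exe, from Tim's reply, and which of the mitigation policies listed above are actually in effect on the running process). This is an added PowerShell example, not code from any poster; it assumes the ProcessMitigations module (Windows 10 1709+), its Get-ProcessMitigation -Id form, and output property names Dep, Aslr, StrictHandle and Cfg.

```powershell
# Added audit script: report the owner of each dwm.exe instance and whether
# the mitigations named in the thread (DEP, ASLR, strict handle checks, CFG)
# are effective on the live process. Run elevated: a non-elevated caller is
# denied access to the DWM-owned process, as Tim Roberts pointed out.
$ErrorActionPreference = 'Stop'

$principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) { Write-Warning 'Not elevated: owner and mitigation queries will probably fail.' }

foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'dwm.exe'") {
    # GetOwner returns the Domain/User of the token the process runs under
    # (expected: a per-session "Window Manager\DWM-<n>" account, not the logged-on user).
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" }
                 else { "<denied, rc=$($owner.ReturnValue)>" }
    Write-Host ("dwm.exe PID {0} owner: {1}" -f $proc.ProcessId, $ownerName)

    # Effective mitigations of the running process (not just the registry config).
    # Assumed property names from the ProcessMitigations module's output object.
    $m = Get-ProcessMitigation -Id $proc.ProcessId
    $checks = [ordered]@{
        'DEP'                  = $m.Dep.Enable
        'ASLR (ForceRelocate)' = $m.Aslr.ForceRelocateImages
        'Strict handle checks' = $m.StrictHandle.Enable
        'CFG'                  = $m.Cfg.Enable
    }
    foreach ($k in $checks.Keys) {
        # Anything other than ON on a system process is worth investigating.
        $flag = if ("$($checks[$k])" -eq 'ON') { 'ok' } else { 'CHECK' }
        Write-Host ("  {0,-22} {1,-8} {2}" -f $k, $checks[$k], $flag)
    }
}
```

A row flagged CHECK on a system process means its hardening differs from the default described in this thread and should be explained before anything else is investigated.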

@weilin_jiang said:
I am trying to use CreateRemoteThread to hook the dwm process.
My demo can be used in any process I created, but it just does not work for the dwm process.
It is successful to call CreateRemoteThread for the Dwm process.

Why does it not load my injected library and call DllMain?

Did you figure out how to do it? I also need to hook dwm for screen capture and would appreciate your input.


Did you figure out how to do it? I also need to hook dwm for screen
capture and would appreciate your input.

If your goal is capturing the screen, did you try the off-the-shelf technology
“Desktop Duplication API”?
https://docs.microsoft.com/en-gb/windows/desktop/direct3ddxgi/desktop-dup-api

@JiaBang_Lin said:
If your goal is capturing the screen, did you try the off-the-shelf technology
“Desktop Duplication API”?
https://docs.microsoft.com/en-gb/windows/desktop/direct3ddxgi/desktop-dup-api

I need to capture desktop on Windows 7

I need to capture desktop on Windows 7

Please note that, when it comes to window messages, the IPC security boundary lies with a desktop object (which happens to be a kernel object that is managed by win32k.sys), rather than with a user account. You may have multiple desktops that belong to the same user account. The most interesting thing here is that sending window messages from desktop X to desktop Y is not allowed, despite the fact that they belong to the same user account. In other words, a process X may open a handle to the process Y for all access, including modifications to its address space and control of its threads, but still be unable to send a window message to any of its windows. I know it sounds ridiculous, but that’s the way it is.

Therefore, creating a remote thread alone is insufficient here. If you want to capture window messages on another desktop, the remote thread in question has to create a window that belongs to the desktop of interest so that it can register a window hook with this desktop…

Anton Bassov

@anton_bassov Thanks for the detailed and very interesting reply. I’m interested in desktop screen capture; how does window messaging help me with that? The only three methods I’ve found are BitBlt, Mirror Driver and DWM hooking - I’ve found an example online but it’s quite convoluted.