View Full Version : Help on SetWindowsHookEx


dacid
August 12th, 2008, 15:45
A few days ago I realized that under Windows Vista my little program, which works without problems under Win9x/2000/XP/..., fails on this:

invoke SetWindowsHookExA,WH_JOURNALRECORD,ADDR JournalHook,hInst,NULL

eax = 0
GetLastError = 5 (Access Denied)

I run the program with Administrator privileges but it fails anyway.

After a little searching I found various documents on MSDN about "User Interface Privilege Isolation (UIPI)" & "User Account Control (UAC)":

Quote:

A lower privilege process cannot:

-Perform a window handle validation of higher process privilege.
-SendMessage or PostMessage to higher privilege application windows. These Application Programming Interfaces (APIs) return success but silently drop the window message.
-Use thread hooks to attach to a higher privilege process.
-Use Journal hooks to monitor a higher privilege process.
-Perform DLL injection to a higher privilege process


Later I read something about "manifest files", so I tried this program:

http://www.securityxploded.com/vistauacmaker.php

But the same "Access Denied" result...

Any ideas?

dacid
August 13th, 2008, 06:56
I read something more on MSDN:

Quote:

"To gain access to the protected system UI, applications must be built with a manifest file that includes a special attribute in the manifest file"


Done with VistaUACMaker.

Quote:

"To be trusted to communicate with applications running at a higher privilege level, applications must be signed."


More info on signing applications? I don't think that all the software making hooks is signed...

....
After more searching it seems that "WH_KEYBOARD_LL" & "WH_MOUSE_LL" are the only two parameters that work without problems in Vista:

Quote:

However, the WH_KEYBOARD_LL hook is not injected into another process. Instead, the context switches back to the process that installed the hook and it is called in its original context. Then the context switches back to the application that generated the event.


Anyone?

Silver
August 13th, 2008, 08:58
This won't help you now, but I ran into the same problem a year ago. I managed to solve it by creating either the process or the thread that set the hook with a higher privilege level, but I can't remember exactly what I did. I'll dig into my source and see what I can find because I know I didn't need to bother with manifests...

evaluator
August 13th, 2008, 15:12
Did you try that virus_trick with SE_Debug_privilege?

dacid
August 14th, 2008, 15:26
No, I didn't try... really I'm looking for a "standard/compatible" technique, but thanks anyway.

Seems that if you totally disable UAC it works. But it's not an option to recommend that your users disable important security features.

Silver
August 15th, 2008, 08:57
Did you look into thread/process privilege levels? I didn't need to disable UAC or the IE7 safe mode thing after I'd figured it out. I do remember the MSDN docs being very unclear...
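
Added example, not written by any poster in this thread: the application manifest that the two MSDN quotes above describe. The "special attribute" is uiAccess="true" on requestedExecutionLevel; Windows honours it only when the executable is Authenticode-signed and, under the default UAC policy, installed in a secure location such as %ProgramFiles% or %WinDir%\System32. Otherwise the process starts without UI access and UIPI keeps blocking it.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Embedded as resource type RT_MANIFEST (24), id 1, or shipped as program.exe.manifest -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!--
          level:    asInvoker keeps the caller's token; requireAdministrator
                    would trigger an elevation prompt instead.
          uiAccess: false is the default, under which UIPI applies in full.
                    true asks to bypass UIPI and is granted only to a signed
                    binary in a secure location. An unsigned build carrying
                    this manifest does not gain UI access.
        -->
        <requestedExecutionLevel level="asInvoker" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

The signing and install-path checks are what stop arbitrary unsigned software from opting out of UIPI, which is why adding the manifest alone still ends in "Access Denied".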