EasyHook: Add support for setting the working directory.

oleavr · Aug 22, 2009 · 5ab80f9 · 5ab80f9
1 parent 6e243e4
commit 5ab80f9
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 7 deletions.
diff --git a/EasyHook/EasyHook/DllImport.cs b/EasyHook/EasyHook/DllImport.cs
@@ -178,6 +178,7 @@ public static extern Int32 RtlInstallService(
         public static extern Int32 RtlCreateSuspendedProcess(
            String InEXEPath,
            String InCommandLine,
+           String InWorkingDirectory,
             Int32 InProcessCreationFlags,
            out Int32 OutProcessId,
            out Int32 OutThreadId);
@@ -360,6 +361,7 @@ public static extern Int32 RtlInstallService(
         public static extern Int32 RtlCreateSuspendedProcess(
            String InEXEPath,
            String InCommandLine,
+           String InWorkingDirectory,
             Int32 InProcessCreationFlags,
            out Int32 OutProcessId,
            out Int32 OutThreadId);
@@ -662,13 +664,14 @@ public static void RhInjectLibrary(
         public static void RtlCreateSuspendedProcess(
            String InEXEPath,
            String InCommandLine,
+           String InWorkingDirectory,
             Int32 InProcessCreationFlags,
            out Int32 OutProcessId,
            out Int32 OutThreadId)
         {
-            if (Is64Bit) Force(NativeAPI_x64.RtlCreateSuspendedProcess(InEXEPath, InCommandLine, InProcessCreationFlags,
+            if (Is64Bit) Force(NativeAPI_x64.RtlCreateSuspendedProcess(InEXEPath, InCommandLine, InWorkingDirectory, InProcessCreationFlags,
                 out OutProcessId, out OutThreadId));
-            else Force(NativeAPI_x86.RtlCreateSuspendedProcess(InEXEPath, InCommandLine, InProcessCreationFlags,
+            else Force(NativeAPI_x86.RtlCreateSuspendedProcess(InEXEPath, InCommandLine, InWorkingDirectory, InProcessCreationFlags,
                 out OutProcessId, out OutThreadId));
         }
 

diff --git a/EasyHook/EasyHook/RemoteHook.cs b/EasyHook/EasyHook/RemoteHook.cs
@@ -783,6 +783,9 @@ public static Object ExecuteAsService<TClass>(
         /// <param name="InCommandLine">
         /// Optional command line parameters for process creation.
         /// </param>
+        /// <param name="InWorkingDirectory">
+        /// Optional working directory for process creation.
+        /// </param>
         /// <param name="InProcessCreationFlags">
         /// Internally CREATE_SUSPENDED is already passed to CreateProcess(). With this
         /// parameter you can add more flags like DETACHED_PROCESS, CREATE_NEW_CONSOLE or
@@ -809,6 +812,7 @@ public static Object ExecuteAsService<TClass>(
         public static void CreateAndInject(
             String InEXEPath,
             String InCommandLine,
+            String InWorkingDirectory,
             Int32 InProcessCreationFlags,
             String InLibraryPath_x86,
             String InLibraryPath_x64,
@@ -824,6 +828,7 @@ public static void CreateAndInject(
             NativeAPI.RtlCreateSuspendedProcess(
                 InEXEPath,
                 InCommandLine,
+                InWorkingDirectory,
                 InProcessCreationFlags,
                 out RemotePID,
                 out RemoteTID);

diff --git a/EasyHook/EasyHookDll/RemoteHook/thread.c b/EasyHook/EasyHookDll/RemoteHook/thread.c
@@ -408,6 +408,7 @@ EASYHOOK_BOOL_EXPORT RhIsX64System()
 EASYHOOK_NT_EXPORT RtlCreateSuspendedProcess(
 		WCHAR* InEXEPath,
         WCHAR* InCommandLine,
+        WCHAR* InWorkingDirectory,
 		ULONG InCustomFlags,
         ULONG* OutProcessId,
         ULONG* OutThreadId)
@@ -428,6 +429,10 @@ EASYHOOK_NT_EXPORT RtlCreateSuspendedProcess(
 
         Optional command line parameters passed to the newly created process.
 
+    - InWorkingDirectory
+
+        Optional working directory for the newly created process.
+
 	- InCustomFlags
 
 		Additional process creation flags.
@@ -443,8 +448,9 @@ EASYHOOK_NT_EXPORT RtlCreateSuspendedProcess(
     STARTUPINFO				StartInfo;
 	PROCESS_INFORMATION		ProcessInfo;
 	WCHAR					FullExePath[MAX_PATH + 1];
-	WCHAR					CurrentDir[MAX_PATH + 1];
+	WCHAR					CanonicalExePath[MAX_PATH + 1];
     WCHAR*					FilePart;
+    WCHAR*					WorkingDirectory;
     NTSTATUS            NtStatus;
 
     // must be executed before any THROW or RETURN!
@@ -461,14 +467,19 @@ EASYHOOK_NT_EXPORT RtlCreateSuspendedProcess(
     if(!RtlFileExists(InEXEPath))
         THROW(STATUS_INVALID_PARAMETER_1, L"The given process file does not exist.");
 
-    if(GetFullPathName(InEXEPath, MAX_PATH, CurrentDir, &FilePart) > MAX_PATH)
+    if(GetFullPathName(InEXEPath, MAX_PATH, CanonicalExePath, &FilePart) > MAX_PATH)
         THROW(STATUS_INVALID_PARAMETER_1, L"Full path information exceeds MAX_PATH characters.");
 
     // compute current directory...
-    RtlCopyMemory(FullExePath, CurrentDir, sizeof(FullExePath));
+    RtlCopyMemory(FullExePath, CanonicalExePath, sizeof(FullExePath));
 
     *FilePart = 0;
 
+    if (InWorkingDirectory)
+        WorkingDirectory = InWorkingDirectory;
+    else
+        WorkingDirectory = CanonicalExePath;
+
     // create suspended process
     StartInfo.cb = sizeof(StartInfo);
 	StartInfo.wShowWindow = TRUE;
@@ -480,7 +491,7 @@ EASYHOOK_NT_EXPORT RtlCreateSuspendedProcess(
             FALSE, 
 		    InCustomFlags | CREATE_SUSPENDED,
 		    NULL,
-		    CurrentDir,
+		    WorkingDirectory,
 		    &StartInfo,
 		    &ProcessInfo))
 	    THROW(STATUS_INVALID_PARAMETER, L"Unable to start process; please check the given parameters.");
@@ -510,6 +521,7 @@ EASYHOOK_NT_EXPORT RtlCreateSuspendedProcess(
 EASYHOOK_NT_EXPORT RhCreateAndInject(
 		WCHAR* InEXEPath,
         WCHAR* InCommandLine,
+        WCHAR* InWorkingDirectory,
 		ULONG InProcessCreationFlags,
 		ULONG InInjectionOptions,
 		WCHAR* InLibraryPath_x86,
@@ -539,6 +551,10 @@ EASYHOOK_NT_EXPORT RhCreateAndInject(
 
         Optional command line parameters passed to the newly created process.
 
+    - InWorkingDirectory
+
+        Optional working directory for the newly created process.
+
 	- InProcessCreationFlags
 
 		Custom process creation flags.
@@ -603,7 +619,7 @@ EASYHOOK_NT_EXPORT RhCreateAndInject(
         THROW(STATUS_INVALID_PARAMETER_8, L"The given process ID storage is invalid.");
 
     // all other parameters are validate by called APIs...
-	FORCE(RtlCreateSuspendedProcess(InEXEPath, InCommandLine, InProcessCreationFlags, &ProcessId, &ThreadId));
+	FORCE(RtlCreateSuspendedProcess(InEXEPath, InCommandLine, InWorkingDirectory, InProcessCreationFlags, &ProcessId, &ThreadId));
 
 
     // inject library

diff --git a/EasyHook/Public/easyhook.h b/EasyHook/Public/easyhook.h
@@ -376,6 +376,7 @@ DRIVER_SHARED_API(NTSTATUS, LhBarrierCallStackTrace(
 	EASYHOOK_NT_EXPORT RhCreateAndInject(
 				WCHAR* InEXEPath,
 				WCHAR* InCommandLine,
+				WCHAR* InWorkingDirectory,
 				ULONG InProcessCreationFlags,
 				ULONG InInjectionOptions,
 				WCHAR* InLibraryPath_x86,