Suggestion #414

Open
@wineggdrop

Description

1. Hooking CreateProcessInternalW seems a good idea, but it has some drawbacks, such as this API shifting from Kernel32.dll to Kernelbase.dll, or even living in both DLLs; you may not know when Microsoft will change it again. You can try hooking NtResumeThread instead: all the create-process calls will eventually call NtResumeThread. NtResumeThread is lower level and has been exported from ntdll.dll probably since Windows XP/2003.

Advantages of hooking NtResumeThread together with NtCreateThreadEx() for injection:

A. Solves the inject-too-early issue. NtResumeThread is triggered after LdrInitializeThunk is complete.

B. NtCreateThreadEx can inject data other than a DLL file from the hard disk into the remote process; saving the DLL data into the registry can solve the UWP file access limitation. Moreover, injecting data into a remote thread can bypass the mitigation policy as well.

C. A 64-bit host can inject 32-bit data into a 32-bit target process or 64-bit data into a 64-bit target with NtCreateThreadEx, but a 32-bit host can only inject 32-bit data into a 32-bit target process, so a helper process is still needed for that situation.

2. Switch from MinHook to Microsoft's Detours library, since Detours is open source and people still maintain it so far; MinHook seems a bit old and lacks maintenance. BTW, Detours has built-in injection methods (CreateProcessWithDll etc.), which most anti-virus products would not treat as malicious, and it's easy to implement as CreateProcessInternalWithDll.

Metadata

Assignees: No one assigned
Labels: enhancement (New feature or request)
Milestone: No milestone
