From 3d4ee2a9465cd2aa2bb6982f262a3cf8d3120939 Mon Sep 17 00:00:00 2001
From: baldurk
Date: Mon, 20 Nov 2017 16:16:38 +0000
Subject: [PATCH] Add hooking for CreateProcessAsUser and CreateProcessWithLogonW
---
 renderdoc/os/win32/sys_win32_hooks.cpp | 511 +++++++++++++++----------
 1 file changed, 307 insertions(+), 204 deletions(-)
diff --git a/renderdoc/os/win32/sys_win32_hooks.cpp b/renderdoc/os/win32/sys_win32_hooks.cpp
index a2d04b5fe..e314ee459 100644
--- a/renderdoc/os/win32/sys_win32_hooks.cpp
+++ b/renderdoc/os/win32/sys_win32_hooks.cpp
@@ -34,19 +34,41 @@ typedef int(WSAAPI *PFN_WSASTARTUP)(__in WORD wVersionRequested, __out LPWSADATA lpWSAData); typedef int(WSAAPI *PFN_WSACLEANUP)(); -typedef BOOL(WINAPI *PFN_CREATE_PROCESS_A)( - __in_opt LPCSTR lpApplicationName, __inout_opt LPSTR lpCommandLine, - __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes, - __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes, __in BOOL bInheritHandles, - __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCSTR lpCurrentDirectory, - __in LPSTARTUPINFOA lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation); +typedef BOOL(WINAPI *PFN_CREATE_PROCESS_A)(LPCSTR lpApplicationName, LPSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, + LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, DWORD dwCreationFlags, + LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, + LPSTARTUPINFOA lpStartupInfo, + LPPROCESS_INFORMATION lpProcessInformation); -typedef BOOL(WINAPI *PFN_CREATE_PROCESS_W)( - __in_opt LPCWSTR lpApplicationName, __inout_opt LPWSTR lpCommandLine, - __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes, - __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes, __in BOOL bInheritHandles, - __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCWSTR lpCurrentDirectory, - __in LPSTARTUPINFOW lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation); +typedef BOOL(WINAPI *PFN_CREATE_PROCESS_W)(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, + LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, DWORD dwCreationFlags, + LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, + LPSTARTUPINFOW lpStartupInfo, + LPPROCESS_INFORMATION lpProcessInformation); + +typedef BOOL(WINAPI *PFN_CREATE_PROCESS_AS_USER_A)( + HANDLE hToken, LPCSTR lpApplicationName, LPSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID 
lpEnvironment, LPCSTR lpCurrentDirectory, + LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); + +typedef BOOL(WINAPI *PFN_CREATE_PROCESS_AS_USER_W)( + HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, + LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation); + +typedef BOOL(WINAPI *PFN_CREATE_PROCESS_WITH_LOGON_W)(LPCWSTR lpUsername, LPCWSTR lpDomain, + LPCWSTR lpPassword, DWORD dwLogonFlags, + LPCWSTR lpApplicationName, LPWSTR lpCommandLine, + DWORD dwCreationFlags, LPVOID lpEnvironment, + LPCWSTR lpCurrentDirectory, + LPSTARTUPINFOW lpStartupInfo, + LPPROCESS_INFORMATION lpProcessInformation); class SysHook : LibraryHook { @@ -67,6 +89,14 @@ public: success &= CreateProcessA.Initialize("CreateProcessA", "kernel32.dll", CreateProcessA_hook); success &= CreateProcessW.Initialize("CreateProcessW", "kernel32.dll", CreateProcessW_hook); + success &= CreateProcessAsUserA.Initialize("CreateProcessAsUserA", "advapi32.dll", + CreateProcessAsUserA_hook); + success &= CreateProcessAsUserW.Initialize("CreateProcessAsUserW", "advapi32.dll", + CreateProcessAsUserW_hook); + + success &= CreateProcessWithLogonW.Initialize("CreateProcessWithLogonW", "advapi32.dll", + CreateProcessWithLogonW_hook); + // handle API set exports if they exist. These don't really exist so we don't have to worry // about // double hooking, and also they call into the 'real' implementation in kernelbase.dll 
@@ -74,16 +104,25 @@ public: API110CreateProcessA_hook); API110CreateProcessW.Initialize("CreateProcessW", "api-ms-win-core-processthreads-l1-1-0.dll", API110CreateProcessW_hook); + API110CreateProcessAsUserW.Initialize("CreateProcessAsUserW", + "api-ms-win-core-processthreads-l1-1-0.dll", + API110CreateProcessAsUserW_hook); API111CreateProcessA.Initialize("CreateProcessA", "api-ms-win-core-processthreads-l1-1-1.dll", API111CreateProcessA_hook); API111CreateProcessW.Initialize("CreateProcessW", "api-ms-win-core-processthreads-l1-1-1.dll", API111CreateProcessW_hook); + API111CreateProcessAsUserW.Initialize("CreateProcessAsUserW", + "api-ms-win-core-processthreads-l1-1-0.dll", + API111CreateProcessAsUserW_hook); API112CreateProcessA.Initialize("CreateProcessA", "api-ms-win-core-processthreads-l1-1-2.dll", API112CreateProcessA_hook); API112CreateProcessW.Initialize("CreateProcessW", "api-ms-win-core-processthreads-l1-1-2.dll", API112CreateProcessW_hook); + API112CreateProcessAsUserW.Initialize("CreateProcessAsUserW", + "api-ms-win-core-processthreads-l1-1-0.dll", + API112CreateProcessAsUserW_hook); success &= WSAStartup.Initialize("WSAStartup", "ws2_32.dll", WSAStartup_hook); success &= WSACleanup.Initialize("WSACleanup", "ws2_32.dll", WSACleanup_hook); @@ -120,6 +159,15 @@ private: Hook API112CreateProcessA; Hook API112CreateProcessW; + Hook CreateProcessAsUserA; + Hook CreateProcessAsUserW; + + Hook API110CreateProcessAsUserW; + Hook API111CreateProcessAsUserW; + Hook API112CreateProcessAsUserW; + + Hook CreateProcessWithLogonW; + Hook WSAStartup; Hook WSACleanup; 
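Review bot: The new API111CreateProcessAsUserW and API112CreateProcessAsUserW initializations both name `api-ms-win-core-processthreads-l1-1-0.dll`, while the neighbouring CreateProcessA/W lines for the same slots use the `-l1-1-1` and `-l1-1-2` API sets, so this looks like the API110 line copied without the module name being updated. As written the l1-1-0 export is hooked three times and the l1-1-1 / l1-1-2 CreateProcessAsUserW exports are not hooked at all, so a child spawned through those API sets would bypass HookIntoChildren silently. The two module arguments should read `"api-ms-win-core-processthreads-l1-1-1.dll"` for API111CreateProcessAsUserW and `"api-ms-win-core-processthreads-l1-1-2.dll"` for API112CreateProcessAsUserW. The comment above suggests re-hooking an API-set export is harmless, so the symptom is a coverage gap rather than a crash, which is why it would be easy to miss in testing.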
@@ -149,6 +197,101 @@ private: return syshooks.WSACleanup()(); } + static BOOL WINAPI Hooked_CreateProcess( + const char *entryPoint, + std::function realFunc, + DWORD dwCreationFlags, bool inject, LPPROCESS_INFORMATION lpProcessInformation) + { + PROCESS_INFORMATION dummy; + RDCEraseEl(dummy); + + // not sure if this is valid, but I need the PID so I'll fill in my own struct to ensure that. + if(lpProcessInformation == NULL) + { + lpProcessInformation = &dummy; + } + else + { + *lpProcessInformation = dummy; + } + + bool resume = (dwCreationFlags & CREATE_SUSPENDED) == 0; + dwCreationFlags |= CREATE_SUSPENDED; + + BOOL ret = realFunc(dwCreationFlags, lpProcessInformation); + + if(ret && inject) + { + RDCDEBUG("Intercepting %s", entryPoint); + + rdcarray env; + + // inherit logfile and capture options + uint32_t ident = RENDERDOC_InjectIntoProcess(lpProcessInformation->dwProcessId, env, + RenderDoc::Inst().GetLogFile(), + RenderDoc::Inst().GetCaptureOptions(), false); + + RenderDoc::Inst().AddChildProcess((uint32_t)lpProcessInformation->dwProcessId, ident); + } + + if(resume) + { + ResumeThread(lpProcessInformation->hThread); + } + + // ensure we clean up after ourselves + if(dummy.dwProcessId != 0) + { + CloseHandle(dummy.hProcess); + CloseHandle(dummy.hThread); + } + + return ret; + } + + static bool ShouldInject(LPCWSTR lpApplicationName, LPCWSTR lpCommandLine) + { + if(!RenderDoc::Inst().GetCaptureOptions().HookIntoChildren) + return false; + + bool inject = true; + + // sanity check to make sure we're not going to go into an infinity loop injecting into + // ourselves. 
+ if(lpApplicationName) + { + wstring app = lpApplicationName; + app = strlower(app); + + if(app.find(L"renderdoccmd.exe") != wstring::npos || app.find(L"qrenderdoc.exe") != string::npos) + { + inject = false; + } + } + if(lpCommandLine) + { + wstring cmd = lpCommandLine; + cmd = strlower(cmd); + + if(cmd.find(L"renderdoccmd.exe") != wstring::npos || + cmd.find(L"qrenderdoc.exe") != wstring::npos) + { + inject = false; + } + } + + return inject; + } + + static bool ShouldInject(LPCSTR lpApplicationName, LPCSTR lpCommandLine) + { + if(!RenderDoc::Inst().GetCaptureOptions().HookIntoChildren) + return false; + + return ShouldInject(lpApplicationName ? StringFormat::UTF82Wide(lpApplicationName).c_str() : NULL, + lpCommandLine ? StringFormat::UTF82Wide(lpCommandLine).c_str() : NULL); + } + static BOOL WINAPI CreateProcessA_hook( __in_opt LPCSTR lpApplicationName, __inout_opt LPSTR lpCommandLine, __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes, @@ -156,10 +299,14 @@ private: __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCSTR lpCurrentDirectory, __in LPSTARTUPINFOA lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) { - return Hook_CreateProcessA(syshooks.CreateProcessA(), lpApplicationName, lpCommandLine, - lpProcessAttributes, lpThreadAttributes, bInheritHandles, - dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, - lpProcessInformation); + return Hooked_CreateProcess( + "CreateProcessA", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.CreateProcessA()(lpApplicationName, lpCommandLine, lpProcessAttributes, + lpThreadAttributes, bInheritHandles, flags, + lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } static BOOL WINAPI CreateProcessW_hook(__in_opt LPCWSTR lpApplicationName, 
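Review bot: In Hooked_CreateProcess the `if(resume)` block runs even when `realFunc` returned FALSE, so on a failed creation ResumeThread is called with the zeroed `hThread`; that call fails and, like the RDCDEBUG/injection path on the success branch, overwrites the thread's last-error value, so a caller checking GetLastError() after a failed CreateProcess* sees the hook's error rather than the real one. Guard the resume with `if(ret && resume)` and preserve the callee's error by capturing `DWORD err = GetLastError();` right after the `realFunc(dwCreationFlags, lpProcessInformation)` call and issuing `SetLastError(err);` just before `return ret;`. This single helper now backs every hook in the file, including the new CreateProcessAsUser*/CreateProcessWithLogonW ones, so the fix covers all of them at once. Separately, `std::function realFunc` and `rdcarray env` appear here without template arguments, presumably lost in rendering; worth confirming against the file that they are `std::function<BOOL(DWORD, LPPROCESS_INFORMATION)>` and a typed rdcarray. The CreateProcessA_hook whose signature starts at the end of this hunk continues into the next one.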
@@ -172,10 +319,14 @@ private: __in LPSTARTUPINFOW lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) { - return Hook_CreateProcessW(syshooks.CreateProcessW(), lpApplicationName, lpCommandLine, - lpProcessAttributes, lpThreadAttributes, bInheritHandles, - dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, - lpProcessInformation); + return Hooked_CreateProcess( + "CreateProcessW", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.CreateProcessW()(lpApplicationName, lpCommandLine, lpProcessAttributes, + lpThreadAttributes, bInheritHandles, flags, + lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } static BOOL WINAPI API110CreateProcessA_hook( @@ -185,10 +336,14 @@ private: __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCSTR lpCurrentDirectory, __in LPSTARTUPINFOA lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) { - return Hook_CreateProcessA(syshooks.API110CreateProcessA(), lpApplicationName, lpCommandLine, - lpProcessAttributes, lpThreadAttributes, bInheritHandles, - dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, - lpProcessInformation); + return Hooked_CreateProcess( + "CreateProcessA", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.API110CreateProcessA()( + lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } static BOOL WINAPI API110CreateProcessW_hook( 
@@ -198,10 +353,14 @@ private: __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCWSTR lpCurrentDirectory, __in LPSTARTUPINFOW lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) { - return Hook_CreateProcessW(syshooks.API110CreateProcessW(), lpApplicationName, lpCommandLine, - lpProcessAttributes, lpThreadAttributes, bInheritHandles, - dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, - lpProcessInformation); + return Hooked_CreateProcess( + "CreateProcessW", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.API110CreateProcessW()( + lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } static BOOL WINAPI API111CreateProcessA_hook( @@ -211,10 +370,14 @@ private: __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCSTR lpCurrentDirectory, __in LPSTARTUPINFOA lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) { - return Hook_CreateProcessA(syshooks.API111CreateProcessA(), lpApplicationName, lpCommandLine, - lpProcessAttributes, lpThreadAttributes, bInheritHandles, - dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, - lpProcessInformation); + return Hooked_CreateProcess( + "CreateProcessA", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.API111CreateProcessA()( + lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } static BOOL WINAPI API111CreateProcessW_hook( 
@@ -224,10 +387,14 @@ private: __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCWSTR lpCurrentDirectory, __in LPSTARTUPINFOW lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) { - return Hook_CreateProcessW(syshooks.API111CreateProcessW(), lpApplicationName, lpCommandLine, - lpProcessAttributes, lpThreadAttributes, bInheritHandles, - dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, - lpProcessInformation); + return Hooked_CreateProcess( + "CreateProcessW", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.API111CreateProcessW()( + lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } static BOOL WINAPI API112CreateProcessA_hook( @@ -237,10 +404,14 @@ private: __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCSTR lpCurrentDirectory, __in LPSTARTUPINFOA lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) { - return Hook_CreateProcessA(syshooks.API112CreateProcessA(), lpApplicationName, lpCommandLine, - lpProcessAttributes, lpThreadAttributes, bInheritHandles, - dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, - lpProcessInformation); + return Hooked_CreateProcess( + "CreateProcessA", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.API112CreateProcessA()( + lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } static BOOL WINAPI API112CreateProcessW_hook( 
@@ -250,180 +421,112 @@ private: __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCWSTR lpCurrentDirectory, __in LPSTARTUPINFOW lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) { - return Hook_CreateProcessW(syshooks.API112CreateProcessW(), lpApplicationName, lpCommandLine, - lpProcessAttributes, lpThreadAttributes, bInheritHandles, - dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, - lpProcessInformation); + return Hooked_CreateProcess( + "CreateProcessW", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.API112CreateProcessW()( + lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } - static BOOL WINAPI Hook_CreateProcessA( - PFN_CREATE_PROCESS_A realFunc, __in_opt LPCSTR lpApplicationName, - __inout_opt LPSTR lpCommandLine, __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes, - __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes, __in BOOL bInheritHandles, - __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCSTR lpCurrentDirectory, - __in LPSTARTUPINFOA lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) + static BOOL WINAPI CreateProcessAsUserA_hook( + HANDLE hToken, LPCSTR lpApplicationName, LPSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCSTR lpCurrentDirectory, + LPSTARTUPINFOA lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) { - PROCESS_INFORMATION dummy; - RDCEraseEl(dummy); - - // not sure if this is valid, but I need the PID so I'll fill in my own struct to ensure that. 
- if(lpProcessInformation == NULL) - { - lpProcessInformation = &dummy; - } - else - { - *lpProcessInformation = dummy; - } - - bool resume = (dwCreationFlags & CREATE_SUSPENDED) == 0; - dwCreationFlags |= CREATE_SUSPENDED; - - BOOL ret = realFunc(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, - bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, - lpStartupInfo, lpProcessInformation); - - if(ret && RenderDoc::Inst().GetCaptureOptions().HookIntoChildren) - { - RDCDEBUG("Intercepting CreateProcessA"); - - bool inject = true; - - // sanity check to make sure we're not going to go into an infinity loop injecting into - // ourselves. - if(lpApplicationName) - { - string app = lpApplicationName; - app = strlower(app); - - if(app.find("renderdoccmd.exe") != string::npos || app.find("qrenderdoc.exe") != string::npos) - { - inject = false; - } - } - if(lpCommandLine) - { - string cmd = lpCommandLine; - cmd = strlower(cmd); - - if(cmd.find("renderdoccmd.exe") != string::npos || cmd.find("qrenderdoc.exe") != string::npos) - { - inject = false; - } - } - - if(inject) - { - rdcarray env; - - // inherit logfile and capture options - uint32_t ident = RENDERDOC_InjectIntoProcess(lpProcessInformation->dwProcessId, env, - RenderDoc::Inst().GetLogFile(), - RenderDoc::Inst().GetCaptureOptions(), false); - - RenderDoc::Inst().AddChildProcess((uint32_t)lpProcessInformation->dwProcessId, ident); - } - } - - if(resume) - { - ResumeThread(lpProcessInformation->hThread); - } - - // ensure we clean up after ourselves - if(dummy.dwProcessId != 0) - { - CloseHandle(dummy.hProcess); - CloseHandle(dummy.hThread); - } - - return ret; + return Hooked_CreateProcess( + "CreateProcessAsUserA", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.CreateProcessAsUserA()( + hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + 
dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } - static BOOL WINAPI Hook_CreateProcessW( - PFN_CREATE_PROCESS_W realFunc, __in_opt LPCWSTR lpApplicationName, - __inout_opt LPWSTR lpCommandLine, __in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes, - __in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes, __in BOOL bInheritHandles, - __in DWORD dwCreationFlags, __in_opt LPVOID lpEnvironment, __in_opt LPCWSTR lpCurrentDirectory, - __in LPSTARTUPINFOW lpStartupInfo, __out LPPROCESS_INFORMATION lpProcessInformation) + static BOOL WINAPI CreateProcessAsUserW_hook( + HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, + LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) { - PROCESS_INFORMATION dummy; - RDCEraseEl(dummy); + return Hooked_CreateProcess( + "CreateProcessAsUserW", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.CreateProcessAsUserW()( + hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); + } - // not sure if this is valid, but I need the PID so I'll fill in my own struct to ensure that. 
- if(lpProcessInformation == NULL) - { - lpProcessInformation = &dummy; - } - else - { - *lpProcessInformation = dummy; - } + static BOOL WINAPI CreateProcessWithLogonW_hook(LPCWSTR lpUsername, LPCWSTR lpDomain, + LPCWSTR lpPassword, DWORD dwLogonFlags, + LPCWSTR lpApplicationName, LPWSTR lpCommandLine, + DWORD dwCreationFlags, LPVOID lpEnvironment, + LPCWSTR lpCurrentDirectory, + LPSTARTUPINFOW lpStartupInfo, + LPPROCESS_INFORMATION lpProcessInformation) + { + return Hooked_CreateProcess( + "CreateProcessAsUserW", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.CreateProcessWithLogonW()( + lpUsername, lpDomain, lpPassword, dwLogonFlags, lpApplicationName, lpCommandLine, + flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); + } - bool resume = (dwCreationFlags & CREATE_SUSPENDED) == 0; - dwCreationFlags |= CREATE_SUSPENDED; + static BOOL WINAPI API110CreateProcessAsUserW_hook( + HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, + LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) + { + return Hooked_CreateProcess( + "CreateProcessAsUserW", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.API110CreateProcessAsUserW()( + hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); + } - BOOL ret = realFunc(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, - bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, - lpStartupInfo, lpProcessInformation); + static BOOL WINAPI 
API111CreateProcessAsUserW_hook( + HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, + LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) + { + return Hooked_CreateProcess( + "CreateProcessAsUserW", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.API111CreateProcessAsUserW()( + hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); + } - if(ret && RenderDoc::Inst().GetCaptureOptions().HookIntoChildren) - { - RDCDEBUG("Intercepting CreateProcessW"); - - bool inject = true; - - // sanity check to make sure we're not going to go into an infinity loop injecting into - // ourselves. 
- if(lpApplicationName) - { - wstring app = lpApplicationName; - app = strlower(app); - - if(app.find(L"renderdoccmd.exe") != wstring::npos || - app.find(L"qrenderdoc.exe") != string::npos) - { - inject = false; - } - } - if(lpCommandLine) - { - wstring cmd = lpCommandLine; - cmd = strlower(cmd); - - if(cmd.find(L"renderdoccmd.exe") != wstring::npos || - cmd.find(L"qrenderdoc.exe") != wstring::npos) - { - inject = false; - } - } - - if(inject) - { - rdcarray env; - - // inherit logfile and capture options - uint32_t ident = RENDERDOC_InjectIntoProcess(lpProcessInformation->dwProcessId, env, - RenderDoc::Inst().GetLogFile(), - RenderDoc::Inst().GetCaptureOptions(), false); - - RenderDoc::Inst().AddChildProcess((uint32_t)lpProcessInformation->dwProcessId, ident); - } - } - - if(resume) - { - ResumeThread(lpProcessInformation->hThread); - } - - // ensure we clean up after ourselves - if(dummy.dwProcessId != 0) - { - CloseHandle(dummy.hProcess); - CloseHandle(dummy.hThread); - } - - return ret; + static BOOL WINAPI API112CreateProcessAsUserW_hook( + HANDLE hToken, LPCWSTR lpApplicationName, LPWSTR lpCommandLine, + LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, + BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, + LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) + { + return Hooked_CreateProcess( + "CreateProcessAsUserW", + [=](DWORD flags, LPPROCESS_INFORMATION pi) { + return syshooks.API112CreateProcessAsUserW()( + hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, + bInheritHandles, flags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, pi); + }, + dwCreationFlags, ShouldInject(lpApplicationName, lpCommandLine), lpProcessInformation); } };
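Review bot: CreateProcessWithLogonW_hook passes `"CreateProcessAsUserW"` as the entryPoint label to Hooked_CreateProcess, so the `"Intercepting %s"` debug line will misattribute calls that actually arrived through CreateProcessWithLogonW; it should be `"CreateProcessWithLogonW"`. These three entry points also create the child under a different token (`hToken`, or the lpUsername/lpDomain/lpPassword logon) than the calling process, so the injection step in Hooked_CreateProcess may be refused by the access check when the child runs as another user or at a different integrity level; I can't tell from this diff whether RENDERDOC_InjectIntoProcess signals that through `ident`, but AddChildProcess is called with whatever comes back regardless, so a failed injection presumably registers an unusable child and the return value is worth checking before the AddChildProcess call. The lambdas forward the caller's credential arguments unchanged and the only thing logged is the entryPoint label, which is the right scope for these hooks.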