Two techniques for changing the DLL search order of a newly created process using the undocumented ntdll APIs RtlCreateProcessParameters and RtlCreateUserProcess. These are not novel techniques, but I have never seen them documented anywhere.
The signatures for RtlCreateUserProcess and RtlCreateProcessParameters, as used here, are the following. Both return NTSTATUS. The second RtlCreateUserProcess parameter is deprecated and should be 0, and recent community headers (phnt) name the ninth parameter TokenHandle instead of ExceptionPort; it is passed as NULL here either way.
NTSTATUS NTAPI RtlCreateUserProcess(
    _In_ PUNICODE_STRING NtImagePathName,            // NT path of the image that is actually mapped, e.g. \??\C:\...
    _In_ ULONG ObjectAttributes,                     // deprecated, pass 0
    _In_ PRTL_USER_PROCESS_PARAMETERS ProcessParameters, // block from RtlCreateProcessParameters, copied into the child
    _In_opt_ PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,
    _In_opt_ PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
    _In_opt_ HANDLE ParentProcess,                   // NULL: the caller becomes the parent
    _In_ BOOLEAN InheritHandles,
    _In_opt_ HANDLE DebugPort,
    _In_opt_ HANDLE ExceptionPort,                   // TokenHandle in newer headers
    _Out_ PRTL_USER_PROCESS_INFORMATION ProcessInformation ); // process/thread handles and client id; the thread starts suspended
NTSTATUS NTAPI RtlCreateProcessParameters(
    _Out_ PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
    _In_ PUNICODE_STRING ImagePathName,              // what the child's PEB will report as its image path
    _In_opt_ PUNICODE_STRING DllPath,                // DLL search path handed to the child's loader
    _In_opt_ PUNICODE_STRING CurrentDirectory,
    _In_opt_ PUNICODE_STRING CommandLine,
    _In_opt_ PVOID Environment,                      // NULL: the caller's environment is copied
    _In_opt_ PUNICODE_STRING WindowTitle,
    _In_opt_ PUNICODE_STRING DesktopInfo,
    _In_opt_ PUNICODE_STRING ShellInfo,
    _In_opt_ PUNICODE_STRING RuntimeData
);
The image that RtlCreateUserProcess maps and the strings that RtlCreateProcessParameters stores in the child's PEB (ImagePathName, DllPath, CommandLine) are independent of each other. By choosing those strings freely we can change where the new process's loader looks for DLLs, and what the process claims about itself.
Writing this up was inspired by this tweet; thank you for reminding me of it :)
// Variant 1: run the real WerFault.exe, but tell its loader (and anything that reads its PEB) that it lives in C:/ProgramData.
const wchar_t Path[] = LR"(C:/Windows/System32/WerFault.exe)";  // image actually mapped by RtlCreateUserProcess (which needs it as an NT path)
const wchar_t CmdLine[] = LR"(C:/ProgramData/WerFault.exe)";    // what ProcessParameters->ImagePathName, ->DllPath and ->CommandLine will say
const wchar_t DllLocation[] = LR"()";                           // not used in this variant
...
// The same UNICODE_STRING (built from CmdLine) is passed as ImagePathName, DllPath and CommandLine.
status = RtlCreateProcessParameters(&UserProcessParam, &CommandLine, &CommandLine, NULL, &CommandLine, NULL, NULL, NULL, NULL, NULL);
With this variant the loader still searches the directory of the image it actually mapped (here C:/Windows/System32) before the directory you chose (C:/ProgramData), but it may still be useful in some cases: the child's PEB reports C:/ProgramData/WerFault.exe as its image path and command line, so anything that trusts those strings rather than the mapped image sees the wrong location.
// Variant 2: image path and command line are truthful; only the DLL search path is redirected.
const wchar_t Path[] = LR"(C:/Tools/TestApplication.exe)";  // image actually mapped; also stored as ProcessParameters->ImagePathName
const wchar_t CmdLine[] = LR"()";                           // empty command line
const wchar_t DllLocation[] = LR"(C:/ProgramData/)";         // becomes ProcessParameters->DllPath, the search path the child's loader uses for its DLLs
...
// ImagePathName, DllPath and CommandLine are UNICODE_STRINGs built (in the elided code) from Path, DllLocation and CmdLine.
status = RtlCreateProcessParameters(&UserProcessParam, &ImagePathName, &DllPath, NULL, &CommandLine, NULL, NULL, NULL, NULL, NULL);
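The complete sequence that both snippets above leave out (DOS-to-NT path conversion, building the UNICODE_STRINGs, RtlCreateUserProcess and resuming the suspended thread), as an added example that is not code from the original repository. It is written in PowerShell with P/Invoke so it can be tried without a compiler; the function and helper names (Start-NativeProcess, New-UnicodeString, NtProc), the notepad.exe target and the C:\ProgramData paths are my own choices. It assumes 64-bit Windows PowerShell 5.1 or later. Variant 2 is what the script runs; variant 1 is the commented call.

```powershell
# Added example (not from the original repo): RtlCreateProcessParameters + RtlCreateUserProcess via P/Invoke.
# Assumes 64-bit Windows PowerShell. Every PUNICODE_STRING is passed as a raw pointer so optional ones can be IntPtr.Zero.
$src = @'
using System;
using System.Runtime.InteropServices;

public static class NtProc
{
    [DllImport("ntdll.dll", CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.U1)]
    public static extern bool RtlDosPathNameToNtPathName_U(string DosFileName, IntPtr NtFileName, IntPtr FilePart, IntPtr Reserved);

    [DllImport("ntdll.dll")]
    public static extern int RtlCreateProcessParameters(out IntPtr pProcessParameters, IntPtr ImagePathName, IntPtr DllPath,
        IntPtr CurrentDirectory, IntPtr CommandLine, IntPtr Environment, IntPtr WindowTitle, IntPtr DesktopInfo,
        IntPtr ShellInfo, IntPtr RuntimeData);

    [DllImport("ntdll.dll")]
    public static extern int RtlDestroyProcessParameters(IntPtr ProcessParameters);

    [DllImport("ntdll.dll")]
    public static extern int RtlCreateUserProcess(IntPtr NtImagePathName, uint ObjectAttributes, IntPtr ProcessParameters,
        IntPtr ProcessSecurityDescriptor, IntPtr ThreadSecurityDescriptor, IntPtr ParentProcess,
        [MarshalAs(UnmanagedType.U1)] bool InheritHandles, IntPtr DebugPort, IntPtr ExceptionPort, IntPtr ProcessInformation);

    [DllImport("ntdll.dll")]
    public static extern int NtResumeThread(IntPtr ThreadHandle, IntPtr PreviousSuspendCount);
}
'@
Add-Type -TypeDefinition $src

# Build an unmanaged UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer } (16 bytes on x64).
function New-UnicodeString([string]$Text) {
    $M = [System.Runtime.InteropServices.Marshal]
    $bytes = [System.Text.Encoding]::Unicode.GetByteCount($Text)
    $p = $M::AllocHGlobal(16)
    $M::WriteInt16($p, 0, [int16]$bytes)
    $M::WriteInt16($p, 2, [int16]($bytes + 2))
    $M::WriteIntPtr($p, 8, $M::StringToHGlobalUni($Text))
    return $p
}

function Start-NativeProcess {
    param(
        [Parameter(Mandatory)][string]$RealImage,  # file that RtlCreateUserProcess actually maps and runs
        [string]$PebImagePath,                     # ProcessParameters->ImagePathName (defaults to the real image)
        [string]$DllPath,                          # ProcessParameters->DllPath (defaults to the real image's directory)
        [string]$CommandLine                       # ProcessParameters->CommandLine (defaults to $PebImagePath)
    )
    if (-not $PebImagePath) { $PebImagePath = $RealImage }
    if (-not $DllPath)      { $DllPath = Split-Path $RealImage }
    if (-not $CommandLine)  { $CommandLine = $PebImagePath }
    $M = [System.Runtime.InteropServices.Marshal]

    # RtlCreateUserProcess opens the image by NT path (\??\C:\...), so convert the DOS path first.
    $ntPath = $M::AllocHGlobal(16)
    if (-not [NtProc]::RtlDosPathNameToNtPathName_U($RealImage, $ntPath, [IntPtr]::Zero, [IntPtr]::Zero)) {
        throw "RtlDosPathNameToNtPathName_U failed for $RealImage"
    }

    # Variant 1 = same spoofed path for all three strings; variant 2 = truthful image path, redirected DllPath.
    $pp = [IntPtr]::Zero
    $status = [NtProc]::RtlCreateProcessParameters([ref]$pp, (New-UnicodeString $PebImagePath), (New-UnicodeString $DllPath),
        [IntPtr]::Zero, (New-UnicodeString $CommandLine), [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
    if ($status -lt 0) { throw ("RtlCreateProcessParameters failed: 0x{0:X8}" -f $status) }

    # RTL_USER_PROCESS_INFORMATION (x64): Length @0, Process @8, Thread @16, ClientId.UniqueProcess @24, then SECTION_IMAGE_INFORMATION.
    $pi = $M::AllocHGlobal(128)
    $M::Copy((New-Object byte[] 128), 0, $pi, 128)
    $M::WriteInt32($pi, 0, 104)
    $status = [NtProc]::RtlCreateUserProcess($ntPath, 0, $pp, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, $false,
        [IntPtr]::Zero, [IntPtr]::Zero, $pi)
    [void][NtProc]::RtlDestroyProcessParameters($pp)   # the child already has its own copy of the block
    if ($status -lt 0) { throw ("RtlCreateUserProcess failed: 0x{0:X8}" -f $status) }

    $hThread  = $M::ReadIntPtr($pi, 16)
    $childPid = $M::ReadInt64($pi, 24)
    # The initial thread is created suspended: no DLL is searched for or loaded until it is resumed.
    [void][NtProc]::NtResumeThread($hThread, [IntPtr]::Zero)
    return $childPid
}

# Variant 2 on a real binary (constructed example): truthful image path, DllPath pointing at C:\ProgramData.
$childPid = Start-NativeProcess -RealImage "$env:SystemRoot\System32\notepad.exe" -DllPath 'C:\ProgramData\'
"child pid: $childPid"
# Variant 1: map the real WerFault.exe but make its PEB claim C:\ProgramData\WerFault.exe for all three strings.
# Start-NativeProcess -RealImage "$env:SystemRoot\System32\WerFault.exe" -PebImagePath 'C:\ProgramData\WerFault.exe' -DllPath 'C:\ProgramData\WerFault.exe'
```

Two things to keep in mind when using this: Environment is passed as NULL, so the child inherits the caller's environment block, and RtlCreateUserProcess does not register the child with csrss the way CreateProcess does, so console programs in particular may not behave normally. Pick a target whose non-KnownDLL imports you can actually place in the chosen DllPath; imports satisfied from the KnownDLLs section are never searched for on disk.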
Many thanks to this post for helping me work out some parts.
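A check for the other side of both techniques, as an added example that is not part of the original page: read a live process's PEB->ProcessParameters and compare what the loader was told with the image that is really mapped. Variant 1 shows up as an ImagePathName that differs from the mapped image; variant 2 keeps ImagePathName truthful, and the tell is an unexpected DllPath. The function names (Get-PebImageInfo, Read-RemoteUnicodeString, PebRead) are my own; the offsets are the native x64 PEB and RTL_USER_PROCESS_PARAMETERS layout, so it assumes 64-bit PowerShell and a 64-bit target, and it demonstrates on its own process ($PID).

```powershell
# Added example (not from the original repo): compare PEB->ProcessParameters strings with the mapped image.
# Assumes 64-bit Windows PowerShell and a 64-bit target process.
$src = @'
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class PebRead
{
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr ProcessHandle, int InfoClass, byte[] Info, int Length, out int ReturnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint DesiredAccess, bool InheritHandle, int ProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr ProcessHandle, IntPtr Address, byte[] Buffer, int Size, out IntPtr BytesRead);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool QueryFullProcessImageNameW(IntPtr ProcessHandle, uint Flags, StringBuilder ExeName, ref int Size);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr Handle);
}
'@
Add-Type -TypeDefinition $src

function Read-Remote([IntPtr]$h, [long]$Address, [int]$Size) {
    $buf = New-Object byte[] $Size
    $read = [IntPtr]::Zero
    if (-not [PebRead]::ReadProcessMemory($h, [IntPtr]$Address, $buf, $Size, [ref]$read)) {
        throw ("ReadProcessMemory failed at 0x{0:X}" -f $Address)
    }
    return $buf
}

# UNICODE_STRING in the target: USHORT Length @0, USHORT MaximumLength @2, PWSTR Buffer @8 (x64).
function Read-RemoteUnicodeString([IntPtr]$h, [long]$Address) {
    $us  = Read-Remote $h $Address 16
    $len = [BitConverter]::ToUInt16($us, 0)
    $ptr = [BitConverter]::ToInt64($us, 8)
    if ($len -eq 0 -or $ptr -eq 0) { return '' }
    return [System.Text.Encoding]::Unicode.GetString((Read-Remote $h $ptr $len))
}

function Get-PebImageInfo([int]$ProcessId) {
    $PROCESS_QUERY_INFORMATION = 0x0400; $PROCESS_VM_READ = 0x0010
    $h = [PebRead]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        # ProcessBasicInformation (class 0): PebBaseAddress is the second pointer-sized field of the 48-byte struct.
        $pbi = New-Object byte[] 48; $ret = 0
        $status = [PebRead]::NtQueryInformationProcess($h, 0, $pbi, 48, [ref]$ret)
        if ($status -lt 0) { throw ("NtQueryInformationProcess failed: 0x{0:X8}" -f $status) }
        $peb = [BitConverter]::ToInt64($pbi, 8)
        # PEB.ProcessParameters @0x20; in RTL_USER_PROCESS_PARAMETERS: DllPath @0x50, ImagePathName @0x60, CommandLine @0x70.
        $params = [BitConverter]::ToInt64((Read-Remote $h ($peb + 0x20) 8), 0)
        $sb = New-Object System.Text.StringBuilder 1024; $n = $sb.Capacity
        [void][PebRead]::QueryFullProcessImageNameW($h, 0, $sb, [ref]$n)
        $mapped   = $sb.ToString()
        $pebImage = Read-RemoteUnicodeString $h ($params + 0x60)
        [pscustomobject]@{
            ProcessId         = $ProcessId
            MappedImage       = $mapped
            PebImagePath      = $pebImage
            PebDllPath        = Read-RemoteUnicodeString $h ($params + 0x50)
            PebCommandLine    = Read-RemoteUnicodeString $h ($params + 0x70)
            # Variant 1 leaves the PEB claiming a path that is not the mapped image (case-insensitive, slash-normalised compare).
            ImagePathMismatch = ($mapped.Replace('/', '\') -ne $pebImage.Replace('/', '\'))
        }
    } finally { [void][PebRead]::CloseHandle($h) }
}

Get-PebImageInfo -ProcessId $PID | Format-List
```

Run it against the pid returned by the creation example to see the strings the child's loader was handed; reading another user's or a protected process needs an elevated or otherwise privileged token. For variant 2, compare PebDllPath against the directory of MappedImage rather than looking at ImagePathMismatch.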