madshi.net

The driver won't work in any 64bit OS. madCodeHook 3.0 will feature full 64bit support, but you will need MSVC++ for that. 3.0 will be available later this year, hopefully soon. You mean, it wont work for 32-bit processes under a 64-bit OS? But it looks like it works. Hm... MSVC? No thanks... not g...

I am now running Windows 7 64-bit. MCH seems still to work, at least regarding 32-bit processes. I digitally sign the driver, but from time to time, I get an AV when calling injectlibrary, but only 1 time, then it will work until I restart the PC. Are you planning a 64-bit compatible version in futu...

That's great, makes things very easy. I read anywhere here that the driver is only installed when I hook system processes. I use for testing this: InjectLibrary((CURRENT_USER) and (not CURRENT_PROCESS),DLLNAME); Avira flags the mchInjDrv.sys driver as a trojan/rootkit, located in sysdir. On inspecti...

Yes, the 2nd parameter is the file path of the driver. As long as you only rename and sign the driver, it will be compatible to other madCodeHook 2.x software. Meaning that other madCodeHook software will be able to make use of your driver, even though the file is renamed. This will change with mad...

Thanks, did not know that, thought 3.0 will only have that feature. I assume that the 2nd parameter of SetMadCHookOption is the path to the driver (so i can rename it, and sign it)? I thought of a service, which will install the driver and inject the dll etc., so the user app (the gui application) c...

I don't know where the delay is coming from, but it's most probably not the loading of the driver. At least on my PC the loading of the driver doesn't take any time at all. So you first need to find out exactly where the delay is coming from. My first suggestion would be to try this one a freshly i...

Madshi, when starting a program which use mch for the first time after starting the pc, it takes 20 seconds before the program starts. I guess this is because MchInjdrv.sys will be installed. People get confused about the delay, because "just nothing happen". Is there any way to get a feed...

Is there a way to ensure the dll get injected when the pc boot into safe mode? Will it work when: 1. Installing a service, which inject the dll 2. Adding that service to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeB...

Indeed, when using as the last 2 parameters INFINITE, false, explorer works normal, and firefox stop crashing...

I tried again and again, and firefox always crash (the crash reporter popup) when clicking home and ntopenfile and/or ntcreatefile is hooked, even when the hook code is empty and just call the original code. I noticed when sending via ipc all ntopen/ntcreate file to the pc, that firefox called creat...

I hook NtCreateFile (which was always working, until yesterday, it suddenly cause issues). As soon I send an IPC Message from the hook code, explorer does not display drives anymore, in fact, when opening my computer, its just a white empty window with no drives or anything else listed. What I am do...

madshi wrote:Ok, so it's called NtQueryInformationFile.

Yes, I figured that out...
To my previous question, you get valid names, why does it freeze when reading the objname property with some handles? It should not because of your code in madkernel.pas.

You know, Delphi has a search function. NtQueryFileInformation. You could have thought of that yourself... :wink: Guess... I did that, but I could not find any NtQueryFileInformation inside madkernel.pas, but I found NtQueryObject which you used to get the name. And yes, its similar to what I do. I...

madshi wrote:Check out madKernel.pas, it already does a similar thing.

Seriously? Hell... but that code is almost 400kb, far too much to dig into.

I found a solution.

I create a thread which will access the name object, with a timeout of 500ms.
When waitforsingleobject with a timeout of 1s returns with WAIT_OBJECT_0, I know the access was ok and I process the name.

Works just fine.