Problem with madexcept + dll injection

delphi package - automated exception handling

Post by Vizit0r » Tue Apr 26, 2016 7:30 pm

Good evening.

So, I have a small self-written DLL (Delphi), and an application which starts another program and, after launch, injects this DLL there.
The DLL has madExcept totally disabled; the application has it enabled.
All is OK, but on Win 10 x64, when the application has the option "link in madExcept code" enabled, the DLL fails to inject. Visually all is OK, all stage checks succeed, but the DLL thread does not exist among the target program's threads. When this option is switched off there is no problem at all; the DLL is injected and starts fine.
Delphi 10, madExcept 4.0.14

Please advise me how to solve this problem.

If you need additional info - just ask.

P.S. Thanks for the excellent package!
Vizit0r
 
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm

Re: Problem with madexcept + dll injection

Post by madshi » Tue Apr 26, 2016 9:34 pm

What do you mean with "dll thread not exists"? A dll usually doesn't have its own thread - unless you manually create one. Do you?

I'd suggest that you use ProcessExplorer to check if the dll is really loaded in the target process or not.

Which API / method are you using for DLL injection?
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with madexcept + dll injection

Post by Vizit0r » Wed Apr 27, 2016 5:26 am

madshi wrote: I'd suggest that you use ProcessExplorer to check if the dll is really loaded in the target process or not.

I'm using Process Explorer, yes.

madshi wrote: What do you mean with "dll thread not exists"? A dll usually doesn't have its own thread - unless you manually create one. Do you?

For injecting the DLL I'm using the approach of starting a thread inside the target application. When all is OK, I can see my threads with the DLL in the list of application threads. In my situation with Win10 there is no DLL thread there.

UAC, Defender and all stuff like that were disabled (none of them raised errors, but we tried to remove all possible causes of the problem).

Injection code:

Code:
// Needs the Windows unit. SetDebugPriv and WineEmul are defined elsewhere
// in the poster's project and are not shown in the post.
function InjectLib(const ProcessID, process_handle : DWORD; DllPath : String) : Boolean;
var
  Process : THandle;
  ThreadRtn : FARPROC;
  RemoteDllPtr : Pointer;
  BytesWriten : SIZE_T;
  Thread{,ErrorID} :  NativeUInt;
  ThreadId : DWORD;
  ExitCode : DWORD;
begin
  // Debug privs for our process.
  Result := SetDebugPriv;
  if not Result then Exit;
  // Report failure from here on; otherwise every early Exit below
  // would return the True left over from SetDebugPriv.
  Result := False;
  Process := 0;
  Thread  := 0;
  RemoteDllPtr := nil; // tested in the finally block, so it must be initialised
  try
    if WineEmul then
      sleep(1000)
    else
      if (WaitForInputIdle(process_handle, INFINITE) <> 0) then
        Exit;

    // Open the target process.
    Process := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or
      PROCESS_VM_WRITE or PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, True, ProcessID);
    if Process = 0 then Exit;
    // Allocate memory for the string with the dll name.
    RemoteDllPtr := VirtualAllocEx(Process, nil, (Length(DllPath) + 1) * SizeOf(Char),
      MEM_COMMIT or MEM_TOP_DOWN, PAGE_READWRITE);
    if RemoteDllPtr = nil then Exit;
    // Write the dll's path into the allocated memory.
    if not WriteProcessMemory(Process, RemoteDllPtr, PChar(DllPath),
      (Length(DllPath) + 1) * SizeOf(Char), BytesWriten) then Exit;
    if BytesWriten <> DWORD((Length(DllPath) + 1) * SizeOf(Char)) then Exit;
    // Obtain the address of LoadLibraryW from Kernel32.dll
    ThreadRtn := GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryW');
    if ThreadRtn = nil then Exit;
    // Run the remote thread
    Thread := CreateRemoteThread(Process, nil, 0, ThreadRtn, RemoteDllPtr, 0, ThreadId);
    ThreadId := GetLastError; // debugging leftover: overwrites the thread id with the last error code
    if Thread = 0 then Exit;
    // Wait for the remote thread to finish; its exit code is the return
    // value of LoadLibraryW, which is 0 when the load failed.
    if (WaitForSingleObject(Thread, INFINITE) = WAIT_OBJECT_0) then
      if GetExitCodeThread(Thread, ExitCode) then
        Result := ExitCode <> 0;
//    ErrorID := GetLastError;
  finally
    // The remote thread has finished (or was never started), so
    // we can release the allocated memory.
    if RemoteDllPtr <> nil then
      // Pass the remote address itself, not the address of the local variable.
      VirtualFreeEx(Process, RemoteDllPtr, 0, MEM_RELEASE);
    if Thread <> 0 then CloseHandle(Thread);
    if Process <> 0 then CloseHandle(Process);
  end;
end;


Here's a screenshot - an example of a normal start, when the DLL is injected.
Image
Vizit0r
 
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm

Re: Problem with madexcept + dll injection

Post by madshi » Wed Apr 27, 2016 7:18 am

As I said:

> A dll usually doesn't have its own thread - unless you manually create one. Do you?
> I'd suggest that you use ProcessExplorer to check if the dll is really loaded in the target process or not.

In ProcessExplorer, in the menu choose "View -> Lower Pane View -> DLLs". That will give you a list of DLLs loaded in the target process. Is your DLL listed there, when compiled with or without madExcept?
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm
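
The check madshi describes, done from code instead of Process Explorer's DLL view. This is an added example, not part of the original thread and not madExcept code; the program name, the `IsModuleLoaded` helper and the locally declared `SNAPMODULE32` constant are assumptions made for the illustration.

```delphi
program CheckModuleLoaded;
{$APPTYPE CONSOLE}

uses
  Winapi.Windows, Winapi.TlHelp32, System.SysUtils;

const
  // TH32CS_SNAPMODULE32 from tlhelp32.h, declared locally in case the unit lacks it.
  SNAPMODULE32 = $00000010;

// True if a module named DllName (case-insensitive) is mapped into process ProcessID.
function IsModuleLoaded(ProcessID: DWORD; const DllName: string): Boolean;
var
  Snapshot: THandle;
  Entry: TModuleEntry32;
begin
  Result := False;
  // The module list can change while being read; ERROR_BAD_LENGTH means "retry".
  repeat
    Snapshot := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE or SNAPMODULE32, ProcessID);
  until (Snapshot <> INVALID_HANDLE_VALUE) or (GetLastError <> ERROR_BAD_LENGTH);
  if Snapshot = INVALID_HANDLE_VALUE then
    RaiseLastOSError; // e.g. access denied, or a 32-bit caller and a 64-bit target
  try
    Entry.dwSize := SizeOf(Entry);
    if Module32First(Snapshot, Entry) then
      repeat
        if SameText(Entry.szModule, DllName) then
          Exit(True);
      until not Module32Next(Snapshot, Entry);
  finally
    CloseHandle(Snapshot);
  end;
end;

begin
  // Usage: CheckModuleLoaded <pid> <dll file name>; both are supplied by the caller.
  if ParamCount <> 2 then
    Halt(2);
  try
    if IsModuleLoaded(Cardinal(StrToInt64(ParamStr(1))), ParamStr(2)) then
      Writeln('loaded')
    else
      Writeln('not loaded');
  except
    on E: Exception do
      Writeln(E.ClassName, ': ', E.Message);
  end;
end.
```

Running it against the same target once with and once without "link in madExcept code" gives the same yes/no answer as the Process Explorer DLL list, and a snapshot failure is reported with its OS error instead of being read as "not loaded".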

Re: Problem with madexcept + dll injection

Post by Vizit0r » Wed Apr 27, 2016 8:01 am

With "link in madExcept code" enabled - no DLL in the list.
With the option disabled - the DLL is in the list, all is correct.
Vizit0r
 
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm

Re: Problem with madexcept + dll injection

Post by madshi » Wed Apr 27, 2016 8:40 am

Does this happen for all applications? Even Notepad or MS Paint?
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with madexcept + dll injection

Post by Vizit0r » Wed Apr 27, 2016 9:28 am

I will check it with a few different apps and report.

That's not my PC, but the user's. I will make a small test app and check it there.
Vizit0r
 
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm

Re: Problem with madexcept + dll injection

Post by madshi » Wed Apr 27, 2016 9:42 am

The reason I'm asking is that it will be difficult for me to do anything about this problem if I can't reproduce it on my own PC.
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with madexcept + dll injection

Post by Vizit0r » Wed Apr 27, 2016 10:07 am

madshi wrote: The reason I'm asking is that it will be difficult for me to do anything about this problem if I can't reproduce it on my own PC.

Same for me. That's a good user; he gave me access via TV and permission for any exploration on his PC - but the main thing he can't provide for me is a connection via PA server from Delphi.

On my Win 7 all is OK; a user with Win 8 also reports normal injection.

Anyway, I will inform you of any news.
Vizit0r
 
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm

Re: Problem with madexcept + dll injection

Post by madshi » Wed Apr 27, 2016 10:11 am

Just a wild guess: Is it possible that the security software (anti-virus, anti-whatever) on the end user's PC has a false positive on your dll when it's compiled with madExcept?

Anyway, if you find a way to reproduce the problem, please let me know.
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with madexcept + dll injection

Post by Vizit0r » Wed Apr 27, 2016 10:16 am

madshi wrote: Just a wild guess: Is it possible that the security software (anti-virus, anti-whatever) on the end user's PC has a false positive on your dll when it's compiled with madExcept?

As I said before, we switched off all security stuff like antivirus, UAC, Defender and others.
Checked all Windows events - nothing.

madshi wrote: Anyway, if you find a way to reproduce the problem, please let me know.

ofc.
Vizit0r
 
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm

Re: Problem with madexcept + dll injection

Post by madshi » Wed Apr 27, 2016 10:34 am

Ah sorry, missed that line about antivirus etc.
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with madexcept + dll injection

Post by Vizit0r » Wed Apr 27, 2016 10:37 am

Ah, I read your last post again :)

No, on my dev PC no antivirus is installed, UAC is disabled, only the firewall is working. I switched it off just now; nothing changed.
Vizit0r
 
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm

Re: Problem with madexcept + dll injection

Post by Vizit0r » Mon Jun 20, 2016 11:55 am

madshi, hello again, I'm back.
Sorry for the long silence - I was too far from the internet :)

So, about this bug.
https://cloud.mail.ru/public/9Fia/nqHqWx3h2 - binaries for reproducing bugs in Win 10\Win 8.1 - start project2.exe and press the button.
https://cloud.mail.ru/public/Mrk4/4t4eHtZVd - sources: Injecter (project2), the DLL to inject, and the target app (I can't use default apps like Notepad, because on Win x64 they are also x64 and can't be injected by an x86 app).

If "link in madExcept code" is switched off in the madExcept options of Project2, the DLL is injected correctly and shows a message.

In Win7 all is OK in all cases.

If you need any info - ask.
Vizit0r
 
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm

Re: Problem with madexcept + dll injection

Post by Vizit0r » Wed Jun 22, 2016 5:42 am

madshi

Do you accept this report?
Vizit0r
 
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm
