Problem with madexcept + dll injection

delphi package - automated exception handling
Vizit0r
Posts: 15
Joined: Tue Apr 26, 2016 7:19 pm

Problem with madexcept + dll injection

Post by Vizit0r »

Good evening.

So, I have a small self-written dll (Delphi), and an application which starts another program and, after launch, injects this dll there.
The dll has madExcept totally disabled, the application has it enabled.
All is OK, but on Win 10 x64, when the application has the option "link in madExcept code" enabled, the dll fails to inject. Visually all is OK, all stage checks succeed, but the dll thread does not exist in the target program's threads. When this option is switched off there is no problem at all, the dll is injected and starts fine.
Delphi 10, madExcept 4.0.14

Please advise me how to solve this problem.

If you need additional info - just ask.

P.S. Thanks for the excellent package!
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problem with madexcept + dll injection

Post by madshi »

What do you mean with "dll thread not exists"? A dll usually doesn't have its own thread - unless you manually create one. Do you?

I'd suggest that you use ProcessExplorer to check if the dll is really loaded in the target process or not.

Which API / method are you using for DLL injection?

Post by Vizit0r »

madshi wrote:
> I'd suggest that you use ProcessExplorer to check if the dll is really loaded in the target process or not.

I'm using Process Explorer, yes.

madshi wrote:
> What do you mean with "dll thread not exists"? A dll usually doesn't have its own thread - unless you manually create one. Do you?

For injecting the dll I'm using the approach of starting a thread inside the target application. When all is OK, I can see my threads with the dll in the list of application threads. In my situation with Win10 there is no dll thread there.

UAC, Defender and all stuff like that were disabled (none of them raised errors, but we tried to remove every possible cause of the problem).

Injection code:

function InjectLib(const ProcessID, process_handle : DWORD; DllPath : String) : Boolean;
var
  Process : THandle;
  ThreadRtn : FARPROC;
  RemoteDllPtr : Pointer;
  BytesWriten : SIZE_T;
  Thread{,ErrorID} :  NativeUInt;
  ThreadId : DWORD;
  ExitCode : DWORD;
begin
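  // Debug privs for our process.
  Result := SetDebugPriv;
  if not Result then Exit;
  // From here on report failure unless the remote LoadLibraryW call succeeds;
  // otherwise every early Exit below would return True.
  Result := False;
  Process := 0;
  Thread  := 0;
  RemoteDllPtr := nil; // tested in the finally block before freeing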
  try
    if WineEmul then
      sleep(1000)
    else
      if (WaitForInputIdle(process_handle, INFINITE) <> 0) then
        Exit;

    // Open Process.
    Process := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or
      PROCESS_VM_WRITE or PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, True, ProcessID);
    if Process = 0 then Exit;
    // Allocation Memory for string with dll name.
    RemoteDllPtr := VirtualAllocEx(Process, nil, (Length(DllPath) + 1) * SizeOf(Char),
      MEM_COMMIT or MEM_TOP_DOWN, PAGE_READWRITE);
    if RemoteDllPtr = nil then Exit;
    // Write the dll's path into this allocated memory.
    if not WriteProcessMemory(Process, RemoteDllPtr, PChar(DllPath),
      (Length(DllPath) + 1) * SizeOf(Char), BytesWriten) then Exit;
    if BytesWriten <> DWORD((Length(DllPath) + 1) * SizeOf(Char)) then Exit;
    // Obtain address of LoadLibraryW from Kernel32.dll
    ThreadRtn := GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryW');
    if ThreadRtn = nil then Exit;
    // run remote thread 
    Thread := CreateRemoteThread(Process, nil, 0, ThreadRtn, RemoteDllPtr, 0, ThreadId);
    ThreadId := GetLastError;
    if Thread = 0 then Exit;
    // waiting for remote thread finish
    if (WaitForSingleObject(Thread, INFINITE) = WAIT_OBJECT_0) then
      if GetExitCodeThread(Thread, ExitCode) then
        Result := ExitCode <> 0;
//    ErrorID := GetLastError;
  finally
    // Release the memory that held the dll path in the target process.
    // Pass the remote pointer itself, not the address of the local variable.
    if RemoteDllPtr <> nil then
      VirtualFreeEx(Process, RemoteDllPtr, 0, MEM_RELEASE);
    if Thread <> 0 then CloseHandle(Thread);
    if Process <> 0 then CloseHandle(Process);
  end;
end;

Here's a screenshot - an example of a normal start, when the dll is injected.

Post by madshi »

As I said:

> A dll usually doesn't have its own thread - unless you manually create one. Do you?
> I'd suggest that you use ProcessExplorer to check if the dll is really loaded in the target process or not.

In ProcessExplorer, in the menu choose "View -> Lower Pane View -> DLLs". That will give you a list of DLLs loaded in the target process. Is your DLL listed there, when compiled with or without madExcept?

Post by Vizit0r »

With "link in madExcept code" enabled - no dll in the list.
Option disabled = dll in the list, all is correct.

Post by madshi »

Does this happen for all applications? Even Notepad or MS Paint?

Post by Vizit0r »

I will check it with a few different apps and report.

That's not my PC, but a user's. I will make a small test app and check it there.

Post by madshi »

The reason I'm asking is that it will be difficult for me to do anything about this problem if I can't reproduce it on my own PC.

Post by Vizit0r »

madshi wrote:
> The reason I'm asking is that it will be difficult for me to do anything about this problem if I can't reproduce it on my own PC.

Same for me. He's a good user, he gave me access via TV and permission for any exploration on his PC - but the main thing he can't provide for me is a connection through PA server from Delphi.

On my Win 7 all is OK, and a user with Win 8 also reports normal injection.

Anyway, I will inform you about news.

Post by madshi »

Just a wild guess: Is it possible that the security software (anti-virus, anti-whatever) on the end user's PC has a false positive on your dll when it's compiled with madExcept?

Anyway, if you find a way to reproduce the problem, please let me know.

Post by Vizit0r »

madshi wrote:
> Just a wild guess: Is it possible that the security software (anti-virus, anti-whatever) on the end user's PC has a false positive on your dll when it's compiled with madExcept?

As I told you before, we switched off all security stuff like antivirus, UAC, Defender and others.
Checked all Windows events - nothing.

madshi wrote:
> Anyway, if you find a way to reproduce the problem, please let me know.

Of course.

Post by madshi »

Ah sorry, missed that line about antivirus etc.

Post by Vizit0r »

Ah, read your last post again :)

No, on my dev PC no antivirus is installed, UAC is disabled, only the firewall is working. Switched it off right now, nothing changed.

Post by Vizit0r »

madshi, hello again, I'm back.
Sorry for the long silence - I was too far from the internet :)

So, about this bug.
https://cloud.mail.ru/public/9Fia/nqHqWx3h2 - binaries for reproducing the bug on Win 10\Win 8.1 - start project2.exe and press the button.
https://cloud.mail.ru/public/Mrk4/4t4eHtZVd - sources: injector (project2), the dll to inject, the target app (I can't use default apps like Notepad, because on Win x64 they are also x64 and can't be injected by an x86 app).

If "link in madExcept code" is switched off in the madExcept options of Project2, the dll injects correctly and shows a message.

On Win7 all is OK in all cases.

If you need any info - ask.
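
The check madshi asks for earlier in the thread (is the dll in the target's module list?) and the x86/x64 limit mentioned in the post above can also be done programmatically. This is an added example, not code from either poster or from madExcept; the program name, the function names and the locally declared `SNAPMODULE32` constant are assumptions of the example.

```delphi
program CheckInjectedModule;
{$APPTYPE CONSOLE}
uses
  Winapi.Windows, Winapi.TlHelp32, System.SysUtils;

const
  // Value of TH32CS_SNAPMODULE32 from the Windows SDK, declared locally
  // (assumption: the RTL's TlHelp32 unit may not define it).
  SNAPMODULE32 = $00000010;

// True when the process runs as 32-bit code on 64-bit Windows (WOW64).
function IsWow64(Process: THandle): Boolean;
var
  Flag: BOOL;
begin
  Flag := False;
  Result := IsWow64Process(Process, Flag) and Flag;
end;

// Walks the module list of ProcessID and reports whether DllName is loaded.
function IsModuleLoaded(ProcessID: DWORD; const DllName: string): Boolean;
var
  Snap: THandle;
  Entry: TModuleEntry32;
begin
  Result := False;
  Snap := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE or SNAPMODULE32, ProcessID);
  if Snap = INVALID_HANDLE_VALUE then
    RaiseLastOSError; // e.g. access denied, or a 32-bit caller querying a 64-bit process
  try
    Entry.dwSize := SizeOf(Entry);
    if Module32First(Snap, Entry) then
      repeat
        if SameText(Entry.szModule, DllName) then
          Exit(True);
      until not Module32Next(Snap, Entry);
  finally
    CloseHandle(Snap);
  end;
end;

var
  Pid: DWORD;
  Target: THandle;
begin
  // Usage: CheckInjectedModule <pid> <dll file name>
  Pid := StrToInt(ParamStr(1));
  Target := OpenProcess(PROCESS_QUERY_INFORMATION, False, Pid);
  if Target = 0 then RaiseLastOSError;
  Writeln('Caller WOW64: ', IsWow64(GetCurrentProcess), ', target WOW64: ', IsWow64(Target));
  CloseHandle(Target);
  Writeln('Module loaded: ', IsModuleLoaded(Pid, ParamStr(2)));
end.
```

On 64-bit Windows, differing WOW64 flags mean caller and target have different bitness, which is the case the post above rules out by using its own x86 target app.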

Post by Vizit0r »

madshi

Do you accept this report?