Problem with madexcept + dll injection
Posted: Tue Apr 26, 2016 7:30 pm
by Vizit0r
Good evening.
So, I have a small self-written DLL (Delphi) and an application which starts another program and, after launch, injects this DLL there.
The DLL has madExcept totally disabled; the application has it enabled.
All is OK, but in Win 10 x64, when the application has the option "link in madExcept code" enabled, the DLL fails to inject. Visually all is OK, all stage checks succeed, but the DLL thread does not exist in the target program's threads. When this option is switched off there is no problem at all: the DLL is injected and starts fine.
Delphi 10, madExcept 4.0.14
Please advise me how to solve this problem.
If you need additional info - just ask.
P.S. Thanks for the excellent package!
Re: Problem with madexcept + dll injection
Posted: Tue Apr 26, 2016 9:34 pm
by madshi
What do you mean with "dll thread not exists"? A dll usually doesn't have its own thread - unless you manually create one. Do you?
I'd suggest that you use ProcessExplorer to check if the dll is really loaded in the target process or not.
Which API / method are you using for DLL injection?
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 5:26 am
by Vizit0r
madshi wrote: I'd suggest that you use ProcessExplorer to check if the dll is really loaded in the target process or not.
I'm using Process Explorer, yes.
madshi wrote: What do you mean with "dll thread not exists"? A dll usually doesn't have its own thread - unless you manually create one. Do you?
For injecting the DLL I'm using the approach of starting a thread inside the target application. When all is OK, I can see my threads with the DLL in the list of application threads. In my situation with Win10 there is no DLL thread there.
UAC, Defender and all stuff like that were disabled (none of them raised errors, but we tried to remove all possible reasons for the problem).
Injection code:
Code:
function InjectLib(const ProcessID, process_handle : DWORD; DllPath : String) : Boolean;
var
  Process : THandle;
  ThreadRtn : FARPROC;
  RemoteDllPtr : Pointer;
  BytesWriten : SIZE_T;
  Thread{,ErrorID} : NativeUInt;
  ThreadId : DWORD;
  ExitCode : DWORD;
begin
  // Debug privs for our process.
  Result := SetDebugPriv;
  if not Result then Exit;
  // From here on report failure on every early Exit; success is set only
  // when the remote LoadLibraryW call returns a non-zero value.
  Result := False;
  Process := 0;
  Thread := 0;
  RemoteDllPtr := nil; // so the finally block never sees an uninitialized pointer
  try
    if WineEmul then
      sleep(1000)
    else
      if (WaitForInputIdle(process_handle, INFINITE) <> 0) then
        Exit;
    // Open Process.
    Process := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or
      PROCESS_VM_WRITE or PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, True, ProcessID);
    if Process = 0 then Exit;
    // Allocate memory for the string with the dll name.
    RemoteDllPtr := VirtualAllocEx(Process, nil, (Length(DllPath) + 1) * SizeOf(Char),
      MEM_COMMIT or MEM_TOP_DOWN, PAGE_READWRITE);
    if RemoteDllPtr = nil then Exit;
    // Write the dll's path into this allocated memory.
    if not WriteProcessMemory(Process, RemoteDllPtr, PChar(DllPath),
      (Length(DllPath) + 1) * SizeOf(Char), BytesWriten) then Exit;
    if BytesWriten <> DWORD((Length(DllPath) + 1) * SizeOf(Char)) then Exit;
    // Obtain address of LoadLibraryW from Kernel32.dll
    ThreadRtn := GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryW');
    if ThreadRtn = nil then Exit;
    // run remote thread
    Thread := CreateRemoteThread(Process, nil, 0, ThreadRtn, RemoteDllPtr, 0, ThreadId);
    // Debug leftover: keeps the last error code in ThreadId for inspection.
    ThreadId := GetLastError;
    if Thread = 0 then Exit;
    // waiting for remote thread finish
    if (WaitForSingleObject(Thread, INFINITE) = WAIT_OBJECT_0) then
      if GetExitCodeThread(Thread, ExitCode) then
        Result := ExitCode <> 0; // exit code is LoadLibraryW's return value; 0 = load failed
    // ErrorID := GetLastError;
  finally
    // Remote thread has finished, so we can release the allocated memory.
    // Pass the remote address itself, not the address of the local variable.
    if RemoteDllPtr <> nil then
      VirtualFreeEx(Process, RemoteDllPtr, 0, MEM_RELEASE);
    if Thread <> 0 then CloseHandle(Thread);
    if Process <> 0 then CloseHandle(Process);
  end;
end;
Here's a screenshot - an example of a normal start, when the DLL is injected.
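Added example, not part of the original thread: the routine posted above starts a remote thread at LoadLibraryW, which Sysmon (where installed) records as Event ID 8 (CreateRemoteThread). This Python code parses that event's rendered fields and flags cross-process threads that begin at a LoadLibrary export; the event text, paths and PIDs below are constructed and abbreviated.

```python
import ntpath

# Constructed, abbreviated Sysmon Event ID 8 messages (paths, PIDs, times are made up).
SAMPLE_EVENTS = [
    r"""CreateRemoteThread detected:
UtcTime: 2024-01-01 10:00:00.000
SourceProcessId: 4120
SourceImage: C:\Test\Project2.exe
TargetProcessId: 5332
TargetImage: C:\Test\Target.exe
StartAddress: 0x0000000076F21234
StartModule: C:\Windows\SysWOW64\KERNEL32.DLL
StartFunction: LoadLibraryW""",
    r"""CreateRemoteThread detected:
UtcTime: 2024-01-01 10:00:05.000
SourceProcessId: 612
SourceImage: C:\Windows\System32\csrss.exe
TargetProcessId: 7044
TargetImage: C:\Windows\System32\cmd.exe
StartAddress: 0x00007FFB12345678
StartModule: C:\Windows\System32\KERNELBASE.dll
StartFunction: CtrlRoutine""",
]

LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

def parse_event(message):
    """Turn the 'Key: Value' lines of one rendered event into a dict."""
    fields = {}
    for line in message.splitlines()[1:]:      # skip the title line
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def is_loadlibrary_thread(fields):
    """True when another process started a thread directly at a LoadLibrary export."""
    module = ntpath.basename(fields.get("StartModule", "")).lower()
    function = fields.get("StartFunction", "").lower()
    cross_process = fields.get("SourceProcessId") != fields.get("TargetProcessId")
    return cross_process and module in LOADER_MODULES and function in LOADER_EXPORTS

def find_injections(messages):
    """Return (source image, target image, start function) for each flagged event."""
    events = [parse_event(m) for m in messages]
    return [(e.get("SourceImage"), e.get("TargetImage"), e.get("StartFunction"))
            for e in events if is_loadlibrary_thread(e)]
```

The module name is compared case-insensitively by basename, so the System32 and SysWOW64 copies of kernel32.dll are both matched.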
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 7:18 am
by madshi
As I said:
> A dll usually doesn't have its own thread - unless you manually create one. Do you?
> I'd suggest that you use ProcessExplorer to check if the dll is really loaded in the target process or not.
In ProcessExplorer, in the menu choose "View -> Lower Pane View -> DLLs". That will give you a list of DLLs loaded in the target process. Is your DLL listed there, when compiled with or without madExcept?
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 8:01 am
by Vizit0r
With "link in madExcept code" enabled - no DLL in the list.
With the option disabled - the DLL is in the list, all is correct.
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 8:40 am
by madshi
Does this happen for all applications? Even Notepad or MS Paint?
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 9:28 am
by Vizit0r
I will check it with a few different apps and report.
That's not my PC, but the user's. I will make a small test app and check it there.
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 9:42 am
by madshi
The reason I'm asking is that it will be difficult for me to do anything about this problem if I can't reproduce it on my own PC.
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 10:07 am
by Vizit0r
madshi wrote: The reason I'm asking is that it will be difficult for me to do anything about this problem if I can't reproduce it on my own PC.
Same for me. He's a good user; he gave me access via TV and permission for any exploration on his PC - but the main thing he can't provide for me is a connection via PA server from Delphi.
On my Win 7 all is OK; a user with Win 8 also reports normal injection.
Anyway, I will inform you about any news.
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 10:11 am
by madshi
Just a wild guess: Is it possible that the security software (anti-virus, anti-whatever) on the end user's PC has a false positive on your dll when it's compiled with madExcept?
Anyway, if you find a way to reproduce the problem, please let me know.
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 10:16 am
by Vizit0r
madshi wrote: Just a wild guess: Is it possible that the security software (anti-virus, anti-whatever) on the end user's PC has a false positive on your dll when it's compiled with madExcept?
As I said before, we switched off all security stuff like antivirus, UAC, Defender and others.
Checked all Windows events - nothing.
madshi wrote: Anyway, if you find a way to reproduce the problem, please let me know.
ofc.
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 10:34 am
by madshi
Ah sorry, missed that line about antivirus etc.
Re: Problem with madexcept + dll injection
Posted: Wed Apr 27, 2016 10:37 am
by Vizit0r
Ah, I read your last post again.
No, on my dev PC no antivirus is installed, UAC is disabled, only the firewall is working. I switched it off just now; nothing changed.
Re: Problem with madexcept + dll injection
Posted: Mon Jun 20, 2016 11:55 am
by Vizit0r
madshi, hello again, I'm back.
Sorry for the long silence - I was too far from the internet.
So, about this bug.
https://cloud.mail.ru/public/9Fia/nqHqWx3h2 - binaries for reproducing the bug in Win 10\Win 8.1 - start project2.exe and press the button.
https://cloud.mail.ru/public/Mrk4/4t4eHtZVd - sources: injector (project2), DLL to inject, target app (I can't use default apps like Notepad, because on Win x64 they are also x64 and can't be injected by an x86 app).
If "link in madExcept code" is switched off in the madExcept options of Project2, the DLL is injected correctly and shows a message.
In Win7 all is OK in all cases.
If you need any info - ask.
Re: Problem with madexcept + dll injection
Posted: Wed Jun 22, 2016 5:42 am
by Vizit0r
madshi
Do you accept this report?