InjectLibrary network paths in included/excluded processes

c++ / delphi package - dll injection and api hooking
princezna
Posts: 13
Joined: Thu Mar 01, 2012 1:40 pm

InjectLibrary network paths in included/excluded processes

Post by princezna »

How does InjectLibrary handle network paths (UNC e.g. "\\server\share\blabla.exe")?

I tried to add a few network paths into the excluded list, but their processes are still getting injected unless I use the executable name only.

exclude: \\server\share\program.exe
running \\server\share\program.exe gets injected

exclude: program.exe
running \\server\share\program.exe doesn't get injected
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary network paths in included/excluded process

Post by madshi »

Oh well. The injection driver internally does some tricks to convert driver land file paths to user land file paths. E.g. a typical driver land file path reads like "\Device\HarddiskVolume1\Some Folder\Hook.dll", which converted to user land reads like "C:\Some Folder\Some.dll". I guess that this conversion code in the driver doesn't work for network paths. To be honest, I never tested that, and nobody complained until now. So I guess you're the first one trying to use full network paths in the exclusion/inclusion lists.

Could you try adding "\Device\LanmanRedirector\server\share\blabla.exe" to the exclusion list? Does that work?
princezna
Posts: 13
Joined: Thu Mar 01, 2012 1:40 pm

Re: InjectLibrary network paths in included/excluded process

Post by princezna »

Tried the \Device\LanmanRedirector\server\share notation and it doesn't work.

Maybe you could try it and see what kind of path your driver sees when you run a program over the network as \\server\share, or point us to where we could find this information in the driver source. Then we could modify the path before sending it to InjectLibrary.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary network paths in included/excluded process

Post by madshi »

Ok, I'll give it a try. Might take a couple of days, though.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary network paths in included/excluded process

Post by madshi »

Sorry for the late reply. I've now tested this and I've found that it works better than expected. In XP x86, when starting from a UNC network path, the driver gets the exact correct UNC network path. When starting from a drive letter connected to a UNC network path, the driver gets the drive letter path. In win7 x64, the driver always gets the UNC network path, regardless of whether the exe is started from a UNC network path or from a connected drive letter.

I'm not sure why this seems to fail for you? It definitely worked for me here on both XP x86 and win7 x64. Could you please double check? Please also make sure you're using the latest madCodeHook build, just to be safe:

http://madshi.net/madCollection.exe
princezna
Posts: 13
Joined: Thu Mar 01, 2012 1:40 pm

Re: InjectLibrary network paths in included/excluded process

Post by princezna »

Tested it again and it works well for UNC paths with netbios names. It doesn't work for UNC paths with IP addresses, for example, but that's not really a problem for us at this point. We have ways to translate IPs to NBS.

Thanks for looking into it. :)
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary network paths in included/excluded process

Post by madshi »

Would you mind describing your findings in more detail (e.g. examples for UNC/netbios/IP paths)? Netbios isn't the only naming protocol. How about DNS names? Does that work? Etc... That might be helpful for other customers, and maybe also for future development. Thanks...
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: InjectLibrary network paths in included/excluded process

Post by EaSy »

Hi,
the problem is that the mch driver sometimes tests exe paths against
"\Device\Mup\192.168.29.153\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe"
instead of
"\\192.168.29.153\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe".
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary network paths in included/excluded process

Post by madshi »

So if you want to exclude an exe "\\192.168.29.153\some.exe" you could tell madCodeHook to exclude both "\\192.168.29.153\some.exe" and "\Device\Mup\192.168.29.153\some.exe" to make things work with the current madCodeHook driver version. Is that correct?
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: InjectLibrary network paths in included/excluded process

Post by EaSy »

Yes, this is how we currently handle this issue.
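The workaround madshi describes and EaSy confirms above (listing both the user-land UNC spelling and the "\Device\Mup\..." spelling the Win7 driver compares against), together with the user-land/driver-land conversion madshi sketches in his first reply, as an added example that is not madCodeHook's own code. It assumes the exclusion check is a case-insensitive comparison of full path strings (an assumption; the thread does not state how the driver matches), and it only knows the two network prefixes named in this thread ("\Device\Mup\" and "\Device\LanmanRedirector\"); mapping "\Device\HarddiskVolumeN\" back to a drive letter needs Windows volume APIs and is left out. The sample paths are the ones quoted in the thread.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case copy, so matches do not depend on the casing the driver reports.
static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static bool startsWith(const std::string& s, const std::string& prefix) {
    return s.size() >= prefix.size() && s.compare(0, prefix.size(), prefix) == 0;
}

// True for a user-land UNC path such as "\\server\share\prog.exe".
bool isUncPath(const std::string& p) {
    return p.size() > 2 && p[0] == '\\' && p[1] == '\\' && p[2] != '\\';
}

// Driver-land network prefixes mentioned in the thread (assumption: these are
// the only two spellings that need handling).
static const char* const kNetworkPrefixes[] = {
    "\\Device\\Mup\\",               // reported by EaSy for Win7 x64
    "\\Device\\LanmanRedirector\\",  // the form madshi first suggested
};

// Expand one user-land UNC path into every spelling the exclusion list should
// carry so that the check succeeds whichever form the driver sees.
std::vector<std::string> exclusionVariants(const std::string& uncPath) {
    std::vector<std::string> out;
    out.push_back(uncPath);
    if (!isUncPath(uncPath)) return out;           // local paths: nothing to expand
    const std::string rest = uncPath.substr(2);    // "server\share\dir\prog.exe"
    for (const char* pre : kNetworkPrefixes) out.push_back(std::string(pre) + rest);
    return out;
}

// Convert a driver-land network path back to its user-land UNC form; any other
// path (local volumes included) is returned unchanged.
std::string toUserLand(const std::string& driverPath) {
    const std::string lowered = toLower(driverPath);
    for (const char* pre : kNetworkPrefixes) {
        const std::string prefix(pre);
        if (startsWith(lowered, toLower(prefix)))
            return "\\\\" + driverPath.substr(prefix.size());
    }
    return driverPath;
}

// Assumed matching rule: case-insensitive comparison of the full path.
bool isExcluded(const std::string& seenByDriver, const std::vector<std::string>& excl) {
    const std::string needle = toLower(seenByDriver);
    for (const auto& e : excl)
        if (toLower(e) == needle) return true;
    return false;
}

// Reproduces the thread's observation: an exclusion list holding only the UNC
// spelling misses the "\Device\Mup\..." path, while the expanded list catches it.
bool demo() {
    const std::string unc =
        "\\\\192.168.29.153\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe";
    const std::string driverSees =
        "\\Device\\Mup\\192.168.29.153\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe";
    const std::vector<std::string> naive{unc};
    const bool missedByNaive = !isExcluded(driverSees, naive);
    const bool caughtByVariants = isExcluded(driverSees, exclusionVariants(unc));
    return missedByNaive && caughtByVariants;
}

int main() { return demo() ? 0 : 1; }
```

The same expansion applies to the inclusion list; whichever list is used, a process launched from a network share is only matched reliably when every spelling the driver might report is present, which is why EaSy's team adds both forms rather than relying on one.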
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary network paths in included/excluded process

Post by madshi »

Thanks, I'll check if I can handle this inside of the driver. I hope this is the same for all OSs?
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: InjectLibrary network paths in included/excluded process

Post by EaSy »

We quickly tested only win7 64b and winXP 32b. Win7 has this issue. WinXP is OK. But, I guess it won't hurt to add it in all systems.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary network paths in included/excluded process

Post by madshi »

Ok, thanks.