InjectLibrary fails, GetLastError = 0

[chrome]

I've just upgraded to the new MadCollection v2.7.4. My development and test environment for now is 32-bit Windows Server 2003.

InjectLibrary is returning false, indicating a failure of some sort, however GetLastError is returning 0. I'm sure its something I'm doing wrong (had to recompile the injection dll for the new version of MadCollection, might have missed something). My question though is, why would GetLastError be returning 0 for a failed injection attempt? Is it really the case that InjectLibrary has no idea why it failed?

[madshi]

Are we talking about injection into one target process? Or system/user/session wide injection? Which development language are you using? Can I see your injection code, please?

[chrome]

I'm developing using C++ (Visual Studio 2008), and here's the relevant code snippets.

First we check that the driver is installed (it is):

Code: Select all

IsInjectionDriverInstalled(L"MyDriver")

Then we check that the driver is running (it is):

Code: Select all

IsInjectionDriverRunning(L"MyDriver")

And finally we attempt the injection (this was working until we upgraded MadCollection):

Code: Select all

InjectLibraryW(L"MyDriver", <path to 32-bit DLL to be injected>, ALL_SESSIONS)

The InjectLibrary call returns FALSE, and GetLastError returns 0.

[madshi]

Hmmmmm... Not sure why InjectLibrary is not returning an error value. Anyway, you say you recompiled the hook dll. Did you also reconfigure and resign the driver? That's necessary if the hook dll changes...

[chrome]

Yes definately, and codesigned with the microsoft cross certificate too. But this is an area where, like you say, errors can creep in. If the driver was bound to a different dll to the one I'm attempting to inject, would InjectLibrary return some sort of error code? Do you have a function that will take, for example, a driver and a dll, and tell me if the driver is bound to the dll or not?

Any other ideas?

[chrome]

I ran some more tests. I can call InjectLibrary(<path to dll>, GetCurrentProcess()) and it succeeds. It only fails if I use the driver-facilitated function call. And if I give a bad dll path GetLastError returns the correct error code (123).

[madshi]

I don't really have a good way to test whether a driver supports a specific hook dll, or whether the driver was signed correctly. The first thing would be possible for me to add, but the 2nd I don't know how to do.

My suggestion would be to double check with one of the madCodeHook demos. E.g. try this one:

http://madshi.net/HookProcessCreation.zip

Try to just create a driver for this demo with your own certificate, using the same configuration and signing logic you're using for your main project. If the demo then still works then the configuration and signing should be fine. If the demo stops working as soon as you use your "self-made" driver then there must be a problem somewhere with the configuration and/or signing.

I wish I had a better way to help you. But for now trying with the demo seems like the best approach to me.

[chrome]

I've tracked it down. The driver had been bound to a different injection dll (a debug version of the same filename).

Under those circumstances, could you make GetLastError return something more meaningful than 'success'? And I'd really love to have that extra function if you could add it, to check whether a driver has been bound to a specified dll.

Thanks

[madshi]

I'll put it on my to do list, but it could take a while until I get to that...