Possible bug in Injection driver

[EaSy]

Hi,
we discovered an issue with injecting 32bit apps on winXP64. This is only happening while there are two or more dlls active in driver. So, we got our dlls active twice or more times set in driver sometimes (i mean more items in the DllList). Your driver code calls "InjectLibrary(ph, dll->Name);" multiple times. This behaviour is OK and it works, because that function knows that there is already injected routine "NtTestAlert" and so on. Well, you know your code I guess...

The problem is in the injection routines. There is a rare case (winXP64 32b apps) when the "Lld32" variable is actually a NULL (I don't know why yet).
And this is a problem, since routines are calling this:

Code: Select all

//               repeat
//                 buf.lld(0, nil, @buf.dll, c1);
//                 buf := buf.next;
//               until buf = nil;

Routine actually gets the "buf.lld" address, but it gets that address only for the first "buf".

Code: Select all

// step 2: locate LdrLoadDll and NtProtectVirtualMemory

In the second cycle that "buf.lld" address is NULL again and app dies.

Thanks

[madshi]

Thank you very much! That's a nasty bug you found there, so I'm happy that you brought it to my attention. It should be fixed in this new beta build:

http://madshi.net/madCollectionBeta.exe (2.7.4.8)

Could you please confirm that the problem is fixed? I plan to release a new official version very soon. But it would be great to have this bug confirmed as fixed. Thanks!

[immer000]

Not sure about the bug in this thread but that beta 2.7.4.8 has a pretty nasty pop-up window on InitializeMadCHook(), you might want to fix that

[madshi]

Ouch. I have just reinstalled my development PC (formerly XPSP3, now Windows 8 x64) and it seems the installation of one of the helper tools wasn't complete. So here's a new build which should have those nasty popups fixed:

http://madshi.net/madCollectionBeta.exe (2.7.4.9)

[EaSy]

Fixed. It does't crash anymore.