We discovered an issue with injecting 32-bit apps on WinXP64. This only happens while there are two or more DLLs active in the driver. So, we sometimes have our DLLs set active twice or more times in the driver (I mean more items in the DllList). Your driver code calls "InjectLibrary(ph, dll->Name);" multiple times. This behaviour is OK and it works, because that function knows that there is already an injected routine ("NtTestAlert") and so on. Well, you know your code, I guess...
The problem is in the injection routines. There is a rare case (WinXP64, 32-bit apps) when the "Lld32" variable is actually NULL (I don't know why yet).
And this is a problem, since the routines are calling this:
// repeat
// buf.lld(0, nil, @buf.dll, c1);
// buf := buf.next;
// until buf = nil;
// step 2: locate LdrLoadDll and NtProtectVirtualMemory
Thanks