We are experiencing some BSODs in the MadCodeHook driver, and I traced the origin of the last BSOD to this code. To be exact: "dll->IncCount" crashed.
Code:
driver InjectIntoProcess:
...
if ( ((pathLen) || (nameLen)) &&
     ( ((dll->IncCount) && (!MatchStrArray(pathBuf, nameBuf, pathLen, nameLen, dll->IncCount, dll->IncPathBuf, dll->IncNameBuf, dll->IncPathLen, dll->IncNameLen))) ||
       ((dll->ExcCount) && ( MatchStrArray(pathBuf, nameBuf, pathLen, nameLen, dll->ExcCount, dll->ExcPathBuf, dll->ExcNameBuf, dll->ExcPathLen, dll->ExcNameLen))) ) )
...
When we get a new rule, we erase the old ones from the driver and insert a new one.
Code:
user space InjectAllLibs:
...
//disable uninjection of running processes
SetMadCHookOption( UNINJECT_FROM_RUNNING_PROCESSES, (LPCWSTR)0 );
//delete last session from driver
UninjectLibraryW(CINJ_DRIVER_NAME, CINJ_DLP_FILE_32, ALL_SESSIONS, true, ProcessIncludeMaskLast, ProcessExcludeMaskLast);
#ifdef _WIN64
UninjectLibraryW(CINJ_DRIVER_NAME, CINJ_DLP_FILE_64, ALL_SESSIONS, true, ProcessIncludeMaskLast, ProcessExcludeMaskLast);
#endif
//enable uninjection of running processes again
SetMadCHookOption( UNINJECT_FROM_RUNNING_PROCESSES, (LPCWSTR)1 );
...
//insert new session into driver
ret = (InjectLibraryW(CINJ_DRIVER_NAME, CINJ_DLP_FILE_32, ALL_SESSIONS, true, ProcessIncludeMask, ProcessExcludeMask) != FALSE) && ret;
#ifdef _WIN64
ret = (InjectLibraryW(CINJ_DRIVER_NAME, CINJ_DLP_FILE_64, ALL_SESSIONS, true, ProcessIncludeMask, ProcessExcludeMask) != FALSE) && ret;
#endif
...
PP