Issue related to InjectLibrary function.

c++ / delphi package - dll injection and api hooking
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Issue related to InjectLibrary function.

Post by manutai »

Hi,

We are trying to inject a DLL into a 64 bit process using the InjectLibrary function.
InjectLibrary returns SUCCESS even if the DLL it is trying to inject fails to load.
I think InjectLibrary should return ERROR in this case.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Issue related to InjectLibrary function.

Post by iconic »

There's not much that can be done about this, here's why... Assume that a process is in a suspended state, perhaps it's not even initialized yet, and you then call InjectLibrary on said process. Since you don't know when this process is going to be unsuspended and woken up to actually call LoadLibrary on your injected DLL, it's impractical to wait on the return of LoadLibrary, since it's an indefinite wait on the caller side. Can a remote thread run right away despite a process being uninitialized? Sure, but it's not a stable thing to do, and Madshi knows this too. Creating a remote thread in an uninitialized process is not safe, so you have to rely on another injection method.

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Issue related to InjectLibrary function.

Post by madshi »

Is the new process already running or was it just started? What timeout value did you use for InjectLibrary() and does the DLL fail to load within that timeout value?
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: Issue related to InjectLibrary function.

Post by manutai »

Is the new process already running or was it just started?
Ans: The Process is not running.

What timeout value did you use for InjectLibrary()
Ans: Timeout is 60000

and does the DLL fail to load within that timeout value?
Ans: Yes ... It failed to initialize, but InjectLibrary still returned success.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Issue related to InjectLibrary function.

Post by madshi »

When you say the process is not running, what does that mean exactly? Did you start it with CreateProcess(CREATE_SUSPENDED)?
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: Issue related to InjectLibrary function.

Post by manutai »

Case 1
Many processes are running. Then we do InjectLibrary.
Initialization of the library fails and it returns FALSE from DllMain(), but InjectLibrary() returns success.
Thus we assume that we have successfully injected into all processes.

Case 2
Many processes are running. Then we do InjectLibrary.
Initialization of the library fails and it returns TRUE from DllMain(), but InjectLibrary() returns success.
Thus we assume that we have successfully injected into all processes.
Now when the user runs a new process and DllMain returns FALSE, there is no way for us to know whether injection failed in some process.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Issue related to InjectLibrary function.

Post by madshi »

That does not really answer my question.

Generally, injection is split into 2 totally separate parts:

(1) Injection into processes which are not initialized yet.
(2) Injection into processes which are already running.

In the case of (1), madCodeHook simply patches the process to load your dll some time later, and then returns with success. In case of (2), madCodeHook actually creates a remote thread in the target process, calls LoadLibrary() and returns the result. So only in case (2) you actually get the real result of the LoadLibrary() call returned. In case of (1) that is not possible because the target process might be suspended and might not resume until much later. Furthermore, the injection method for case (1) does not easily allow reading the LoadLibrary() result.

So my question is: Your InjectLibrary() call, is it for case (1) or for case (2)? I asked "Is the new process already running?" and you answered "The Process is not running". That suggests case (1), but I'm not sure you really understood and correctly answered my question. That's why I asked for confirmation. How do you know the target process "is not running"?
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: Issue related to InjectLibrary function.

Post by manutai »

This is what we are doing:

We are trying to inject a dll into all running processes in ALL_SESSIONS.
This is handled by the driver.

So when we call InjectLibrary(<DriverName>,
<dll path>,
ALL_SESSIONS,
TRUE,
NULL,
NULL,
NULL,
60000);

It injects the dll into all running processes.
And the driver takes care of injecting the dll whenever a new process is created.

Now if DllMain fails, is there any way to know that the dll failed to initialize, using some madCodeHook APIs?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Issue related to InjectLibrary function.

Post by madshi »

I see. In your original post you wrote "in a 64bit process". So I thought you were talking about injecting your dll into *one* specific process.

When using system/session wide DLL injection, there's no way to know whether injection into newly created processes succeeded or not. Well, I guess you could enumerate the loaded dlls to check whether your dll was loaded or not, but that would be outside of madCodeHook's functionality.

Please understand that InjectLibrary() returns relatively quickly, while injection into newly created processes will continue to work until the OS is rebooted, which can be days or even months later. So it doesn't make sense to have InjectLibrary() return FALSE for newly created processes, simply because once InjectLibrary() returns at all, it can't report success/failure for all newly created processes that are created after InjectLibrary() returned. Of course I could make InjectLibrary() not return at all, but I don't see the sense in that.
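The out-of-band check madshi mentions above (enumerating loaded modules to see whether the dll actually ended up in each process) as an added example; this is not madCodeHook code, and the dll name 'MyHook.dll' is a hypothetical placeholder. It assumes a 64-bit elevated PowerShell session; processes that cannot be opened (protected processes, or a bitness mismatch) are reported separately rather than being miscounted as "not loaded".

```powershell
# Report which running processes have a given DLL loaded.
# Added example, not part of madCodeHook. Assumes 64-bit elevated PowerShell.
function Get-DllLoadStatus {
    param(
        [Parameter(Mandatory)] [string] $DllName   # e.g. 'MyHook.dll' (hypothetical)
    )
    $loaded  = @()
    $missing = @()
    $denied  = @()
    foreach ($p in Get-Process) {
        try {
            # -Module enumerates the process's loaded module list.
            # -ErrorAction Stop turns "access denied" / bitness errors into a
            # terminating error so they land in the catch block below.
            $names = Get-Process -Id $p.Id -Module -ErrorAction Stop |
                     ForEach-Object { $_.ModuleName }
            if ($names -contains $DllName) { $loaded += $p } else { $missing += $p }
        } catch {
            # Could not inspect this process (protected process, no rights, ...).
            $denied += $p
        }
    }
    [pscustomobject]@{
        Loaded  = @($loaded  | Select-Object Id, ProcessName)
        Missing = @($missing | Select-Object Id, ProcessName)
        Denied  = @($denied  | Select-Object Id, ProcessName)
    }
}

# Usage: processes where the dll is absent after a session-wide InjectLibrary()
# (Get-DllLoadStatus -DllName 'MyHook.dll').Missing
```

The Denied list is the important caveat: an empty Missing list only means "not found in the processes you could open", so treat Denied entries as unknown rather than as successes.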
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: Issue related to InjectLibrary function.

Post by manutai »

Thanks,

That makes sense.

I will handle the situation somehow.

Thanks again for the quick response.