Issue related to InjectLibrary function.
Hi,
We are trying to inject a DLL in a 64 bit process using InjectLibrary function.
InjectLibrary returns SUCCESS even if the DLL it is trying to inject fails to load.
I think InjectLibrary should return ERROR in this case.
Re: Issue related to InjectLibrary function.
There's not much that can be done about this, here's why... Assume that a process is in a suspended state, perhaps it's not even initialized yet, and you then call InjectLibrary on said process. Since you don't know when this process is going to be unsuspended and woken up to actually call LoadLibrary on your injected DLL, it's impractical to wait on the return of LoadLibrary since it's an indefinite wait on the caller side. Can a remote thread run right away despite a process being uninitialized? Sure, but it's not a stable thing to do and Madshi knows this too. Creating a remote thread in an uninitialized process is not safe, so you have to rely on another injection method.
--Iconic
Re: Issue related to InjectLibrary function.
Is the new process already running or was it just started? What timeout value did you use for InjectLibrary() and does the DLL fail to load within that timeout value?
Re: Issue related to InjectLibrary function.
Is the new process already running or was it just started?
Ans: The Process is not running.
What timeout value did you use for InjectLibrary()
Ans: Timeout is 60000
and does the DLL fail to load within that timeout value?
Ans: Yes ... It failed to initialize, but InjectLibrary still returned success.
Re: Issue related to InjectLibrary function.
When you say the process is not running, what does that mean exactly? Did you start it with CreateProcess(CREATE_SUSPENDED)?
Re: Issue related to InjectLibrary function.
Case 1
Many processes are running. Then we call InjectLibrary().
Then initialization of the library failed and it returned FALSE from DllMain(), but InjectLibrary() returned success.
Thus we assume that we have successfully injected into all processes.
Case 2
Many processes are running. Then we call InjectLibrary().
Then initialization of the library failed and it returned TRUE from DllMain(), but InjectLibrary() returned success.
Thus we assume that we have successfully injected into all processes.
Now when the user runs a new process and DllMain returns FALSE, there is no way for us to know whether injection failed in some process.
Re: Issue related to InjectLibrary function.
That does not really answer my question.
Generally, injection is split into 2 totally separate parts:
(1) Injection into processes which are not initialized yet.
(2) Injection into processes which are already running.
In the case of (1), madCodeHook simply patches the process to load your dll some time later, and then returns with success. In case of (2), madCodeHook actually creates a remote thread in the target process, calls LoadLibrary() and returns the result. So only in case (2) you actually get the real result of the LoadLibrary() call returned. In case of (1) that is not possible because the target process might be suspended and might not resume until much later. Furthermore, the injection method for case (1) does not easily allow reading the LoadLibrary() result.
So my question is: Your InjectLibrary() call, is it for case (1) or for case (2)? I asked "Is the new process already running?" and you answered "The Process is not running". That suggests case (1), but I'm not sure you really understood and correctly answered my question. That's why I asked for confirmation. How do you know the target process "is not running"?
Re: Issue related to InjectLibrary function.
This is what we are doing:
We are trying to inject a dll into all running processes in ALL_SESSIONS.
This is handled by the driver.
So when we call
    InjectLibrary(<DriverName>,
                  <dll path>,
                  ALL_SESSIONS,
                  TRUE,
                  NULL,
                  NULL,
                  NULL,
                  60000);
it injects the dll into all running processes.
And the driver takes care of injecting the dll whenever a new process is created.
Now if DllMain fails, is there any way to know that the dll failed to initialize, using some madCodeHook APIs?
Re: Issue related to InjectLibrary function.
I see. In your original post you wrote "in a 64bit process". So I thought you were talking about injecting your dll into *one* specific process.
When using system/session wide DLL injection, there's no way to know whether injection into newly created processes succeeded or not. Well, I guess you could enumerate the loaded dlls to check whether your dll was loaded or not, but that would be outside of madCodeHook's functionality.
Please understand that InjectLibrary() returns relatively quickly, while injection into newly created processes will continue to work until the OS is rebooted, which can be days or even months later. So it doesn't make sense to have InjectLibrary() return FALSE for newly created processes, simply because once InjectLibrary() returns at all, it can't report success/failure for all newly created processes that are created after InjectLibrary() returned. Of course I could make InjectLibrary() not return at all, but I don't see the sense in that.
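The "enumerate the loaded dlls" check madshi mentions above, written out as an added example. It is not part of the thread and not madCodeHook's own code; it assumes it is run from an elevated 64-bit PowerShell session (so that as many processes as possible can be opened) and uses a placeholder DLL file name. Because LoadLibrary unloads a DLL whose DllMain returned FALSE, a process in which initialization failed simply will not list the DLL among its modules, which is what makes this a usable after-the-fact check for both the "already running" and the "created later" cases:

```powershell
# Added example, not madCodeHook code: report which running processes actually
# have a given DLL loaded, the module-enumeration check suggested in the thread.
param(
    # Placeholder: the file name of the DLL that was passed to InjectLibrary().
    [string]$DllName = 'MyInjectedDll.dll'
)

$loaded   = New-Object 'System.Collections.Generic.List[string]'
$missing  = New-Object 'System.Collections.Generic.List[string]'
$noAccess = New-Object 'System.Collections.Generic.List[string]'

foreach ($proc in Get-Process) {
    $label = '{0} (PID {1})' -f $proc.ProcessName, $proc.Id
    try {
        # Reading .Modules opens the target process. It throws for processes
        # this account cannot open (protected/system processes), for processes
        # that exited in the meantime, and may throw when the checker's bitness
        # does not match the target's. Those are reported separately so they
        # are not mistaken for failed injections.
        $names = @($proc.Modules | ForEach-Object { $_.ModuleName })
    } catch {
        $noAccess.Add($label)
        continue
    }
    # -contains is case-insensitive in PowerShell, so mixed-case module names match.
    if ($names -contains $DllName) { $loaded.Add($label) } else { $missing.Add($label) }
}

# Summary first, then the two lists a practitioner actually needs to follow up on.
[PSCustomObject]@{
    Dll        = $DllName
    Loaded     = $loaded.Count
    Missing    = $missing.Count
    NotChecked = $noAccess.Count
}
Write-Output ''
Write-Output "Processes without $DllName (DllMain failed, excluded by mask, or not yet loaded):"
$missing  | ForEach-Object { "  $_" }
Write-Output "Processes that could not be inspected (rerun elevated to reduce this list):"
$noAccess | ForEach-Object { "  $_" }
```

A process listed under "missing" may legitimately lack the DLL (for example it was excluded by the driver's masks or is a system process when systemProcesses was FALSE), so compare the list against the injection configuration before treating an entry as a DllMain failure; the "not checked" list is the set of processes about which this check can say nothing.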
Re: Issue related to InjectLibrary function.
Thanks,
That makes sense.
I will handle the situation somehow.
Thanks again for the quick response.