InjectLibrary failed on microsoft windows server 2003

c++ / delphi package - dll injection and api hooking

Re: InjectLibrary failed on microsoft windows server 2003

Postby ameetmalekar » Tue Nov 26, 2013 5:02 am

Hi,

Here I am summarizing the scenario.
I am trying to inject a simple dll in internet explorer. The VM is Windows server 2003 standard edition service pack 2 and I am trying through RDP. The target application (internet explorer) is running on RDP session.
It is getting successfully injected through an exe which is running on same session. But the injection fails if dll is injected through service mode exe. Here the injector service is installed and running from main session (not RDP) and target application (internet explorer) is running on RDP session.

Thanks,
Ameet
ameetmalekar
 
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: InjectLibrary failed on microsoft windows server 2003

Postby madshi » Thu Nov 28, 2013 8:57 am

Sorry for the lack of replying. Will have a look at that ASAP and let you know...
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Postby madshi » Mon Dec 02, 2013 5:39 pm

Ok, I've tried again like this:

(1) Started VM, logged in directly (no RDP), user "Administrator", with full admin rights and member of "remote desktop users" group.
(2) Started Internet Explorer.
(3) Started Process Explorer to watch the dlls loaded in the Internet Explorer.

(4) Started mstsc, connected to VM via RDP, logged in as "Adminstrator" another time.
(5) In RDP session: Installed a little service, which does nothing but InjectLibrary(InternetExplorerProcessHandle, empty.dll) in its service proc.
(6) In original session: Checked Process Explorer to see if injection succeeded.

Everything works fine here. The empty dll is injected into the Internet Explorer of the original VM session (no RDP) successfully, by the service installed in the RDP session.

If you want me to find out what is going on, I need to be able to reproduce the problem. If I can't reproduce it, there's nothing I can do. Maybe you want to try giving me an exact and very detailed step-by-step guide to reproduce the problem. I can't read your mind what exact steps you're taking to reproduce the problem, and based on the limited amount of information I have, I'm not able to reproduce the problem.
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Postby ameetmalekar » Fri Dec 20, 2013 1:16 pm

Thanks for the reply,

What you are doing is exactly opposite. That is, running service on remote session and target process on main session.

Here in below description I will use the term “main session” for VM without RDP. And will use the term “remote session” for the RDP session taken by mstsc of the VM.

Below is step by steps description of what we are doing.

    Started VM, logged in directly on main session (no RDP), user "Administrator", with full admin rights and member of "remote desktop users" group.
    Started Internet Explorer 8(IE) on main session
    Added PID of IE process manually in your given code. Service is installed and run on main session. The service has InjectLibrary function.
    It Works Fine.
    Closed Internet Explorer from main session.
    Now, Stopped the service from main session.

    Now took RDP of the VM. At this time actual VM is also running without lock. So RDP gives a new session of 2003 server. We call this new RDP session as remote session.
    Then started IE at remote session. Note down pid of IE.
    Now at main session added PID of IE Process (running on remote session) in your given service code(and compiled). Installed and ran service on main session (no RDP).
    It is not working.
    So whenever I try to inject a library into a process running on remote session by a process(Service mode) running on main session, it is not able to inject.

We also observed that it is not working if we run both the target process and injector(Service mode) on remote session.
ameetmalekar
 
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: InjectLibrary failed on microsoft windows server 2003

Postby jmpc » Wed Feb 12, 2014 1:59 pm

Hello All.

Did you find a solution for this issue? I'm experiencing the same problem. I have a service running under system account that sometimes injects a dll into processes running under different accounts. Injection works OK for processes running under a different session if the user is NOT logged through RDP, but it fails if the (same) user is logged through RDP.

Thank you.
jmpc
 
Posts: 4
Joined: Tue Oct 08, 2013 12:08 pm

Re: InjectLibrary failed on microsoft windows server 2003

Postby ameetmalekar » Wed Feb 19, 2014 11:33 am

Not yet :(
ameetmalekar
 
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: InjectLibrary failed on microsoft windows server 2003

Postby madshi » Wed Feb 19, 2014 2:21 pm

Sorry for the very late reply, once again.

I've just tried to reproduce the problem again, accordingly to the latest info, but still can't.

(1) Started clean Windows 2003 Server SP2 VM, logged in directly (no RDP), user "Administrator", with full admin rights and member of "remote desktop users" group.
(2) Started mstsc, connected to VM via RDP, logged in as "Adminstrator" another time.
(3) In RDP session: Started Internet Explorer.
(4) In main session: Installed a little service, which does nothing but InjectLibrary(InternetExplorerProcessHandle, empty.dll) in its service proc.
(5) In main session: Started Process Explorer to see if injection succeeded.

Injection works just fine here. Here's the exact project I've been testing with:

http://madshi.net/InjectService.rar
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Postby jmpc » Wed Feb 19, 2014 4:03 pm

Thank you for your answer, madshi.

I can't download your code because the link seems to be broken and produces a 404 Not Found error.
Could you please fix it so we can test it in our enviroments?

In main session: Installed a little service, which does nothing but InjectLibrary(InternetExplorerProcessHandle, empty.dll) in its service proc.


Is the service running under 'Administrator' account or under 'SYSTEM' account? In my case, it's the second one and that's the scenario where the error happens.

To reproduce it, I don't even need to register a service. I created a simple executable that injects a dll into a running process, passing the dll path and the process id as parameters, and ran it under SYSTEM account using the Microsoft PsExec utility from SysInternals:

Code: Select all
c:\PSTools\PsExec.exe -s c:\PSTools\inject_dll.exe c:\PSTools\empty_dll.dll <pid>


Adding -s parameter executes the process under SYSTEM account.
Inject_dll.exe simply opens the specified process and injects the dll passed as parameter through a call to InjectLibrary.
empty_dll.dll is an empty dll that only returns TRUE on DllMain routine.

I hope this helps.
jmpc
 
Posts: 4
Joined: Tue Oct 08, 2013 12:08 pm

Re: InjectLibrary failed on microsoft windows server 2003

Postby madshi » Wed Feb 19, 2014 4:13 pm

Sorry, uploaded the file to the wrong folder. The link should work now.
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Postby jmpc » Wed Feb 19, 2014 4:47 pm

madshi wrote:Sorry, uploaded the file to the wrong folder. The link should work now.


Thank you so much madshi.
Your example works OK for me. Also, I'm able to inject your empty.dll into a RDP process from SYSTEM account using my injection executable, so the problem seems to be in my dll. I need to investigate further...

Thank you very much.
jmpc
 
Posts: 4
Joined: Tue Oct 08, 2013 12:08 pm

Re: InjectLibrary failed on microsoft windows server 2003

Postby madshi » Wed Feb 19, 2014 4:59 pm

Please keep us posted about what you find. It might be helpful for other madCodeHook users!
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Postby jmpc » Wed Feb 19, 2014 7:20 pm

Setting "Enable String Pooling" to "Yes" (/GF) in my empty dll project made injection work, I have no idea why.
Tried the exact same thing with a bigger dll (~500k) that hooks some gdi API and it worked as well.
But in a more complex dll (~12MB) , where I hook multiple Windows API functions and program specific code, it did not solve the problem.
I'll let you know if I find a solution.
jmpc
 
Posts: 4
Joined: Tue Oct 08, 2013 12:08 pm

Re: InjectLibrary failed on microsoft windows server 2003

Postby madshi » Wed Feb 19, 2014 7:22 pm

Make sure you disable the manifest and set a proper image base address for the hook dll.
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Previous

Return to madCodeHook

Who is online

Users browsing this forum: No registered users and 4 guests

cron