InjectLibrary into winlogon.exe on Windows 8.1

codehacker
Posts: 6
Joined: Wed Nov 27, 2013 5:49 pm

InjectLibrary into winlogon.exe on Windows 8.1

Post by codehacker »

Hi madshi,

I have a problem which only exists on Windows 8.1 but not on Windows 8.

While injecting into all (non-system) processes works[1], injection into *only* winlogon.exe[2] works for the first session, but fails for all other sessions.
So the first winlogon got the dll, but as soon as you log out, a different session is created with another winlogon.exe, which does not have the dll loaded (same for RDP sessions).
On Windows 8, the problem does not exist, but on Windows 8.1 (preview or full) it does.

Is anything known about this?

[1] InjectLibraryW(DRIVER_NAME, L"my64.dll", ALL_SESSIONS, FALSE);
[2] InjectLibraryW(DRIVER_NAME, L"myother64.dll", ALL_SESSIONS, TRUE, L"winlogon.exe");

Version is madCollection 2.7.7.4 (drivers date to 04.10.2013).
Last edited by codehacker on Thu Nov 28, 2013 11:14 am, edited 1 time in total.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary w/ includeMask on Windows 8.1

Post by madshi »

Just to make sure I got it right: If you use an include list with the value of L"winlogon.exe" injection into some winlogon processes fails. But if you use an empty include list (= inject into everything) injection is done into all winlogon processes successfully? So the problem appears to be a problem with the include list handling and not with the injection code. Is that correct?
codehacker
Posts: 6
Joined: Wed Nov 27, 2013 5:49 pm

Re: InjectLibrary w/ includeMask on Windows 8.1

Post by codehacker »

I just made a few more tests. I changed the injection of the normal dll to inject into system processes as well and removed the winlogon-only injection.
  • InjectLibraryW(DRIVER_NAME, L"my64.dll", ALL_SESSIONS, TRUE);
Same result: the dll is in winlogon of session 1, but not in the other ones. It is, however, injected into dwm.exe, explorer.exe etc. of the other sessions.

New test: I set starting of the service (which does the injection) to manual and started two sessions. Then I started the service.
The dll got injected into winlogon of *both* sessions, but not into winlogon of newer sessions.

i.e. the problem seems to be in the code that triggers the injection code when a new process is started.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary w/ includeMask on Windows 8.1

Post by madshi »

Hmmmm... So injection into already running processes seems to work, but automatic injection into winlogon seems to fail. I'm not sure why. The basic injection method for either case is totally different, but automatic injection into newly created processes has always worked very reliably, so I have my doubts if this could be an injection problem. Just to rule out NTFS access right problems, could you please try providing the hook dll with read+execute access rights for "Everyone"? Does that change anything?
codehacker
Posts: 6
Joined: Wed Nov 27, 2013 5:49 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by codehacker »

Granted all access to Everyone for the dll. Same results.

Could it be a problem with the path name (C:\Program Files (x86)\...)? I'll try to move the dll to System32.

Edit:
No change. Now winlogon.exe doesn't have "C:\Windows\System32\my64.dll" loaded, except the already running ones.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by madshi »

Try a simple folder, e.g. c:\yourFolder, just to be safe, but I don't think that's the problem.
codehacker
Posts: 6
Joined: Wed Nov 27, 2013 5:49 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by codehacker »

Still no change.
I also tried to inject with absolute path: L"C:\\myfolder\\my64.dll", same results.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by madshi »

Ok, I'll check if I can reproduce the problem.
codehacker
Posts: 6
Joined: Wed Nov 27, 2013 5:49 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by codehacker »

I tried your PrintMonitor.zip linked in the other Win8.1 thread (viewtopic.php?f=11&t=27653).

It has the same problem. And I also use the 64bit version.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by madshi »

I've looked into this problem and found that Windows 8.1 added a new kind of protection. Whenever I try to allocate "executable" code for the new Winlogon process from within my kernel mode driver, allocation fails with the error code "STATUS/ERROR_DYNAMIC_CODE_BLOCKED". Patching of the process also fails with the same error code... :(

I'm not sure why injection works from user land. Maybe the process is only "protected" while it's not fully initialized yet? I don't know. I don't have a solution for this problem at the moment. Nor do I have an idea how to solve it right now. If you absolutely have to have your DLL injected into winlogon, I guess you may have to poll for new winlogon processes and manually inject into them by calling InjectLibrary(your.dll, NewWinlogonProcessHandle).
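
Added example (not part of the thread and not madCodeHook code): the per-session check used throughout this thread, written as a PowerShell function that lists every winlogon.exe with its session ID and whether a named DLL is loaded. It assumes an elevated prompt; `Get-WinlogonModuleStatus` is a hypothetical helper name, and `my64.dll` is the DLL name from the first post.

```powershell
# Added example: report, per session, whether each winlogon.exe has a given
# DLL loaded. Run elevated; without it the module list cannot be read.
function Get-WinlogonModuleStatus {
    param(
        [Parameter(Mandatory)]
        [string]$ModuleName      # file name only, e.g. 'my64.dll'
    )

    foreach ($proc in Get-Process -Name winlogon -ErrorAction SilentlyContinue) {
        $loaded = $null          # stays $null when the module list is unreadable
        $path   = ''
        $note   = ''
        try {
            # Reading .Modules fails if the process cannot be opened for query/read.
            $match = $proc.Modules |
                Where-Object { $_.ModuleName -eq $ModuleName } |
                Select-Object -First 1
            $loaded = [bool]$match
            if ($match) { $path = $match.FileName }
        } catch {
            $note = $_.Exception.Message
        }

        [pscustomobject]@{
            SessionId = $proc.SessionId
            ProcessId = $proc.Id
            Loaded    = $loaded
            Path      = $path
            Note      = $note
        }
    }
}

# One row per winlogon.exe; a session whose row shows Loaded = False is one
# where the DLL never arrived (the symptom described in this thread).
Get-WinlogonModuleStatus -ModuleName 'my64.dll' |
    Sort-Object SessionId |
    Format-Table -AutoSize
```

The `Path` column shows which copy of the DLL was actually mapped, which matters when the same file name exists in more than one folder.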
lovejingtao
Posts: 1
Joined: Sat May 17, 2014 6:54 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by lovejingtao »

MyLoadImageNotifyRoutine
...
    if (EqualModuleName(FullImageName, &g_uKernel32)) // Must inject after kernel32.dll is loaded
    {
        PidCtx->Flags |= INJECT_KERNEL_LOADED;
        break;
    }

    if ((PidCtx->Flags & INJECT_KERNEL_LOADED) && !EqualModuleName(FullImageName, &g_uKernelbase) &&
        !EqualModuleName(FullImageName, &g_uUser32) && !EqualModuleName(FullImageName, &g_uGdi32))
    {
        /* inject it */
    }

At the moment the PE has just started running, if you inject when the code is loaded, it will think you are loading a native PE (your injected DLL file), resulting in failure.
In fact, all systems should be checked this way. Otherwise injection will sometimes succeed and sometimes fail. (I mean driver injection only.)
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by madshi »

The latest madCodeHook 3.1.7 version has a workaround implemented to make injection work for the spooler service on Windows 8.1. On my PC this workaround also seems to work for winlogon? Can you double check?
codehacker
Posts: 6
Joined: Wed Nov 27, 2013 5:49 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by codehacker »

After some other tasks and a fight with the new SHA256 certificates I could test the new madCodeHook version.
The problem seems to be fixed. :D

Thanks!
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary into winlogon.exe on Windows 8.1

Post by madshi »

I'm quite happy to hear this - thanks for the heads-up! :D