InjectLibrary into winlogon.exe on Windows 8.1
-
- Posts: 6
- Joined: Wed Nov 27, 2013 5:49 pm
InjectLibrary into winlogon.exe on Windows 8.1
Hi madshi,
I have a problem which only exists on Windows 8.1 but not on Windows 8.
While injecting into all (non-system) processes works[1], injection into *only* winlogon.exe[2] works for the first session, but fails for all other sessions.
So the first winlogon got the dll, but as soon as you log out, a different session is created with another winlogon.exe, which does not have the dll loaded (same for RDP sessions).
On Windows 8, the problem does not exist, but on Windows 8.1 (preview or full) it does.
Is anything known about this?
[1] InjectLibraryW(DRIVER_NAME, L"my64.dll", ALL_SESSIONS, FALSE);
[2] InjectLibraryW(DRIVER_NAME, L"myother64.dll", ALL_SESSIONS, TRUE, L"winlogon.exe");
Version is madCollection 2.7.7.4 (drivers date to 04.10.2013).
Last edited by codehacker on Thu Nov 28, 2013 11:14 am, edited 1 time in total.
Re: InjectLibrary w/ includeMask on Windows 8.1
Just to make sure I got it right: If you use an include list with the value of L"winlogon.exe", injection into some winlogon processes fails. But if you use an empty include list (= inject into everything), injection is done into all winlogon processes successfully? So the problem appears to be a problem with the include list handling and not with the injection code. Is that correct?
-
- Posts: 6
- Joined: Wed Nov 27, 2013 5:49 pm
Re: InjectLibrary w/ includeMask on Windows 8.1
I just made a few more tests. I changed the injection of the normal dll to inject into system processes as well and removed the winlogon-only injection.
New test: I set starting of the service (which does the injection) to manual and started two sessions. Then I started the service.
The dll got injected into winlogon of *both* sessions, but not into winlogon of newer sessions.
i.e. the problem seems to be in the code that triggers the injection code when a new process is started.
- InjectLibraryW(DRIVER_NAME, L"my64.dll", ALL_SESSIONS, TRUE);
Re: InjectLibrary w/ includeMask on Windows 8.1
Hmmmm... So injection into already running processes seems to work, but automatic injection into winlogon seems to fail. I'm not sure why. The basic injection method for either case is totally different, but automatic injection into newly created processes has always worked very reliably, so I have my doubts if this could be an injection problem. Just to rule out NTFS access right problems, could you please try providing the hook dll with read+execute access rights for "Everyone"? Does that change anything?
-
- Posts: 6
- Joined: Wed Nov 27, 2013 5:49 pm
Re: InjectLibrary into winlogon.exe on Windows 8.1
Granted all access to Everyone for the dll. Same results.
Could it be a problem with the path name (C:\Program Files (x86)\...)? I'll try to move the dll to System32.
Edit:
No change. Now winlogon.exe doesn't have "C:\Windows\System32\my64.dll" loaded, except the already running ones.
Re: InjectLibrary into winlogon.exe on Windows 8.1
Try a simple folder, e.g. c:\yourFolder, just to be safe, but I don't think that's the problem.
-
- Posts: 6
- Joined: Wed Nov 27, 2013 5:49 pm
Re: InjectLibrary into winlogon.exe on Windows 8.1
Still no change.
I also tried to inject with absolute path: L"C:\\myfolder\\my64.dll", same results.
Re: InjectLibrary into winlogon.exe on Windows 8.1
Ok, I'll check if I can reproduce the problem.
-
- Posts: 6
- Joined: Wed Nov 27, 2013 5:49 pm
Re: InjectLibrary into winlogon.exe on Windows 8.1
I tried your PrintMonitor.zip linked in the other Win8.1 thread (viewtopic.php?f=11&t=27653).
It has the same problem. And I also use the 64bit version.
Re: InjectLibrary into winlogon.exe on Windows 8.1
I've looked into this problem and found that Windows 8.1 added a new kind of protection. Whenever I try to allocate "executable" code for the new Winlogon process from within my kernel mode driver, allocation fails with the error code "STATUS/ERROR_DYNAMIC_CODE_BLOCKED". Patching of the process also fails with the same error code...
I'm not sure why injection works from user land. Maybe the process is only "protected" while it's not fully initialized yet? I don't know. I don't have a solution for this problem at the moment. Nor do I have an idea how to solve it right now. If you absolutely have to have your DLL injected into winlogon, I guess you may have to poll for new winlogon processes and manually inject into them by calling InjectLibrary(your.dll, NewWinlogonProcessHandle).
-
- Posts: 1
- Joined: Sat May 17, 2014 6:54 pm
Re: InjectLibrary into winlogon.exe on Windows 8.1
MyLoadImageNotifyRoutine
...
    if (EqualModuleName(FullImageName, &g_uKernel32)) // Must inject after kernel32.dll is loaded
    {
        PidCtx->Flags |= INJECT_KERNEL_LOADED;
        break;
    }
    if ((PidCtx->Flags & INJECT_KERNEL_LOADED) && !EqualModuleName(FullImageName, &g_uKernelbase) &&
        !EqualModuleName(FullImageName, &g_uUser32) && !EqualModuleName(FullImageName, &g_uGdi32))
    {
        /* inject it */
    }
At the moment the PE has just started running, if you inject your code, it will think you are loading a native PE (your injected DLL file), resulting in failure.
In fact, all systems should be checked this way. Otherwise injection will sometimes succeed and sometimes fail. (I mean driver injection only.)
Re: InjectLibrary into winlogon.exe on Windows 8.1
The latest madCodeHook 3.1.7 version has a workaround implemented to make injection work for the spooler service on Windows 8.1. On my PC this workaround also seems to work for winlogon? Can you double check?
-
- Posts: 6
- Joined: Wed Nov 27, 2013 5:49 pm
Re: InjectLibrary into winlogon.exe on Windows 8.1
After some other tasks and a fight with the new SHA256 certificates I could test the new madCodeHook version.
The problem seems to be fixed.
Thanks!
Re: InjectLibrary into winlogon.exe on Windows 8.1
I'm quite happy to hear this - thanks for the heads-up!
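The check the thread keeps coming back to (which winlogon.exe instance, in which session, actually has the DLL loaded), as an added PowerShell example that is not code from any of the posts or from madCodeHook. The function name is hypothetical, and `my64.dll` is the DLL name from the first post.

```powershell
# Added example. Run from an elevated 64-bit PowerShell prompt; otherwise the
# module list of winlogon.exe cannot be read and State reports 'unreadable'.
function Get-WinlogonModuleState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$ModuleName
    )

    foreach ($proc in Get-Process -Name winlogon -ErrorAction SilentlyContinue) {
        $modules = @()
        try {
            # Reading Modules can fail or come back empty (access denied,
            # 32-bit host on a 64-bit process); drop null entries either way.
            $modules = @($proc.Modules | Where-Object { $_ })
        } catch {
            $modules = @()
        }

        # Case-insensitive match on the file name only, not the full path.
        $hit = $modules |
            Where-Object { $_.ModuleName -ieq $ModuleName } |
            Select-Object -First 1

        $path = $null
        if ($modules.Count -eq 0) {
            $state = 'unreadable'
        } elseif ($hit) {
            $state = 'loaded'
            $path  = $hit.FileName
        } else {
            $state = 'missing'
        }

        # One row per winlogon.exe instance, i.e. one per session.
        [pscustomobject]@{
            SessionId = $proc.SessionId
            ProcessId = $proc.Id
            State     = $state
            Path      = $path
        }
    }
}

# 'my64.dll' is the DLL name used in the thread.
Get-WinlogonModuleState -ModuleName 'my64.dll' |
    Sort-Object SessionId |
    Format-Table -AutoSize
```

Running it before and after logging out or opening an RDP session shows whether newly created sessions report `missing` while the older ones report `loaded`.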