Win 8.1 DeviceIoControl fail in SendDriverCommand() (3.1.6)

pjthompson
Posts: 12
Joined: Tue Feb 04, 2014 8:10 pm

Win 8.1 DeviceIoControl fail in SendDriverCommand() (3.1.6)

Post by pjthompson »

I'm seeing a failure in my 64bit Win8.1 Injection Service.

In the particular failure case, the service is attempting to inject a 32-bit dll into a process and appears to have the correct dll name, path, etc. The code gets as far as calling DeviceIoControl in SendDriverCommand but fails with GetLastError code of 0x1f (31) which appears to translate to something like: "a device attached to the system is not functioning." The 64-bit .sys file is present and correct and as far as I know is being installed correctly and without errors (all of this works on earlier versions of windows). Annoyingly, Microsoft seems to have removed the capability to inspect non-plug and play drivers from Device Manager in Win 8.1 :(

Any insight appreciated.

Pete
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Win 8.1 DeviceIoControl fail in SendDriverCommand() (3.1

Post by madshi »

My best guess would be that the driver didn't start for whatever reason, maybe a signature problem of some sort. Please try one of the demo projects:

http://madshi.net/HookProcessCreation.zip
http://madshi.net/PrintMonitor.zip

Do these run and work ok on your machine? If so, try to recreate the driver of the demo project with your own certificate and check if the demo still works correctly. If it does not, something is wrong with your signing process.
pjthompson
Posts: 12
Joined: Tue Feb 04, 2014 8:10 pm

Re: Win 8.1 DeviceIoControl fail in SendDriverCommand() (3.1

Post by pjthompson »

OK, thanks for the info. I'll give the demos a try. BTW, does Win8.1 impose any known new/different signing requirements?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Win 8.1 DeviceIoControl fail in SendDriverCommand() (3.1

Post by madshi »

Not for normal processes. Some of the key system processes/services refuse to accept dlls which are not signed with a custom Microsoft certificate in Windows 8.1, though... :(
pjthompson
Posts: 12
Joined: Tue Feb 04, 2014 8:10 pm

Re: Win 8.1 DeviceIoControl fail in SendDriverCommand() (3.1

Post by pjthompson »

The HookProcessCreate example works fine in my Win8.1 environment.
I realized I had not updated my build environment with the 3.1.6 renameme64.sys - I was still using the old (3.1.2) instance. So, I rebuilt my 64-bit dll and created and signed my sys file using the correct one. Unfortunately I'm now seeing an error when I attempt to load the driver using my ControlInjectionDriver app. This fails in StartInjectionDriver() on the call to QueryServiceStatus() which gives a last error of 193 which is "ERROR_BAD_EXE_FORMAT - not a valid Win32 Application." Not sure what 32-bit item it's looking for but the app is 64-bit and the .sys is 64-bit. Probably something silly I did in the build. I'm guessing if I can get past this issue, the use of the correct .sys file will fix my prior problem.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Win 8.1 DeviceIoControl fail in SendDriverCommand() (3.1

Post by madshi »

Yeah, the 3.1.2 driver doesn't work in win 8.1. Not sure where the ERROR_BAD_EXE_FORMAT problem comes from. Sounds weird, haven't seen this yet. I guess you would get that when trying to use a 64bit exe in a 32bit OS, but your OS is 64bit, right?
pjthompson
Posts: 12
Joined: Tue Feb 04, 2014 8:10 pm

Re: Win 8.1 DeviceIoControl fail in SendDriverCommand() (3.1

Post by pjthompson »

Yes, definitely a 64-bit instance of Windows 8.1.

I'm in the process of rebuilding, making sure everything points to 3.1.6 and will try again in a bit and report back.

Thanks.
pjthompson
Posts: 12
Joined: Tue Feb 04, 2014 8:10 pm

Re: Win 8.1 DeviceIoControl fail in SendDriverCommand() (3.1

Post by pjthompson »

Rebuilding with the correct driver (the one with the version resource) fixed my issues. Our confiDriver.sh script depends on having that driver present so we can update the version info. So I can confirm that 3.1.6 fixes the initial problem we observed when using Win 8.1.

Thanks for the support.
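
A build-time check for the mix-up discussed in this thread (a stale driver file, doubts about 32-bit vs 64-bit, and a driver lacking the version resource), as an added example that is not code from madCodeHook or from either poster. It reads the PE headers of a `.sys` file and reports machine type, native subsystem and whether a version resource is present; the function names are hypothetical and the sample image is constructed in the block so it runs offline.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}
RT_VERSION = 16        # resource type id of the version resource
SUBSYSTEM_NATIVE = 1   # subsystem value used by kernel-mode drivers

def inspect_pe(data):
    """Report machine type, native subsystem and version-resource presence."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic, subsystem = (struct.unpack_from("<H", data, opt + o)[0] for o in (0, 68))
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 data directories
    n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
    rsrc_rva = struct.unpack_from("<I", data, dirs + 16)[0] if n_dirs > 2 else 0
    return {"machine": MACHINES.get(machine, hex(machine)),
            "native": subsystem == SUBSYSTEM_NATIVE,
            "has_version": has_type(data, opt + opt_size, nsect, rsrc_rva, RT_VERSION)}

def has_type(data, sect_table, nsect, rva, type_id):
    """Look for type_id among the ID entries of the top-level resource directory."""
    for i in range(nsect if rva else 0):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, sect_table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):  # section holding the directory
            base = raw + (rva - vaddr)
            named, ids = struct.unpack_from("<HH", data, base + 12)
            first_id = base + 16 + 8 * named      # ID entries follow the named ones
            return type_id in (struct.unpack_from("<I", data, first_id + 8 * k)[0]
                               for k in range(ids))
    return False

def build_sample(machine, with_version):
    """Constructed minimal PE32+ image: headers plus one .rsrc section."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, SUBSYSTEM_NATIVE)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 128, 0x1000, 24)      # resource directory RVA, size
    head = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
            + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 240, 0x22) + bytes(opt)
            + b".rsrc\0\0\0" + struct.pack("<IIII", 24, 0x1000, 24, 368) + b"\0" * 16)
    entry_id = RT_VERSION if with_version else 3       # 3 = RT_ICON
    return head + struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", entry_id, 0x80000018)

if __name__ == "__main__":
    for m, v in ((0x8664, True), (0x8664, False), (0x014C, True)):
        print(inspect_pe(build_sample(m, v)))
```

On a real build output, pass the bytes of the signed `.sys` file to `inspect_pe` and fail the build when the result does not match the target platform.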