System wide InjectLibrary fails with 0x1f to x86 from x64

c++ / delphi package - dll injection and api hooking

Postby TCS » Wed Sep 03, 2014 7:26 am

Hey,

I am trying to use InjectLibraryW() in a 64bit application in order to install system-wide injection for acrord32.exe (Acrobat Reader), and it fails with 0x1f. InjectLibraryW() to a 64bit application works.
InjectLibraryW() is being called from a 64bit process (service or application with admin rights).
I am running the code on Windows 7 x64.

I have done the following:
1. Compiled the injected dll (called acrojet.dll).
2. Configured the driver:
Code:
madConfigDrv.exe Jector86.sys JectorDriver acrojet.dll -unsafeStopAllowed

3. Signed the driver (signing without timestamp).
4. In the application:
a. I first call "InitializeMadCHook();"

b.
Code:
LoadInjectionDriver(INJECTION_DRIVER_NAME,
                    (app_path + L"x86\\jector86.sys").c_str(),
                    (app_path + L"jector64.sys").c_str())

function returns TRUE. (jector64.sys is signed and configured)

c.
Code:
InjectLibraryW(INJECTION_DRIVER_NAME,
               (app_path + L"x86\\acrojet.dll").c_str(),
               ALL_SESSIONS,
               FALSE,
               L"acrord32.exe")

function returns FALSE, GetLastError() returns 0x1f.


Any idea what I am missing???


Thanks!!!
TCS
 
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Postby madshi » Thu Sep 04, 2014 9:46 am

What is your command line to configure the 64bit driver?

Error 0x1f means ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning". That suggests some sort of problem with the driver configuration or signing.
madshi
Site Admin
 
Posts: 9880
Joined: Sun Mar 21, 2004 5:25 pm

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Postby TCS » Thu Sep 04, 2014 11:11 am

Code:
madConfigDrv.exe Jector86.sys JectorDriver acrojet.dll -unsafeStopAllowed


Thanks for your help. I'll recheck the configuration and the signing process.

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Postby TCS » Thu Sep 04, 2014 12:56 pm

Is there any way to get output or logs from madConfigDrv.exe ?

I assume that the signing process is successful because the LoadInjectionDriver() function finishes successfully, and I can see the "digital signature" tab in the .sys file property page, therefore I guess that the problem can only be in the configuration, but I can't see what I am doing wrong...

I compared Jector86.sys before the config and after it, and I did see that the file changed (the last modified date doesn't change, I guess you modify it).
I tried to config again with the same "acrojet.dll" to try and get some error, and I did get one stating that "acrojet.dll" is already in the list.

Any other ideas ???

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Postby TCS » Thu Sep 04, 2014 1:03 pm

More info, the problem is only in 32bit, not 64bit.

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Postby TCS » Thu Sep 04, 2014 7:45 pm

Okay found it!
I didn't understand something about the configuration correctly.

I thought that I needed to configure only the 64bit DLLs to the 64bit driver and only the 32bit DLLs to the 32bit driver, but in fact on a 64bit machine only the 64bit driver is being used, so I have to configure both 32bit DLLs and 64bit DLLs to it.
I'd suggest that in this case you would SetLastError() with ERROR_ACCESS_DENIED.

Thanks!

