System wide InjectLibrary fails with 0x1f to x86 from x64

TCS
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm

Post by TCS »

Hey,

I am trying to use InjectLibraryW() in a 64bit application in order to install system-wide injection for acrord32.exe (acrobat reader), and it fails with 0x1f. InjectLibraryW() to a 64bit application works.
InjectLibraryW() is being called from a 64bit process (service or application with admin rights).
I am running the code in Windows 7 x64.

I have done the following:
1. Compiled the injected dll (called acrojet.dll).
2. Configured the driver:

madConfigDrv.exe Jector86.sys JectorDriver acrojet.dll -unsafeStopAllowed
3. Signed the driver (signing without timestamp).
4. In the application:
a. I first call "InitializeMadCHook();"

b.

LoadInjectionDriver(INJECTION_DRIVER_NAME,
                    (app_path + L"x86\\jector86.sys").c_str(),
                    (app_path + L"jector64.sys").c_str())
function returns TRUE. (jector64.sys is signed and configured)

c.

InjectLibraryW(INJECTION_DRIVER_NAME,
               (app_path + L"x86\\acrojet.dll").c_str(),
               ALL_SESSIONS,
               FALSE,
               L"acrord32.exe")
function returns FALSE, GetLastError() returns 0x1f.


Any idea what I am missing???


Thanks!!!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Post by madshi »

What is your command line to configure the 64bit driver?

Error 0x1f means ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning". That suggests some sort of problem with the driver configuration or signing.
TCS
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Post by TCS »

madConfigDrv.exe Jector86.sys JectorDriver acrojet.dll -unsafeStopAllowed
Thanks for your help. I'll recheck the configuration and the signing process.
TCS
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Post by TCS »

Is there any way to get output or logs from madConfigDrv.exe ?

I assume that the signing process is successful because the LoadInjectionDriver() function finishes successfully, and I can see the "digital signature" tab in the .sys file property page, therefore I guess that the problem can be only in the configuration, but I can't see what I am doing wrong...

I compared Jector86.sys before the config and after it, and I did see that the file changed (the last modified date doesn't change, I guess you modify it).
I tried to config again with the same "acrojet.dll" to try and get some error, and I did get one stating that "acrojet.dll" is already in the list.

Any other ideas ???
TCS
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Post by TCS »

More info, the problem is only in 32bit, not 64bit.
TCS
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm

Re: System wide InjectLibrary fails with 0x1f to x86 from x6

Post by TCS »

Okay found it!
I didn't understand something about the configuration correctly.

I thought that I need to configure to the 64bit driver only the 64bit DLLs and for the 32bit driver only the 32bit DLLs, but in fact on a 64bit machine only the 64bit driver is being used, so I have to configure both 32bit DLLs and 64bit DLLs to it.
I'd suggest that in this case you would SetLastError() with ERROR_ACCESS_DENIED.

Thanks!