Injected DLL gets instantly unloaded

c++ / delphi package - dll injection and api hooking

Re: Injected DLL gets instantly unloaded

Postby madshi » Tue Apr 07, 2015 2:40 pm

Yes, LdrUnloadDll.
madshi

Re: Injected DLL gets instantly unloaded

Postby iconic » Wed Apr 08, 2015 8:18 am

DSp_nrg,

Is Spartan browser a modern UI/metro app? If it is, then these apps require the injected DLL to have the ALL APPLICATION PACKAGES group added to the DLL file permissions with read and read & execute permissions set to allow. If you don't want to add this ACE to the ACL manually, you can copy your DLL to %SystemRoot%\System32 and try injection from there to perform a quick test; this folder always has this group in its ACL and container objects are granted these permissions by default. Maybe this helps? I would have to test but figured it's worth mentioning after reading this thread. AFAIK Spartan was just introduced to Windows 10 Tech Preview build 10049 so it's just been made recently available. I am upgrading from 9926 as I write this so I'll check to see what it's doing later today. Best regards

--Iconic
iconic

Re: Injected DLL gets instantly unloaded

Postby DSp_nrg » Wed Apr 08, 2015 8:33 am

Hi,

I played around with the PrintMonitor some more and changed it to do some outputs on DLL unloads.
I noticed my problem by accident. The loaded PrintMonitor DLL wasn't injected in the Spartan I was debugging, but in the debugger itself, which explains a lot.

Sorry for the confusion, but this was quite hard to notice (for me).

And now a big thanks to iconic. Since my own DLL already has the permission, I didn't spend any thought on it for the PrintMonitor DLL. After adding this, the DLL stays injected in Spartan :crazy:.

Now my next big task will be comparing the settings for PrintMonitor-dll and my own DLL to find the difference.
DSp_nrg

Re: Injected DLL gets instantly unloaded

Postby iconic » Wed Apr 08, 2015 8:35 am

Wow that was a fast response. Glad things are working for you :D

--Iconic
iconic

Re: Injected DLL gets instantly unloaded

Postby madshi » Wed Apr 08, 2015 8:48 am

Cool! Good thinking, iconic!

Make sure your DLL has no manifest. That has been known to cause issues. I usually recommend basing your own hook DLL on one of the demos, so that all your compiler and linker settings are already set up "correctly".
madshi

Re: Injected DLL gets instantly unloaded

Postby DSp_nrg » Wed Apr 08, 2015 9:35 am

I checked my linker options and disabled generation of the manifest. After this change my own DLL stays loaded in Spartan.

Conclusion:
* DLL injection with enabled manifest does not work for Spartan.
* Spartan is handled as a "ModernUI" app, so the "ALL APPLICATION PACKAGES" permission is essential.

Thanks to all of you for your support finding the solution!
DSp_nrg
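
Added example, not code from the thread or from madCodeHook: a PowerShell check for the file permission named in the conclusion above, with an optional grant. The function names and the sample path are hypothetical; S-1-15-2-1 is the well-known SID of ALL APPLICATION PACKAGES.

```powershell
# Added example; function names and the sample path are hypothetical.
# S-1-15-2-1 is the well-known SID of the ALL APPLICATION PACKAGES group.
$AppPackagesSid = [System.Security.Principal.SecurityIdentifier]'S-1-15-2-1'
$Needed = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-AppPackagesAccess {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, identities returned as SIDs (locale independent).
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allowed = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $AppPackagesSid.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Deny') {
            # A deny ACE that overlaps the needed rights blocks the load.
            if ($rights -band $Needed) { return $false }
        } else {
            $allowed = $allowed -bor $rights
        }
    }
    # True only when every ReadAndExecute bit is granted to the group.
    return (($allowed -band $Needed) -eq $Needed)
}

function Grant-AppPackagesAccess {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AppPackagesSid,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (hypothetical path):
#   if (-not (Test-AppPackagesAccess 'C:\Hooks\MyHook.dll')) {
#       Grant-AppPackagesAccess 'C:\Hooks\MyHook.dll'
#   }
```

The check only looks at ACEs that name the group directly and does not map generic rights bits, so treat a `$false` result as a prompt to inspect the ACL by hand.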
