Injected DLL gets instantly unloaded

c++ / delphi package - dll injection and api hooking
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injected DLL gets instantly unloaded

Post by madshi »

Yes, LdrUnloadDll.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Injected DLL gets instantly unloaded

Post by iconic »

DSp_nrg,

Is Spartan browser a modern UI/metro app? If it is then these apps require the injected DLL to have the ALL APPLICATION PACKAGES group added to the DLL file permissions with read and read & execute permissions set to allow. If you don't want to add this ACE to the ACL manually you can copy your DLL to %SystemRoot%\System32 and try injection from there to perform a quick test, this folder always has this group in its ACL and container objects are granted these permissions by default. Maybe this helps? I would have to test but figured it's worth mentioning after reading this thread. AFAIK Spartan was just introduced to Windows 10 Tech Preview build 10049 so it's just been made recently available. I am upgrading from 9926 as I write this so I'll check to see what it's doing later today. Best regards

--Iconic
DSp_nrg
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am

Re: Injected DLL gets instantly unloaded

Post by DSp_nrg »

Hi,

I played around with the PrintMonitor some more and changed it to do some outputs on DLL unloads.
I noticed my problem by accident. The loaded PrintMonitor DLL wasn't injected in the spartan I was debugging, but in the debugger itself, which explains a lot.

Sorry for the confusions, but this was quite hard to notice (for me).

And now a big thanks to iconic, since my own DLL already has the permission, i didn't spent any thought about it for the PrintMonitor DLL. After adding this, the DLL stays injected in the spartan :crazy: .

Now my next big task will be comparing the settings for PrintMonitor-dll and my own DLL to find the difference.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Injected DLL gets instantly unloaded

Post by iconic »

Wow that was a fast response. Glad things are working for you :D

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injected DLL gets instantly unloaded

Post by madshi »

Cool! Good thinking, iconic!

Make sure your dll has no manifest. That has been known to cause issues. I usually recommend to base your own hook dll on one of the demos, so that all your compiler and linker settings are already setup "correctly".
DSp_nrg
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am

Re: Injected DLL gets instantly unloaded

Post by DSp_nrg »

I checked my linker options and disabled generation of manifest. After this change my own DLL stays loaded in spartan.

Conclusion:
* DLL injection with enabled manifest does not work for spartan.
* Spartan is handled as "ModernUI" app, so "ALL APPLICATION PACKAGES" permission is essential

Thanks to all of you for your support finding the solution !
Post Reply