Injected DLL gets instantly unloaded

DSp_nrg
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am

Injected DLL gets instantly unloaded

Post by DSp_nrg »

Hi,

I have a working application which injects a DLL into iexplore.exe. The DLL then hooks some functions of wininet.

Now I downloaded the tech preview of Win10 and tested whether my application is able to support Spartan. The MSIE injection part is still working fine in Win10, but when injecting into Spartan and its renderer processes I discover a very strange behavior:

Code:

"spartan.exe" : "C:\Program Files (x86)\myApplication\myHook64.dll" loaded. Symbols were loaded.
"spartan.exe" : "C:\Program Files (x86)\myApplication\myHook64.dll" unloaded.

When placing breakpoints in DllMain of myHook64.dll nothing happens. Even a DebugBreak(); call in the first line of DllMain has no effect. So it seems like the DLL gets loaded, the code is not executed and the DLL gets unloaded again.

Does anyone have an explanation for this behavior? Or an idea how to find out, why it's unloaded without execution of the code?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injected DLL gets instantly unloaded

Post by madshi »

Could be one of three things:

1) Either your dll has some static links which can not be resolved by the OS loader.
2) Or one of the dlls statically linked to by your hook dll crashes when loaded, so your hook dll can't be loaded, either.
3) Or your hook dll itself crashes when loaded, so the OS loader removes it again.

Or maybe it's something completely different, hard to say right now. I've not tested Windows 10 myself yet, but plan on doing that very soon.
DSp_nrg
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am

Re: Injected DLL gets instantly unloaded

Post by DSp_nrg »

Hi, thanks for your quick answer.

My dll is very minimalistic, it only has the basic links added by VS.

For documentation:

Code:

"..\madCodeHook\Header & Libs\madCHook64mt.lib"
"kernel32.lib"
"user32.lib"
"gdi32.lib"
"winspool.lib"
"comdlg32.lib"
"advapi32.lib"
"shell32.lib"
"ole32.lib"
"oleaut32.lib"
"uuid.lib"
"odbc32.lib"
"odbccp32.lib"

I think since even the first line of my dll isn't executed, there shouldn't be much crash potential.

Do you have any suggestions how to find out, which linked dll makes problems?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injected DLL gets instantly unloaded

Post by madshi »

That is the list of libs, but does your dll really statically link to every one of them? If so, I wouldn't call that minimalistic at all. An almost empty test dll should typically only statically link to kernel32.dll.
Overnissen
Posts: 31
Joined: Mon Dec 29, 2014 6:22 pm

Re: Injected DLL gets instantly unloaded

Post by Overnissen »

Sorry for butting in..

While I haven't tested Spartan myself, I could imagine that it might be that Spartan will only accept .dlls that have been signed, if not permanently then as for right now while it's a technology review..

Just a suggestion..
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injected DLL gets instantly unloaded

Post by madshi »

That's possible, of course.
DSp_nrg
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am

Re: Injected DLL gets instantly unloaded

Post by DSp_nrg »

Sorry for posting the complete list. I'm not really sure about which libs are linked statically. If you need more information regarding this, please let me know.

@Overnissen: Thanks for mentioning, but the DLLs are already signed. So this shouldn't be the issue.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injected DLL gets instantly unloaded

Post by madshi »

You can use the freeware PEBrowsePro Professional (not the 64bit version) to check the list of statically linked dlls.
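
The check suggested above can also be scripted. This is an added example, not part of the original posts and not madCodeHook code: a Python function that reads the import directory of a PE image and lists the DLLs the OS loader has to resolve at load time, which is what settles the "static link" question rather than the linker's .lib input list. `build_sample` and the DLL names passed to it are constructed test data.

```python
import struct

def static_imports(pe: bytes) -> list:
    """Return the DLL names in the import directory, i.e. the load-time dependencies."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                         # start of the optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]           # PE32 / PE32+ data directories
    imp_rva = struct.unpack_from("<I", pe, dirs + 8)[0]   # directory entry 1 = imports
    if imp_rva == 0:
        return []
    secs = [struct.unpack_from("<8xIIII", pe, opt + opt_size + 40 * i) for i in range(nsec)]
    def to_off(rva):                                      # map an RVA to a file offset
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is outside every section")
    names, off = [], to_off(imp_rva)
    while True:
        name_rva = struct.unpack_from("<I", pe, off + 12)[0]
        if name_rva == 0:                                 # all-zero descriptor ends the table
            break
        start = to_off(name_rva)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        off += 20                                         # next 20-byte import descriptor
    return names

def build_sample(dlls):
    """Constructed PE32+ image: headers plus one section holding only an import table."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xH", hdr, 0x44, 0x8664, 1, 240)  # x64, 1 section, optional header size
    struct.pack_into("<H", hdr, 0x58, 0x20B)              # PE32+ magic
    table = (len(dlls) + 1) * 20                          # descriptors plus terminator
    body, strings = bytearray(table), b""
    for i, dll in enumerate(dlls):
        struct.pack_into("<I", body, i * 20 + 12, 0x1000 + table + len(strings))
        strings += dll.encode() + b"\0"
    body += strings
    struct.pack_into("<II", hdr, 0x58 + 120, 0x1000, table)   # import directory RVA and size
    struct.pack_into("<8sIIII", hdr, 0x148, b".idata", len(body), 0x1000, len(body), 0x200)
    return bytes(hdr + body)

SAMPLE = build_sample(["KERNEL32.dll", "USER32.dll", "ADVAPI32.dll", "OLEAUT32.dll"])
```

For a real file, pass `open(path, "rb").read()` to `static_imports`. Delay-load imports and DLLs loaded at run time via LoadLibrary are not in this table.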
DSp_nrg
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am

Re: Injected DLL gets instantly unloaded

Post by DSp_nrg »

Imports section contains
advapi32.dll, kernel32.dll, oleauth32.dll, user32.dll

But these are also dynamically linked libraries afaik. At least madCHook lib is linked statically.

I managed to debug the unload of my DLL from Spartan.
Callstack:

Code:

ntdll!LdrUnloadDll+0x18d
ntdll!RtlImageNtHeaderEx+0x10b5
ntdll!RtlImageNtHeaderEx+0xc7a
ntdll!LdrLoadDll+0x96
0x00007ffa`10230322
0xbaadf00d`baadf00d
0x00000023`a4a86bc6
0x00000023`a4a86c1e
0x00000023`a4a86c82
0x00000023`a493f5c0
0xbaadf00d`baadf00d
0x1
0xbaadf00d`baad0004
0x00000001`00000040
0x1000
ntdll!NtEnumerateTransactionObject+0xf
0x00007fff`fffeffff

This doesn't look very useful to me. Is there any point where a retval (or something else) might tell me why the dll is unloaded?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injected DLL gets instantly unloaded

Post by madshi »

That list of statically linked DLLs should be ok. Two suggestions:

1) Try with an "empty" DLL. Does that also fail?
2) Try the following demo (compiled by me, don't recompile), does that also fail?

http://madshi.net/PrintMonitor.zip

Furthermore, in both cases try first starting the DLL injection, and afterwards start spartan. And alternatively try it the other way round: Start spartan first, then afterwards start DLL injection. Does it fail in both cases?
DSp_nrg
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am

Re: Injected DLL gets instantly unloaded

Post by DSp_nrg »

Hi, I did the tests as suggested. Here are my results:

Note: Starting Spartan using Windbg results in Spartan dying with an exception. I did two tests for different code points to check.

1) "Basic Dll DllMain only"

1.1) Start DLL Injection, then Spartan
* Start Spartan using WinDBG
-> Dll gets loaded, then unloaded before exception
* Starting Spartan, then attach to process using WinDBG
-> Dll is not mentioned in modules

1.2) Start Spartan, then DLL Injection
* Starting Spartan, then attach to process using WinDBG, then start DLL Injection
-> Dll gets loaded, then unloaded immediately

2) "Test PrintMonitor"
* First checked with iexplore.exe. Works fine.

2.1) Start PrintMonitor, then Spartan
* Start Spartan using WinDBG
-> Dll is still loaded on exception
* Starting Spartan, then attach to process using WinDBG
-> Dll is not mentioned in modules

2.2) Start Spartan, then PrintMonitor
* Starting Spartan, then attach to process using WinDBG, then start PrintMonitor
-> DLL is never loaded
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injected DLL gets instantly unloaded

Post by madshi »

So basically the demo works, as long as you start PrintMonitor before Spartan, is that correct? It seems that Spartan blocks DLLs from being injected after Spartan already started running. So probably there's no (clean) way for us to inject a DLL once Spartan has already started. But the other way round (starting injection first) usually works fine, at least it does with the Chrome sandbox etc.
DSp_nrg
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am

Re: Injected DLL gets instantly unloaded

Post by DSp_nrg »

No it doesn't.

See 2.1 -> When attaching with windbg to spartan the dll is already unloaded. It only stays loaded a bit longer than my own dll when starting spartan using windbg.

Also I can see my DLL getting loaded and unloaded when starting Injection after start of spartan. This behavior does not apply to your demo. (See 1.2 and compare to 2.2)
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injected DLL gets instantly unloaded

Post by madshi »

Well, I don't know why the demo DLL stays loaded longer compared to your empty DLL. In any case, if the DLLs are loaded, but then "manually" unloaded by Spartan again, there's not much we can do about it, unfortunately. Of course you could try hooking FreeLibrary (and the matching lower level native API) in your DllMain, but I'm not sure if that would work, and it sounds quite dirty to me. If you want to try that, we'd first have to figure out why your empty DLL doesn't get loaded as long as the demo DLL. That sounds weird. Did you compile your DLL with a manifest? One thing you could try is recompiling the demo and then check if it still works. If it does, you could try checking whether DllMain gets executed at all in the demo DLL.
DSp_nrg
Posts: 18
Joined: Mon Aug 04, 2014 10:26 am

Re: Injected DLL gets instantly unloaded

Post by DSp_nrg »

Did some further checks. Code of your Dll is executed. I wasn't able to find out at which point it's unloaded.

I managed to build HookPrintAPIs64.dll myself. I extended the code to NotifyApplication on ATTACH and DETACH in DllMain. The code is only executed if I start Spartan using WinDBG, otherwise nothing is done.
When starting using WinDBG, I can see the ATTACH message and immediately after the DETACH message. I will try to play around with this some more, to find out for what reason the DLL is detached.

I'll also try to hook FreeLibrary (just for testing).

"and the matching lower level native API"
Do you mean ntdll!LdrUnloadDll?