madshi.net

high quality low level programming
http://forum.madshi.net/

Injected DLL gets instantly unloaded

http://forum.madshi.net/viewtopic.php?f=7&t=27985

Page 2 of 2

Re: Injected DLL gets instantly unloaded

Posted: Tue Apr 07, 2015 2:40 pm
by madshi
Yes, LdrUnloadDll.

Re: Injected DLL gets instantly unloaded

Posted: Wed Apr 08, 2015 8:18 am
by iconic
DSp_nrg,

Is Spartan browser a modern UI/metro app? If it is then these apps require the injected DLL to have the ALL APPLICATION PACKAGES group added to the DLL file permissions with read and read & execute permissions set to allow. If you don't want to add this ACE to the ACL manually you can copy your DLL to %SystemRoot%\System32 and try injection from there to perform a quick test, this folder always has this group in its ACL and container objects are granted these permissions by default. Maybe this helps? I would have to test but figured it's worth mentioning after reading this thread. AFAIK Spartan was just introduced to Windows 10 Tech Preview build 10049 so it's just been made recently available. I am upgrading from 9926 as I write this so I'll check to see what it's doing later today. Best regards

--Iconic

Re: Injected DLL gets instantly unloaded

Posted: Wed Apr 08, 2015 8:33 am
by DSp_nrg
Hi,

I played around with the PrintMonitor some more and changed it to do some outputs on DLL unloads.
I noticed my problem by accident. The loaded PrintMonitor DLL wasn't injected in the spartan I was debugging, but in the debugger itself, which explains a lot.

Sorry for the confusions, but this was quite hard to notice (for me).

And now a big thanks to iconic, since my own DLL already has the permission, i didn't spent any thought about it for the PrintMonitor DLL. After adding this, the DLL stays injected in the spartan :crazy: .

Now my next big task will be comparing the settings for PrintMonitor-dll and my own DLL to find the difference.

Re: Injected DLL gets instantly unloaded

Posted: Wed Apr 08, 2015 8:35 am
by iconic
Wow that was a fast response. Glad things are working for you :D

--Iconic

Re: Injected DLL gets instantly unloaded

Posted: Wed Apr 08, 2015 8:48 am
by madshi
Cool! Good thinking, iconic!

Make sure your dll has no manifest. That has been known to cause issues. I usually recommend to base your own hook dll on one of the demos, so that all your compiler and linker settings are already setup "correctly".

Re: Injected DLL gets instantly unloaded

Posted: Wed Apr 08, 2015 9:35 am
by DSp_nrg
I checked my linker options and disabled generation of manifest. After this change my own DLL stays loaded in spartan.

Conclusion:
* DLL injection with enabled manifest does not work for spartan.
* Spartan is handled as "ModernUI" app, so "ALL APPLICATION PACKAGES" permission is essential

Thanks to all of you for your support finding the solution !
All times are UTC
Page 2 of 2

Powered by phpBB® Forum Software © phpBB Limited