Slow System-Wide Inject w/ Driver & InjectLibraryA

DarkstaR
Posts: 3
Joined: Fri Jul 10, 2015 5:06 pm

Slow System-Wide Inject w/ Driver & InjectLibraryA

Post by DarkstaR »

So, I've found the system-wide injection to be unacceptably slow. On some systems, it can take upwards of a minute to inject, and it seems like many of the injection attempts time-out (having a timeout of 40 seconds makes it take much longer than a timeout of 10 seconds on the same system under the same conditions).

I thought of possibly spinning up multiple threads and injecting from each one (using a PID blacklist to determine which processes each thread should inject into), but this seems a bit messy and I'm not certain that the injection can handle being done from multiple threads, or if the blacklist from one thread will somehow affect another. I assume the driver would multi-thread injection by default if it was possible. Can anyone confirm this either way, or give me some tips on speeding up injection?


Also, as a side-note, how does the driver keep track of which processes it has injected into? Would it be safe to un-link my module from the PEB, or would that confuse the driver?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Slow System-Wide Inject w/ Driver & InjectLibraryA

Post by madshi »

You're talking about the actual InjectLibrary() call, right? The driver is not involved there yet. The driver is loaded and made ready for injection inside of InjectLibrary(), but the driver will only inject into new processes which are started after your InjectLibrary() call. Injection into already running processes is done by user land code inside of InjectLibrary(). The InjectLibrary() call can take a long time if there's a process on your PC which gets stuck trying to load your hook dll. This shouldn't stop other processes from loading your hook dll, though. Basically you could lower the InjectLibrary() timeout value to 0, and injection should still succeed. Basically InjectLibrary() creates a remote thread for each running process. And then InjectLibrary() does nothing but wait for those remote threads to run through. E.g. with a timeout value of "INFINITE", InjectLibrary() will wait eternally, if one of the remote threads gets stuck. With a timeout value of 0, the remote threads will still do their work, and InjectLibrary() will simply not wait for them to run through.

It might make sense to try to get to the bottom of which process is not responding properly and causing this long delay. Might be hard to figure that out, though. First test would be to log the current process name (GetModuleFileName(NULL)) in the hook dll's DllMain(PROCESS_ATTACH) event, together with a timestamp. Of course the logging function needs to be thread-safe and even multi-process safe (e.g. use a named mutex for synchronization). After those 40 seconds you can then check which dlls got loaded immediately, which with a delay, and you can also check which processes refused to load your hook dll completely. For the latter you could initiate single InjectLibrary(processHandle, "hook.dll") calls to find out which of those processes gets stuck for so long.

One more interesting test would be to check if the same problem occurs with the madCodeHook demos compiled by me. E.g. try this one:

http://madshi.net/PrintMonitor.zip
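The diagnostic logging that madshi suggests above (process name plus timestamp from DllMain, serialized with a named mutex), written out as an added example; this is not madCodeHook's code and not from the thread. The log path, the mutex name, and the tab-separated record format are constructed for this example, and the timestamp and line-formatting helpers are split out from the Windows-only part so they can be built and checked on any platform.

```cpp
// Diagnostic logger for a hook DLL: records which process loaded the DLL and when,
// so that the processes that load immediately, with a delay, or never can be told apart.
// Portable helpers first; the DllMain itself is Windows-only and guarded by _WIN32.
#include <cstdio>
#include <string>

#ifdef _WIN32
#include <windows.h>
#endif

// "YYYY-MM-DD HH:MM:SS.mmm" from the fields of a SYSTEMTIME (or any broken-down time).
std::string FormatTimestamp(int year, int month, int day,
                            int hour, int minute, int second, int ms) {
    char buf[32];
    std::snprintf(buf, sizeof(buf), "%04d-%02d-%02d %02d:%02d:%02d.%03d",
                  year, month, day, hour, minute, second, ms);
    return buf;
}

// One tab-separated record: timestamp, PID, full image path of the loading process.
std::string FormatLogLine(const std::string& timestamp, unsigned long pid,
                          const std::string& imagePath) {
    return timestamp + "\t" + std::to_string(pid) + "\t" + imagePath + "\n";
}

#ifdef _WIN32
// Constructed names for this example; pick your own for a real deployment.
// "Global\" makes the mutex visible across sessions (services and interactive users).
static const wchar_t* kLogMutexName = L"Global\\HookDllDiagLogMutex";
static const char*    kLogFilePath  = "C:\\HookDiag\\load.log";

static void AppendLogLineLocked(const std::string& line) {
    // The named mutex serializes writers across every process the DLL lands in.
    HANDLE mutex = CreateMutexW(NULL, FALSE, kLogMutexName);
    if (!mutex) return;
    // Bounded wait: one stuck process must not wedge every other process at this point.
    DWORD wait = WaitForSingleObject(mutex, 5000);
    if (wait == WAIT_OBJECT_0 || wait == WAIT_ABANDONED) {
        HANDLE file = CreateFileA(kLogFilePath, FILE_APPEND_DATA,
                                  FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                  OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        if (file != INVALID_HANDLE_VALUE) {
            DWORD written = 0;
            WriteFile(file, line.data(), (DWORD)line.size(), &written, NULL);
            CloseHandle(file);
        }
        ReleaseMutex(mutex);
    }
    CloseHandle(mutex);
}

static std::string CurrentLogLine() {
    char path[MAX_PATH] = {0};
    // NULL asks for the host process's own image, not this DLL.
    GetModuleFileNameA(NULL, path, MAX_PATH);
    SYSTEMTIME st;
    GetSystemTime(&st);
    std::string ts = FormatTimestamp(st.wYear, st.wMonth, st.wDay,
                                     st.wHour, st.wMinute, st.wSecond, st.wMilliseconds);
    return FormatLogLine(ts, GetCurrentProcessId(), path);
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hinst);
        AppendLogLineLocked(CurrentLogLine());
    }
    return TRUE;
}
#endif
```

The PROCESS_ATTACH handler runs under the loader lock, so it deliberately touches only kernel32 (mutex, file, time) and returns quickly; the 5-second bound on the mutex wait keeps one hung process from turning the logger itself into a second source of delay. Sorting the resulting log by timestamp shows which processes attached right away and which lagged; processes missing from the log entirely are the candidates for the single InjectLibrary(processHandle, "hook.dll") test madshi describes.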
DarkstaR
Posts: 3
Joined: Fri Jul 10, 2015 5:06 pm

Re: Slow System-Wide Inject w/ Driver & InjectLibraryA

Post by DarkstaR »

Okay, that makes sense then. I thought you were using something like APC injection from the driver, and that some processes were taking too long to flush the APC queue or something. I figured that after the timeout it would be popped from the queue; I didn't realize that it was just WaitForSingleObject() on a thread handle. I'll try to track down why it's slow in certain cases but, at least for now, this fixes my problem of the injector waiting too long for injection.


Thanks!
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Slow System-Wide Inject w/ Driver & InjectLibraryA

Post by iconic »

DarkstaR,

The only thing I've experienced similar to what you're describing is using remote thread injection and waiting on a suspended process in Windows 8+ for inactive (suspended) metroUI / store apps. See here: viewtopic.php?f=7&t=27455; maybe that's what you're experiencing.

As Madshi already alluded to, set the timeout to 0.


--Iconic