We have experienced an issue with uninjection. We use a little hack to force MCH to uninject apps as we please:
bool UnInjectFrom(const wchar_t *LibraryFileName, const wchar_t *ProcessNameMask)
{
    // MCH uses UninjectLibraryW differently than we originally thought.
    // First, we don't want to inject into running processes ...
    SetMadCHookOption(INJECT_INTO_RUNNING_PROCESSES, (LPCWSTR)0);
    // ... because we must first create a phony rule in the MCH driver,
    // so that MCH doesn't fail during uninjection.
    InjectLibraryW(CINJ_DRIVER_NAME, LibraryFileName, ALL_SESSIONS,
                   true, ProcessNameMask);
    SetMadCHookOption(INJECT_INTO_RUNNING_PROCESSES, (LPCWSTR)1);
    // Now we can uninject the library from all processes matching the name mask.
    return (
        UninjectLibraryW(CINJ_DRIVER_NAME, LibraryFileName, ALL_SESSIONS,
                         true, ProcessNameMask) != FALSE
    );
}
The crash usually looks like this:
FAULTING_IP:
ntdll!LdrpUpdateLoadCount2+4d
77099820 0fb74638 movzx eax,word ptr [esi+38h]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77099820 (ntdll!LdrpUpdateLoadCount2+0x0000004d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 41005438
Attempt to read from address 41005438
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
PROCESS_NAME: CSISYNCCLIENT.EXE
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 41005438
READ_ADDRESS: 41005438
FOLLOWUP_IP:
ntdll!LdrpUpdateLoadCount2+4d
77099820 0fb74638 movzx eax,word ptr [esi+38h]
MOD_LIST: <ANALYSIS/>
APPLICATION_VERIFIER_FLAGS: 0
FAULTING_THREAD: 000007e4
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 7709987a to 77099820
STACK_TEXT:
09bef9dc 7709987a 00000000 00000002 6bd40000 ntdll!LdrpUpdateLoadCount2+0x4d
09bef9f8 770a3aea 00000000 00000002 7ea38353 ntdll!LdrpUpdateLoadCount2+0xff
09befa78 770a3c45 6bd40000 09befa9c 7ea38397 ntdll!LdrpUnloadDll+0x9c
09befabc 74d92d32 6bd40000 00000000 09befe88 ntdll!LdrUnloadDll+0x4a
09befacc 71af020b 6bd40000 00000000 00000000 KERNELBASE!FreeLibrary+0x15
WARNING: Frame IP not in any known module. Following frames may be wrong.
09befe88 76a7337a 71ae0000 09befed4 770992e2 0x71af020b
09befe94 770992e2 71ae0000 7ea387ff 00000000 kernel32!BaseThreadInitThunk+0xe
09befed4 770992b5 71af0000 71ae0000 00000000 ntdll!__RtlUserThreadStart+0x70
09befeec 00000000 71af0000 71ae0000 00000000 ntdll!_RtlUserThreadStart+0x1b
What do you think?
PP
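As an added triage aid (this is example code written for this page, not madCodeHook code and not part of PP's post), the script below parses the 32-bit `!analyze -v` output quoted above and reports where the `FreeLibrary` call on the stack came from. It assumes the usual x86 `STACK_TEXT` layout (ChildEBP, RetAddr, three args, symbol): the `FreeLibrary` frame's RetAddr is the IP of its caller and its first argument is the HMODULE being freed; the thread start routine and parameter are read from `_RtlUserThreadStart`'s arguments. The dump lines embedded in `DUMP` are copied from the post. On this dump it reports that `FreeLibrary(0x6bd40000)` was called from `0x71af020b`, which lies 0x20b bytes past the thread's start routine at `0x71af0000` and in no module the debugger knew about; what code lived there is not something the text dump alone tells you, so check it with `lm` or `!address` in the live dump.

```python
"""Triage a 32-bit WinDbg '!analyze -v' dump: pull the exception facts and
the STACK_TEXT frames, then report where a FreeLibrary call came from.
Added example; not madCodeHook code and not from the original post."""
import re
from dataclasses import dataclass

# Input: the relevant lines of the dump posted above (copied from the post).
DUMP = """\
PROCESS_NAME: CSISYNCCLIENT.EXE
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
READ_ADDRESS: 41005438
FAULTING_THREAD: 000007e4
STACK_TEXT:
09bef9dc 7709987a 00000000 00000002 6bd40000 ntdll!LdrpUpdateLoadCount2+0x4d
09bef9f8 770a3aea 00000000 00000002 7ea38353 ntdll!LdrpUpdateLoadCount2+0xff
09befa78 770a3c45 6bd40000 09befa9c 7ea38397 ntdll!LdrpUnloadDll+0x9c
09befabc 74d92d32 6bd40000 00000000 09befe88 ntdll!LdrUnloadDll+0x4a
09befacc 71af020b 6bd40000 00000000 00000000 KERNELBASE!FreeLibrary+0x15
WARNING: Frame IP not in any known module. Following frames may be wrong.
09befe88 76a7337a 71ae0000 09befed4 770992e2 0x71af020b
09befe94 770992e2 71ae0000 7ea387ff 00000000 kernel32!BaseThreadInitThunk+0xe
09befed4 770992b5 71af0000 71ae0000 00000000 ntdll!__RtlUserThreadStart+0x70
09befeec 00000000 71af0000 71ae0000 00000000 ntdll!_RtlUserThreadStart+0x1b
"""

# One x86 'kb'-style frame: ChildEBP RetAddr Args-to-Child(3) Symbol.
FRAME_RE = re.compile(
    r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S.*)$")
FIELD_RE = re.compile(r"^([A-Z][A-Z0-9_]+):\s*(.*)$")
UNKNOWN_WARNING = "WARNING: Frame IP not in any known module"


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int          # address the callee returns to, i.e. the caller's IP
    args: tuple            # first three stack arguments as WinDbg shows them
    symbol: str
    unknown_module: bool   # preceded by the "not in any known module" warning


@dataclass
class Triage:
    process: str
    exception_code: int
    read_address: int
    faulting_symbol: str
    frames: list


def parse_dump(text):
    fields, frames = {}, []
    in_stack = pending_unknown = False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith("STACK_TEXT:"):
            in_stack = True
            continue
        if in_stack:
            if line.startswith(UNKNOWN_WARNING):
                pending_unknown = True
                continue
            m = FRAME_RE.match(line)
            if m:
                frames.append(Frame(int(m[1], 16), int(m[2], 16),
                                    tuple(int(m[i], 16) for i in (3, 4, 5)),
                                    m[6], pending_unknown))
                pending_unknown = False
                continue
            in_stack = False            # anything else ends the stack block
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m[1], m[2])
    code = re.search(r"0x([0-9a-fA-F]+)", fields.get("EXCEPTION_CODE", "0x0"))
    return Triage(process=fields.get("PROCESS_NAME", ""),
                  exception_code=int(code[1], 16),
                  read_address=int(fields.get("READ_ADDRESS", "0"), 16),
                  faulting_symbol=frames[0].symbol if frames else "",
                  frames=frames)


def triage_freelibrary(frames):
    """Facts about the FreeLibrary call on the stack, or None if there is none.
    The FreeLibrary frame's RetAddr is the IP of whoever called FreeLibrary and
    its first argument is the HMODULE being freed; the thread start routine and
    its parameter are _RtlUserThreadStart's first two arguments."""
    idx = next((i for i, f in enumerate(frames) if "!FreeLibrary" in f.symbol), None)
    if idx is None:
        return None
    fl = frames[idx]
    caller = frames[idx + 1] if idx + 1 < len(frames) else None
    start = next((f for f in frames if "!_RtlUserThreadStart" in f.symbol), None)
    facts = {
        "freed_module": fl.args[0],
        "caller_ip": fl.ret_addr,
        "caller_in_known_module": caller is not None and not caller.unknown_module,
        "thread_start": start.args[0] if start else None,
        "thread_param": start.args[1] if start else None,
    }
    if start:
        # Small positive offset: FreeLibrary was called from the thread routine itself.
        facts["caller_offset_from_thread_start"] = fl.ret_addr - start.args[0]
    return facts


if __name__ == "__main__":
    t = parse_dump(DUMP)
    print(f"{t.process}: {t.exception_code:#x} reading {t.read_address:#x} in {t.faulting_symbol}")
    for k, v in (triage_freelibrary(t.frames) or {}).items():
        print(f"  {k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"  {k}: {v}")
```

The `caller_in_known_module` flag is only as good as WinDbg's symbol resolution at the time the dump was taken: a module that was already unloaded shows up as "not in any known module" just like code that never belonged to one.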