Uninjection problem (DLL ref count + AutoUnhookCounter)

c++ / delphi package - dll injection and api hooking

Postby EaSy » Wed Aug 19, 2015 1:45 pm

Hi,
we found that if we call injection of a dll into one process more than 10 times, we are not able to uninject the dll anymore. It is because the calling of FreeLibrary is stopped after 10 calls and AutoUnhookCounter is 0. So no more threads are able to uninject anything. It is also reproducible with your demos.

I propose to raise a limit to 0xFFFF.

PP
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby EaSy » Wed Aug 19, 2015 1:51 pm

And also... that ExitThread is ugly.

PP
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby madshi » Sat Aug 22, 2015 11:41 am

Thanks, will have a look at this.

Why do you find the ExitThread ugly? This is *always* called from an injection remote thread created by madCodeHook, it's never called in any other situation. ExitThread is the fastest and cleanest way to close that remote thread without doing further processing.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby iconic » Sat Aug 22, 2015 2:28 pm

Just adding to Madshi's last post, in some cases an explicit call to ExitThread is absolutely needed for "proper" thread closure. This is the case for native threads and requires a call to RtlExitUserThread (native equivalent of a WIN32 ExitThread) inside the thread's callback procedure. RtlCreateUserThread is an example of a native thread creation API which just wraps NtCreateThread(Ex).

--Iconic
iconic
 
Posts: 840
Joined: Wed Jun 08, 2005 5:08 am

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby madshi » Sat Aug 22, 2015 6:31 pm

Test build available here:

http://madshi.net/madCollectionBeta.exe (2.7.11.7)
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby EaSy » Wed Sep 16, 2015 10:36 am

Hi,
you forgot to update InjectThread with 0xFFFF as well.

PP
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby madshi » Fri Oct 09, 2015 1:22 pm

I was a bit afraid of simple switching to 0xFFFF because I wasn't sure it would be the correct value on all OSs. But I think I found a nice solution. Try this build:

http://madshi.net/madCollectionBeta.exe (installer 2.7.12.2)

What do you think?
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby EaSy » Mon Oct 12, 2015 11:59 am

Hi, I can't see any change in your code that is relevant to this issue.

Can you explain it a bit? Thx.

PP
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby madshi » Mon Oct 12, 2015 12:26 pm

Stupid me. I modified the code in the wip madCodeHook 4.0, but failed to copy it down to madCodeHook 3. Basically I've replaced this code:

                dll.LoadCount := $ff;

with this:

                if firstDll.LoadCount >= $ff then
                  dll.LoadCount := firstDll.LoadCount
                else
                  dll.LoadCount := $ff;

The idea is that the first DLL in the list should be a statically linked dll, so I simply use that dll's load count value.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby EaSy » Mon Oct 12, 2015 1:10 pm

Now the hooking dll doesn't have its count changed by LoadLibrary/FreeLibrary anymore, because it will be considered as static.

Will the behaviour be the same for both the 64-bit and 32-bit versions?
I thought that you modify load counts only in the 32-bit version.
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby madshi » Mon Oct 12, 2015 1:13 pm

EaSy wrote:Now the hooking dll doesn't have its count changed by LoadLibrary/FreeLibrary anymore, because it will be considered as static.

Yes, that was the whole idea. I'm confused. Using 0xFFFF, as you suggested, should have the same effect, so why are you now seemingly not happy with this? Or am I misunderstanding you?

EaSy wrote:Will the behaviour be the same for both the 64-bit and 32-bit versions?
I thought that you modify load counts only in the 32-bit version.

This is currently only done for 32bit.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby EaSy » Thu Oct 22, 2015 8:21 am

Hi, sorry for the late reply.

I believe that if I call InjectDll more than 10 times on the process (for example, this is possible in your demo) it will call LoadLibrary more than 10 times. Once I call Uninject, it will disable hooks and call FreeLibrary up to 10 times. But the DLL will stay loaded in the process, dormant. Later, if I call Uninject again, it will do nothing because AutoUnhookCounter blocks it, but the DLL is still in the process.

Am I right?

PP
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm
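
The scenario EaSy describes above (more LoadLibrary calls than the capped Uninject loop can undo, after which AutoUnhookCounter blocks further attempts) and madshi's fix (marking the injected DLL's loader entry as static so LoadLibrary/FreeLibrary no longer touch its count) can be reproduced in a small counting model. This is a constructed illustration added here, not madCodeHook code; the cap of 10 FreeLibrary calls per Uninject, the 0xFFFF "static" sentinel, and the rule that one InjectDll equals one LoadLibrary are taken from the posts, while the exact way AutoUnhookCounter is reset is an assumption of the model.

```python
# Toy model of the load-count accounting discussed in this thread.
# Constructed illustration, not madCodeHook's own code. Assumptions
# (not taken from the library's source): each InjectDll does exactly one
# LoadLibrary; Uninject calls FreeLibrary at most MAX_UNLOAD_CALLS times
# (10, per the report) and then leaves AutoUnhookCounter at 0, which makes
# later Uninject calls no-ops; a load count of PINNED (0xFFFF) means the
# loader treats the module as statically linked and never unloads it.

PINNED = 0xFFFF          # loader sentinel for a statically linked module
MAX_UNLOAD_CALLS = 10    # cap on FreeLibrary calls per Uninject (assumed)


class ModuleEntry:
    """Minimal stand-in for a loader list entry: load count plus residency."""

    def __init__(self, pinned=False):
        self.load_count = PINNED if pinned else 0
        self.resident = False

    def load_library(self):
        self.resident = True
        if self.load_count != PINNED:
            self.load_count += 1

    def free_library(self):
        # A pinned entry ignores FreeLibrary entirely; an unpinned one
        # is unmapped when its count reaches zero.
        if not self.resident or self.load_count == PINNED:
            return
        self.load_count -= 1
        if self.load_count == 0:
            self.resident = False


class Injector:
    """Models InjectDll/UninjectDll bookkeeping around one module entry."""

    def __init__(self, entry):
        self.entry = entry
        self.auto_unhook_counter = 0

    def inject(self):
        self.entry.load_library()
        self.auto_unhook_counter += 1

    def uninject(self):
        """Return the number of FreeLibrary calls made (0 when blocked)."""
        if self.auto_unhook_counter == 0:
            return 0
        calls = 0
        while self.auto_unhook_counter > 0 and calls < MAX_UNLOAD_CALLS:
            self.entry.free_library()
            self.auto_unhook_counter -= 1
            calls += 1
        # Assumed: the capped loop leaves the counter at 0 regardless of
        # how many references were actually released.
        self.auto_unhook_counter = 0
        return calls


def run_scenario(injections, pinned):
    """Inject `injections` times, then Uninject twice; report the outcome."""
    entry = ModuleEntry(pinned=pinned)
    inj = Injector(entry)
    for _ in range(injections):
        inj.inject()
    first = inj.uninject()
    second = inj.uninject()
    return {
        "free_calls_first": first,
        "free_calls_second": second,
        "resident": entry.resident,
        "load_count": entry.load_count,
    }


if __name__ == "__main__":
    # 12 injections with a plain counted entry: 10 references released,
    # 2 left over, module still resident, second Uninject blocked.
    print("counted:", run_scenario(12, pinned=False))
    # Same sequence with the entry pinned: the count never moves and the
    # module stays resident by design, so no stale references accumulate.
    print("pinned: ", run_scenario(12, pinned=True))
```

The first scenario reproduces the stuck state from the report: the module stays mapped with two outstanding references while the counter that gates Uninject is already zero. The pinned variant shows why copying a static DLL's load count sidesteps the problem: the loader's own refcount is no longer what keeps the DLL resident, so the number of inject/uninject pairs cannot drift out of sync with it.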

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby madshi » Thu Oct 22, 2015 8:35 am

Oh, I see now. You're looking at the C++ code, right? I've made the changes to the Delphi code, and I thought that would be enough because the Delphi code is compiled into the CInjectThread32 array which is then used by the C++ code. But I missed the fact that I'm doing that for 32bit, only, so I still have to change the C++ code, to make the changes work in 64bit, too. Sorry about that, will do the same changes for the C++ code in the next build.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Postby EaSy » Thu Oct 22, 2015 1:34 pm

Great, thx.
EaSy
 
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm
