IsInjectionDriverRunning returns always FALSE on win7 32bit

c++ / delphi package - dll injection and api hooking


Postby wj_Lee » Mon Feb 15, 2016 7:43 am

Hi,

I've tried to check whether the driver is running or not by calling IsInjectionDriverRunning.

That API works well on Win 7 64-bit and Win 8 64-bit, but it always returns FALSE (whether the driver is running perfectly or not) on Win 7 32-bit.

Are there any constraints on using the API? (something like a madconfig option, etc.)

I'm currently using ver 3.1.10.

Sorry for my bad English.


Sincerely,
wj_Lee
 
Posts: 6
Joined: Tue Apr 28, 2015 12:29 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Postby madshi » Thu Feb 18, 2016 5:57 pm

Hi there,

you may need to be admin. Are you? The code is very simple. Here's the Delphi code:

Code:
function IsInjectionDriverRunning(driverName: PWideChar) : bool; stdcall;
var fh : THandle;
begin
  EnableAllPrivileges;
  // open the driver's device object through its symbolic link "\\.\<driverName>";
  // the link only exists while the driver is loaded and has created the device
  fh := CreateFileW(PWideChar('\\.\' + UnicodeString(driverName)), GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
  // a valid handle means the driver is running; the handle itself is not needed
  result := fh <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(fh);
end;
madshi
Site Admin
 
Posts: 10266
Joined: Sun Mar 21, 2004 5:25 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Postby wj_Lee » Fri Feb 19, 2016 8:48 am

Sure, my program requires the admin execution level and I have run it as admin.

There are no issues when calling LoadInjectionDriver and InjectLibraryW; they work well,

IsInjectionDriverRunning returns right result on 64bit OS.

But only Win 7 32-bit always returns FALSE, whether the driver is running or not
(I didn't test Win 8 or higher 32-bit, nor XP).

Here is my driver loading code:
Code:
   InitializeMadCHook();
   // register and start the kernel driver (32-bit or 64-bit image chosen by the OS)
   if(LoadInjectionDriver(DEF_MWPGHK_NAME, DEF_MWPGHK_DRV32_FILENAME, DEF_MWPGHK_DRV64_FILENAME))
   {
      // the 32-bit hook DLL is needed on every OS, the 64-bit one only on a 64-bit OS
      if(!InjectLibraryW(DEF_MWPGHK_NAME, DEF_MWPGHK_DLL32_FILENAME, ALL_SESSIONS, true, hookWhiteList))
      {
         DWORD dwError = GetLastError();
         g_LM.WriteLogW(L"Failed to load x86 DLL: %s : %d, 0x%X\n", DEF_MWPGHK_DLL32_FILENAME, dwError, dwError);
         nRet = dwError;
      }
      if(b64BitOS == TRUE)
      {
         if(!InjectLibraryW(DEF_MWPGHK_NAME, DEF_MWPGHK_DLL64_FILENAME, ALL_SESSIONS, true, hookWhiteList))
         {
            DWORD dwError = GetLastError();
            g_LM.WriteLogW(L"Failed to load x64 DLL: %s : %d, 0x%X\n", DEF_MWPGHK_DLL64_FILENAME, dwError, dwError);
            nRet = dwError;
         }
      }
   }
   else
   {
      DWORD dwError = GetLastError();
      g_LM.WriteLogW(L"Failed to Load Driver : %d, 0x%X\n", dwError, dwError);
      nRet = dwError;
   }
   FinalizeMadCHook();

And my checking code:
Code:
   // test the BOOL for non-zero rather than "== TRUE": a BOOL may hold any non-zero value
   if(IsInjectionDriverRunning(DEF_MWPGHK_NAME))
   {
      DWORD dwError = GetLastError();
      g_LM.WriteLogW(L"Hooking Driver is working well~: %d, 0x%X\n", dwError, dwError);
   }
   else
   {
      // GetLastError() here is the CreateFile error from inside IsInjectionDriverRunning
      DWORD dwError = GetLastError();
      g_LM.WriteLogW(L"Hooking Driver is NOT Running : %d, 0x%X\n", dwError, dwError);
      nRet = dwError;
   }
wj_Lee
 
Posts: 6
Joined: Tue Apr 28, 2015 12:29 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Postby madshi » Fri Feb 19, 2016 8:51 am

Well, you have the source code of IsInjectionDriverRunning. So I suppose CreateFile fails for you? What does GetLastError say after CreateFile fails?
madshi
Site Admin
 
Posts: 10266
Joined: Sun Mar 21, 2004 5:25 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Postby wj_Lee » Tue Feb 23, 2016 6:13 am

Oh, sorry. I didn't get it.

When I tested with the driver file names (DEF_MWPGHK_DRV32_FILENAME, DEF_MWPGHK_DRV64_FILENAME in my code),
it returns a valid file handle (not INVALID_HANDLE_VALUE) and the GetLastError() value is 0.

And with the driver name (DEF_MWPGHK_NAME), it returns INVALID_HANDLE_VALUE and the error value is 2.
Of course, the driver name is different from the driver file name and doesn't really exist in the folder.
wj_Lee
 
Posts: 6
Joined: Tue Apr 28, 2015 12:29 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Postby madshi » Tue Feb 23, 2016 8:40 am

Opening with the real file name means you're checking if the file exists on the hard disk.

Opening with the driver name means you're checking if the driver is running.

And an error code of 2 means ERROR_FILE_NOT_FOUND, which suggests that your driver was most probably *not* running, or there's an error with the driver name. Other than that, the only thing coming to my mind would be a Windows bug or something.
madshi
Site Admin
 
Posts: 10266
Joined: Sun Mar 21, 2004 5:25 pm
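The distinction madshi draws above (opening `\\.\<file path>` tests that a file exists on disk, opening `\\.\<driver name>` tests that the driver has a live device object) is easy to verify outside the application. The PowerShell function below is an added diagnostic, not madCodeHook's code and not code from this thread: it performs the same CreateFileW open that IsInjectionDriverRunning does, but reports the Win32 error instead of a bare boolean, refuses names that look like file paths, and cross-checks the driver's state in the service control manager through Win32_SystemDriver. It assumes the name passed to IsInjectionDriverRunning is also the driver's service name, which the thread does not state; the driver name in the example call is a placeholder.

```powershell
# Added diagnostic script; not part of madCodeHook and not code from this thread.
# Assumption: the name given to IsInjectionDriverRunning is also the driver's
# service name (the thread does not say so). Run from an elevated prompt.

Add-Type -Namespace DrvDiag -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Test-DriverDevice {
    param([Parameter(Mandatory = $true)][string]$DriverName)

    # A name with a path separator or a .sys suffix is a file name: opening
    # "\\.\C:\...\x.sys" only tests that the file exists on disk (the mix-up
    # discussed in the thread), it says nothing about whether the driver runs.
    if ($DriverName -match '[\\/]' -or $DriverName -like '*.sys') {
        throw "'$DriverName' looks like a file path; pass the device (driver) name instead."
    }

    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)

    $GENERIC_READ   = [uint32]0x80000000
    $FILE_SHARE_RW  = [uint32]3                       # FILE_SHARE_READ | FILE_SHARE_WRITE
    $OPEN_EXISTING  = [uint32]3
    $INVALID_HANDLE = [IntPtr]::Subtract([IntPtr]::Zero, 1)   # INVALID_HANDLE_VALUE

    # Same open that IsInjectionDriverRunning performs: the symbolic link
    # "\\.\<name>" exists only while the driver is loaded and owns that device.
    $h = [DrvDiag.Native]::CreateFileW("\\.\$DriverName", $GENERIC_READ, $FILE_SHARE_RW,
             [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $opened = ($h -ne $INVALID_HANDLE)
    if ($opened) { [void][DrvDiag.Native]::CloseHandle($h); $err = 0 }

    # Cross-check with the service control manager's view of the kernel driver.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'" `
               -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.State } else { 'NoSuchService' }

    $verdict = switch ($err) {
        0 { 'Running: device object opened' }
        2 { if ($state -eq 'Running') {
                'Driver service is running but no device \\.\' + $DriverName +
                ' exists (ERROR_FILE_NOT_FOUND): the device/symbolic link name differs from the service name'
            } else {
                'Not running: no device object for that name (ERROR_FILE_NOT_FOUND)'
            } }
        5 { 'Device exists but the open was refused (ERROR_ACCESS_DENIED); elevated = ' + $isAdmin }
        default { 'Open failed with Win32 error ' + $err }
    }

    [pscustomobject]@{
        DriverName   = $DriverName
        DeviceOpened = $opened
        Win32Error   = $err
        ServiceState = $state
        Elevated     = $isAdmin
        Verdict      = $verdict
    }
}

# Example call; 'MyHookDrv' is a placeholder for the real driver name.
Test-DriverDevice -DriverName 'MyHookDrv'
```

Read the two columns together: Win32Error 2 with ServiceState Running means the driver is loaded but its device is not reachable under the name you pass (so IsInjectionDriverRunning would be asked about the wrong name), Win32Error 2 with Stopped or NoSuchService means the driver simply is not loaded, and Win32Error 5 means the device exists but the caller lacks rights to open it, which is what madshi's "you may need to be admin" points at.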

