IsInjectionDriverRunning returns always FALSE on win7 32bit

c++ / delphi package - dll injection and api hooking
wj_Lee
Posts: 7
Joined: Tue Apr 28, 2015 12:29 pm

IsInjectionDriverRunning returns always FALSE on win7 32bit

Post by wj_Lee »

Hi,

I've tried to check whether the driver is running or not by calling IsInjectionDriverRunning.

That API works well on Win 7 64-bit and Win 8 64-bit, but it always returns FALSE (whether the driver is running perfectly or not) on Win 7 32-bit.

Are there any constraints on using the API (something like a madconfig option, etc.)?

I'm currently using version 3.1.10.

Sorry for my bad English.


Sincerely,
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Post by madshi »

Hi there,

You may need to be admin. Are you? The code is very simple. Here's the Delphi code:


// Returns TRUE if a device object named "\\.\<driverName>" can be opened,
// i.e. the kernel driver is loaded and has created its device.
function IsInjectionDriverRunning(driverName: PWideChar) : bool; stdcall;
var fh : THandle;
begin
  EnableAllPrivileges;  // enable every privilege in the caller's token first
  // Open the name in the Win32 device namespace ("\\.\"), not a file on disk.
  fh := CreateFileW(PWideChar('\\.\' + UnicodeString(driverName)), GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
  // Any failure (e.g. ERROR_FILE_NOT_FOUND, ERROR_ACCESS_DENIED) collapses to FALSE;
  // call GetLastError right after this function to see which one it was.
  result := fh <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(fh);
end;
wj_Lee
Posts: 7
Joined: Tue Apr 28, 2015 12:29 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Post by wj_Lee »

Sure, my program requires the admin execution level and I have run it as admin.

There are no issues when calling LoadInjectionDriver and InjectLibraryW; they work well, and

IsInjectionDriverRunning returns the right result on 64-bit OSes.

But only Win 7 32-bit always returns FALSE, whether the driver is running or not.
(I haven't tested Win 8 or higher 32-bit, nor XP.)

Here is my driver loading code:


	// DEF_MWPGHK_* constants, g_LM (logger), nRet, hookWhiteList and b64BitOS
	// are defined elsewhere in the poster's project.
	InitializeMadCHook();
	// Load (or start) the kernel driver under the name DEF_MWPGHK_NAME; the 32-bit
	// and 64-bit .sys files are passed so the matching one is used.
	if(LoadInjectionDriver(DEF_MWPGHK_NAME, DEF_MWPGHK_DRV32_FILENAME, DEF_MWPGHK_DRV64_FILENAME))
	{
		// Inject the 32-bit hook DLL into all sessions.
		if(!InjectLibraryW(DEF_MWPGHK_NAME, DEF_MWPGHK_DLL32_FILENAME, ALL_SESSIONS, true, hookWhiteList))
		{
			DWORD dwError = GetLastError();
			g_LM.WriteLogW(L"Failed to load x86 DLL: %s : %d, 0x%X\n", DEF_MWPGHK_DLL32_FILENAME, dwError, dwError);
			nRet = dwError;
		}
		// On a 64-bit OS the 64-bit hook DLL is needed as well.
		if(b64BitOS == TRUE)
		{
			if(!InjectLibraryW(DEF_MWPGHK_NAME, DEF_MWPGHK_DLL64_FILENAME, ALL_SESSIONS, true, hookWhiteList))
			{
				DWORD dwError = GetLastError();
				g_LM.WriteLogW(L"Failed to load x64 DLL: %s : %d, 0x%X\n", DEF_MWPGHK_DLL64_FILENAME, dwError, dwError);
				nRet = dwError;
			}
		}
	}
	else
	{
		DWORD dwError = GetLastError();
		g_LM.WriteLogW(L"Failed to Load Driver : %d, 0x%X\n", dwError, dwError);
		nRet = dwError;
	}
	FinalizeMadCHook();
And my checking code:


	// Same driver name as passed to LoadInjectionDriver, not the .sys file name.
	if(IsInjectionDriverRunning(DEF_MWPGHK_NAME) == TRUE)
	{
		// GetLastError() is not meaningful after a successful call; logged here for symmetry only.
		DWORD dwError = GetLastError();
		g_LM.WriteLogW(L"Hooking Driver is working well~: %d, 0x%X\n", dwError, dwError);
	}
	else
	{
		// Reflects the CreateFileW failure inside IsInjectionDriverRunning (e.g. 2 = ERROR_FILE_NOT_FOUND).
		DWORD dwError = GetLastError();
		g_LM.WriteLogW(L"Hooking Driver is NOT Running : %d, 0x%X\n", dwError, dwError);
		nRet = dwError;
	}
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Post by madshi »

Well, you have the source code of IsInjectionDriverRunning. So I suppose CreateFile fails for you? What does GetLastError say after CreateFile fails?
wj_Lee
Posts: 7
Joined: Tue Apr 28, 2015 12:29 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Post by wj_Lee »

Oh, sorry. I didn't get it.

When I tested with the driver file names (DEF_MWPGHK_DRV32_FILENAME, DEF_MWPGHK_DRV64_FILENAME in my code),
it returned a valid file handle (not INVALID_HANDLE_VALUE) and the GetLastError() value is 0.

And with the driver name (DEF_MWPGHK_NAME), it returned INVALID_HANDLE_VALUE and the error value is 2.
Of course, the driver name is different from the driver file name and does not really exist in the folder.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Post by madshi »

Opening with the real file name means you're checking if the file exists on the harddisk.

Opening with the driver name means you're checking if the driver is running.

And an error code of 2 means ERROR_FILE_NOT_FOUND, which suggests that your driver was most probably *not* running, or there's an error with the driver name. Other than that, the only thing coming to my mind would be a Windows bug or something.
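Added diagnostic (not part of the thread and not madCodeHook's own code): the PowerShell below does exactly what the Delphi IsInjectionDriverRunning above does, a CreateFileW on "\\.\<driverName>" with GENERIC_READ, share read/write, OPEN_EXISTING, but keeps the Win32 error instead of collapsing it to FALSE, so ERROR_FILE_NOT_FOUND (no device object, the case in this thread) is told apart from ERROR_ACCESS_DENIED (device present, token not allowed to open it). It also cross-checks the kernel service state and, optionally, shows that opening the .sys path only proves the file is on disk. It assumes the name given to LoadInjectionDriver is both the device name under "\\.\" and the kernel service name; both are assumptions, as is the Win32Check.Kernel32 helper type name.

```powershell
# Added example, not madCodeHook code. Assumptions: the driver name passed to
# LoadInjectionDriver is also the device name under \\.\ and the kernel service name.
param(
    [Parameter(Mandatory = $true)] [string] $DriverName,
    [string] $DriverFile   # optional: path to the .sys, to show the on-disk contrast
)

# P/Invoke CreateFileW/CloseHandle so the raw Win32 error is available (hypothetical helper type name).
if (-not ('Win32Check.Kernel32' -as [type])) {
    Add-Type -Namespace Win32Check -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
}
$Kernel32 = [Win32Check.Kernel32]

# Same flags the Delphi function uses.
$GENERIC_READ         = [uint32]2147483648   # 0x80000000
$FILE_SHARE_READ      = [uint32]1
$FILE_SHARE_WRITE     = [uint32]2
$OPEN_EXISTING        = [uint32]3
$INVALID_HANDLE_VALUE = [IntPtr](-1)

function Test-DeviceOpen {
    # Opens "\\.\<Name>" in the Win32 device namespace and reports *why* it failed.
    param([string] $Name)
    $devicePath = "\\.\$Name"   # device object name, not a path on disk
    $h = $Kernel32::CreateFileW($devicePath, $GENERIC_READ, ($FILE_SHARE_READ -bor $FILE_SHARE_WRITE),
                                [IntPtr]::Zero, $OPEN_EXISTING, [uint32]0, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -ne $INVALID_HANDLE_VALUE) {
        [void]$Kernel32::CloseHandle($h)
        return [pscustomobject]@{ Path = $devicePath; Running = $true; Win32Error = 0; Meaning = 'device opened' }
    }
    $meaning = switch ($err) {
        2       { 'ERROR_FILE_NOT_FOUND: no device object with this name; the driver is not loaded or the name is wrong' }
        5       { 'ERROR_ACCESS_DENIED: the device exists but this token may not open it; run elevated' }
        default { "unexpected Win32 error $err" }
    }
    return [pscustomobject]@{ Path = $devicePath; Running = $false; Win32Error = $err; Meaning = $meaning }
}

function Get-DriverServiceState {
    # Cross-check via the service control manager view of kernel drivers.
    param([string] $Name)
    $escaped = $Name.Replace('\', '\\').Replace("'", "\'")   # WQL string escaping
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = '$escaped'"
    if (-not $drv) { return "no kernel driver service named '$Name' is registered" }
    return "service '$($drv.Name)': State=$($drv.State), StartMode=$($drv.StartMode), Path=$($drv.PathName)"
}

Test-DeviceOpen -Name $DriverName | Format-List
Get-DriverServiceState -Name $DriverName
if ($DriverFile) {
    # What the poster's first test measured: a plain path only proves the .sys exists on disk.
    "file on disk '$DriverFile' exists: $(Test-Path -LiteralPath $DriverFile)"
}
```

Run it elevated from the same bitness of PowerShell as the process that will call IsInjectionDriverRunning. Win32Error 2 with a registered service in state "Running" points at a device name that differs from the service name; Win32Error 2 with no registered service means the driver was never loaded under that name.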