IsInjectionDriverRunning returns always FALSE on win7 32bit

Posted: Mon Feb 15, 2016 7:43 am
by wj_Lee
Hi,

I've tried to check whether the driver is running or not by calling IsInjectionDriverRunning.

That API works well on Win 7 64-bit and Win 8 64-bit, but it always returns FALSE (whether the driver is running perfectly or not) on Win7 32-bit.

Are there any constraints on using the API? (something like a madconfig option, etc...)

I'm currently using ver 3.1.10

Sorry for my bad English


Sincerely,

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Posted: Thu Feb 18, 2016 5:57 pm
by madshi
Hi there,

you may need to be admin. Are you? The code is very simple. Here's the Delphi code:

Code:

function IsInjectionDriverRunning(driverName: PWideChar) : bool; stdcall;
var fh : THandle;
begin
  EnableAllPrivileges;
  // open the driver's device by name ("\\.\<driverName>"), not the .sys file on disk
  fh := CreateFileW(PWideChar('\\.\' + UnicodeString(driverName)), GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
  result := fh <> INVALID_HANDLE_VALUE;
  if result then
    CloseHandle(fh);
end;

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Posted: Fri Feb 19, 2016 8:48 am
by wj_Lee
Sure, my program requires admin execution level and I have run it as admin.

There are no issues when calling LoadInjectionDriver and InjectLibraryW, and they work well.

IsInjectionDriverRunning returns the right result on 64-bit OS.

But only Win7 32-bit always returns FALSE, whether the driver is running or not.
(I haven't tested Win 8 or higher 32-bit, nor XP.)

Here is my driver loading code,

Code:

	InitializeMadCHook();
	if(LoadInjectionDriver(DEF_MWPGHK_NAME, DEF_MWPGHK_DRV32_FILENAME, DEF_MWPGHK_DRV64_FILENAME))
	{
		if(!InjectLibraryW(DEF_MWPGHK_NAME, DEF_MWPGHK_DLL32_FILENAME, ALL_SESSIONS, true, hookWhiteList))		
		{
			DWORD dwError = GetLastError();
			g_LM.WriteLogW(L"Failed to load x86 DLL: %s : %d, 0x%X\n", DEF_MWPGHK_DLL32_FILENAME, dwError, dwError);
			nRet = dwError;
		}
		if(b64BitOS == TRUE)
		{
			if(!InjectLibraryW(DEF_MWPGHK_NAME, DEF_MWPGHK_DLL64_FILENAME, ALL_SESSIONS, true, hookWhiteList))			
			{
				DWORD dwError = GetLastError();
				g_LM.WriteLogW(L"Failed to load x64 DLL: %s : %d, 0x%X\n", DEF_MWPGHK_DLL64_FILENAME, dwError, dwError);
				nRet = dwError;

			}
		}
	}
	else
	{
		DWORD dwError = GetLastError();
		g_LM.WriteLogW(L"Failed to Load Driver : %d, 0x%X\n", dwError, dwError);
		nRet = dwError;
	}
	FinalizeMadCHook();

And my checking code:

Code:

	if(IsInjectionDriverRunning(DEF_MWPGHK_NAME) == TRUE)
	{
		DWORD dwError = GetLastError();
		g_LM.WriteLogW(L"Hooking Driver is working well~: %d, 0x%X\n", dwError, dwError);		
	}
	else
	{
		DWORD dwError = GetLastError();
		g_LM.WriteLogW(L"Hooking Driver is NOT Running : %d, 0x%X\n", dwError, dwError);
		nRet = dwError;		
	}

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Posted: Fri Feb 19, 2016 8:51 am
by madshi
Well, you have the source code of IsInjectionDriverRunning. So I suppose CreateFile fails for you? What does GetLastError say after CreateFile fails?

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Posted: Tue Feb 23, 2016 6:13 am
by wj_Lee
Oh, sorry. I didn't get it.

When I tested with the driver file names (DEF_MWPGHK_DRV32_FILENAME, DEF_MWPGHK_DRV64_FILENAME in my code),
it returns a valid file handle (not INVALID_HANDLE_VALUE) and the GetLastError() value is 0.

And with the driver name (DEF_MWPGHK_NAME), it returns INVALID_HANDLE_VALUE and the error value is 2.
Of course, the driver name is different from the driver file name and does not really exist in the folder.

Re: IsInjectionDriverRunning returns always FALSE on win7 32

Posted: Tue Feb 23, 2016 8:40 am
by madshi
Opening with the real file name means you're checking if the file exists on the hard disk.

Opening with the driver name means you're checking if the driver is running.

And an error code of 2 means ERROR_FILE_NOT_FOUND, which suggests that your driver was most probably *not* running, or there's an error with the driver name. Other than that, the only thing coming to my mind would be a Windows bug or something.
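
A diagnostic variant of the check discussed in this thread, as an added example that is not part of the original posts and is not madCodeHook's own code. It keeps the Win32 error code instead of collapsing the result to a bool. The names `build_device_path`, `classify_open_error` and `probe_driver` are hypothetical, and rejecting names that contain a path separator is an assumption of this example.

```c
/* Added example (not madCodeHook code): device-open probe that keeps the error. */
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef enum { PROBE_RUNNING, PROBE_NO_DEVICE, PROBE_ACCESS_DENIED,
               PROBE_BAD_NAME, PROBE_OTHER } probe_result;
/* Build "\\.\<name>". A name holding a path separator is rejected: it is
   probably a .sys file path, which tests the disk, not the driver. */
int build_device_path(const wchar_t *name, wchar_t *out, size_t cap)
{
    static const wchar_t prefix[] = L"\\\\.\\";
    size_t plen = wcslen(prefix), nlen;
    if (!name || !*name || wcspbrk(name, L"\\/")) return 0;
    nlen = wcslen(name);
    if (plen + nlen + 1 > cap) return 0;      /* no room for the terminator */
    wmemcpy(out, prefix, plen);
    wmemcpy(out + plen, name, nlen + 1);      /* copies the terminator too */
    return 1;
}

/* Interpret GetLastError() after the open failed. */
probe_result classify_open_error(unsigned long err)
{
    switch (err) {
    case 2:  /* ERROR_FILE_NOT_FOUND */
    case 3:  /* ERROR_PATH_NOT_FOUND */ return PROBE_NO_DEVICE;
    case 5:  /* ERROR_ACCESS_DENIED  */ return PROBE_ACCESS_DENIED;
    default: return PROBE_OTHER;
    }
}

#ifdef _WIN32
probe_result probe_driver(const wchar_t *name, unsigned long *err)
{
    wchar_t path[260];
    HANDLE h;
    *err = 0;
    if (!build_device_path(name, path, 260)) return PROBE_BAD_NAME;
    h = CreateFileW(path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                    NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) {
        *err = GetLastError();                /* read before any other call */
        return classify_open_error(*err);
    }
    CloseHandle(h);
    return PROBE_RUNNING;
}
#endif
```

Logging the returned code next to the result separates "no such device" (2 or 3) from a privilege problem (5), which a plain TRUE/FALSE return cannot do.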