Unhooking on process destroy and manual uninject issues

c++ / delphi package - dll injection and api hooking

Postby TCS » Thu Feb 18, 2016 11:35 am

Hey,

I recently learned (through a post in this forum) that when I uninject all injected DLLs (injected using the driver) I don't need to unhook manually, because all the functions get unhooked automatically before PROCESS_DETACH.
I have a few questions regarding this:

1. In case the process dies (is being closed), do I need to unhook the functions manually during PROCESS_DETACH, or is it done automatically before PROCESS_DETACH?
2. When I uninject manually (from the driver), I have an issue where a hooked function is being called during PROCESS_DETACH cleanup, which ultimately causes a crash because I am in the middle of cleanup. If I understand correctly, that shouldn't happen because all the hooks should have been removed by that time. Am I right? And if so, how can I debug this issue?


Thanks!
TCS
 
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm

Re: Unhooking on process destroy and manual uninject issues

Postby madshi » Thu Feb 18, 2016 2:07 pm

1. When a process dies, the DLL is usually not even unloaded by Windows at all (Windows does that to speed up process closedown), so the hook stays installed "forever". Which is not a problem.

2. The driver does not have the ability to uninject! So I'm not sure what you mean by "When I uninject manually (from the driver)"? Uninjection is performed by madCodeHook's user mode library, not by the driver. The driver is just notified that it should stop injecting the dll into newly started processes. During PROCESS_DETACH all API hooks should already be removed. Are you *100% sure* that your hook callback function is called during PROCESS_DETACH?
madshi
Site Admin
 
Posts: 10268
Joined: Sun Mar 21, 2004 5:25 pm

Re: Unhooking on process destroy and manual uninject issues

Postby TCS » Thu Feb 18, 2016 2:14 pm

2. When I wrote that I uninject manually I meant using the "UninjectAllLibraries()" function. Sorry, I thought it went through the driver.
I will recheck again, but I am pretty sure.
I *sometimes* get a crash when CoCreateInstance() (my CoCreateInstance) is being called.
I just thought that I can recheck my claim by manually calling CoCreateInstance() in PROCESS_DETACH and seeing if it gets to the hook.

I'll update.

Re: Unhooking on process destroy and manual uninject issues

Postby madshi » Thu Feb 18, 2016 2:17 pm

It asks the driver for the current injections, tells the driver to stop injecting, but the actual uninjection of the hook dll from all running processes is performed by the madCodeHook user mode code.

Re: Unhooking on process destroy and manual uninject issues

Postby TCS » Sun Feb 21, 2016 12:18 pm

Hey,
Sorry it took me a few days.

I am sure that the hooks have not been removed before DllMain() with DLL_PROCESS_DETACH.
I am hooking CoCreateInstance(); in the DLL_PROCESS_DETACH I called CoCreateInstance() and it reached my hooked function.

So what is the next step of debugging this ?

Re: Unhooking on process destroy and manual uninject issues

Postby TCS » Sun Feb 21, 2016 12:53 pm

An update:
If I uninstall myself during DLL_PROCESS_DETACH it does work (tried 3 times, but looks okay so far). The point is that in some applications the functions are getting cleaned up successfully, so UnhookCode() fails with GetLastError()==0 (my last question).
So my current workaround is to always UnhookCode() in DLL_PROCESS_DETACH, and ignore the failure if GetLastError()==0. Does that workaround sound fine for now?

And what can we do to further check why it doesn't unhook?

Re: Unhooking on process destroy and manual uninject issues

Postby madshi » Tue Feb 23, 2016 6:09 pm

Thing is, even if auto-unhooking as part of the uninjection doesn't work, in the moment when you call FinalizeMadCHook() in DLL_PROCESS_DETACH (you do call it?) there's a 2nd layer of auto-unhooking which again tries to unhook all hooked APIs. So it makes no sense to me that manually calling UnhookCode/API() during DLL_PROCESS_DETACH would make any difference for you.

That said, calling it shouldn't hurt.

Re: Unhooking on process destroy and manual uninject issues

Postby TCS » Wed Feb 24, 2016 12:43 pm

I do call it, but I am calling it after the cleanup. I'll call it first.
I will also call the unhook manually (just to be sure....)

The current workaround works fine for me.

Do you want me to help out debugging the auto-unhook? It's pretty easy for me to reproduce....

Re: Unhooking on process destroy and manual uninject issues

Postby madshi » Wed Feb 24, 2016 1:38 pm

Please call FinalizeMadCHook as the last thing you do. Calling other APIs after FinalizeMadCHook is not good, because some important stuff (like global critical sections etc) might already be finalized.

Can you reproduce this problem with a little test project? That would be the easiest and best way for me to look into it.

One other option would be to debug the madCodeHook source code, but for that you'd need to have it? Do you have a Company Source Edition license?

Re: Unhooking on process destroy and manual uninject issues

Postby TCS » Sat Feb 27, 2016 8:32 pm

1. Okay, I'll move FinalizeMadCHook to be the last thing in the DLL_PROCESS_DETACH (that means that manual unhook will actually perform the unhooking).
2. I will try to reproduce it in a small project
3. No I don't
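The teardown order the thread converges on (unhook each hook yourself, treat a FALSE return with GetLastError()==0 as "already removed by the library's auto-unhook", and call FinalizeMadCHook() as the very last thing in DLL_PROCESS_DETACH), written out as an added example. This is not code posted in the thread and not madCodeHook's own code. It assumes madCodeHook's C/C++ header madCHook.h with InitializeMadCHook, HookAPI, UnhookCode and FinalizeMadCHook declared as in the library's documentation; the names g_nextCoCreateInstance, TeardownHooks and TeardownStats are this example's own. Outside Windows there is no madCodeHook, so the block carries a small stand-in that models only the behaviour TCS reports (UnhookCode failing with error 0 for a hook that is already gone); that stand-in is an assumption of the example, not a description of the library's internals.

```cpp
// Added example, not madCodeHook's code: teardown order for a hook DLL.
//   1. UnhookCode() each hook; FALSE + GetLastError()==0 means the library's
//      auto-unhook already removed it, which is not an error.
//   2. FinalizeMadCHook() last; no library call may follow it.
#include <cstdio>

#ifdef _WIN32
#include <windows.h>
#include "madCHook.h"   // assumed: madCodeHook's C/C++ header on the include path
#else
// Stand-in for running the teardown logic outside Windows (assumption of this
// example): a hook counts as installed while its next-hook pointer is non-null,
// and UnhookCode() on an already-removed hook fails with GetLastError()==0.
typedef int           BOOL;
typedef unsigned long DWORD;
typedef void*         PVOID;
#define TRUE  1
#define FALSE 0
static DWORD g_lastError = 0;
static bool  g_finalized = false;
static int   g_callsAfterFinalize = 0;   // library calls after FinalizeMadCHook(): must stay 0
static DWORD GetLastError() { return g_lastError; }
static BOOL UnhookCode(PVOID* nextHook) {
    if (g_finalized) ++g_callsAfterFinalize;
    if (*nextHook == nullptr) { g_lastError = 0; return FALSE; }   // already unhooked
    *nextHook = nullptr;
    return TRUE;
}
static void FinalizeMadCHook() { g_finalized = true; }
#endif

// One next-hook pointer per installed hook; HookAPI() fills it in.
static PVOID g_nextCoCreateInstance = nullptr;

#ifdef _WIN32
// Pass-through callback: the original API is reached through the next-hook pointer.
static HRESULT WINAPI CoCreateInstanceCallback(REFCLSID rclsid, LPUNKNOWN pUnkOuter,
                                               DWORD dwClsContext, REFIID riid, LPVOID* ppv) {
    typedef HRESULT (WINAPI *Fn)(REFCLSID, LPUNKNOWN, DWORD, REFIID, LPVOID*);
    return ((Fn)g_nextCoCreateInstance)(rclsid, pUnkOuter, dwClsContext, riid, ppv);
}
#endif

struct HookSlot { const char* name; PVOID* next; };
static HookSlot g_hooks[] = {
    { "ole32.dll!CoCreateInstance", &g_nextCoCreateInstance },
};

struct TeardownStats { int removedHere; int alreadyRemoved; int failed; };

// Unhook everything this DLL installed, then finalize. FinalizeMadCHook() is the
// last statement on purpose: library state (critical sections etc.) is gone after it.
static TeardownStats TeardownHooks() {
    TeardownStats s{};
    for (HookSlot& h : g_hooks) {
        if (UnhookCode(h.next)) {
            ++s.removedHere;
        } else if (GetLastError() == 0) {
            ++s.alreadyRemoved;          // auto-unhook got there first: ignore
        } else {
            ++s.failed;
            std::fprintf(stderr, "UnhookCode(%s) failed, error %lu\n",
                         h.name, (unsigned long)GetLastError());
        }
    }
    FinalizeMadCHook();
    return s;
}

#ifdef _WIN32
BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) {
        InitializeMadCHook();
        HookAPI("ole32.dll", "CoCreateInstance", (PVOID)CoCreateInstanceCallback,
                &g_nextCoCreateInstance, 0);
    } else if (reason == DLL_PROCESS_DETACH) {
        TeardownHooks();                 // unhook first, FinalizeMadCHook() last
    }
    return TRUE;
}
#else
int main() {
    g_nextCoCreateInstance = (PVOID)&g_nextCoCreateInstance;   // pretend the hook is installed
    TeardownStats s = TeardownHooks();
    std::printf("removed=%d already=%d failed=%d\n", s.removedHere, s.alreadyRemoved, s.failed);
    return s.failed == 0 ? 0 : 1;
}
#endif
```

On Windows the block is a complete hook DLL skeleton; the only ordering that matters is inside TeardownHooks(), where the loop over g_hooks runs to completion before FinalizeMadCHook(). If a hook callback could still be reached after the loop, that is the symptom TCS describes, and the counters give a quick way to see whether the manual UnhookCode() did the work (removedHere) or the auto-unhook already had (alreadyRemoved).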

