Unhooking on process destroy and manual uninject issues

c++ / delphi package - dll injection and api hooking
TCS
Posts: 33
Joined: Tue Aug 19, 2014 8:58 pm

Unhooking on process destroy and manual uninject issues

Post by TCS »

Hey,

I recently learned (through a post in this forum) that when I uninject all injected DLLs (injected using the driver) I don't need to unhook manually because all the functions get unhooked automatically before PROCESS_DETACH.
I have a few questions regarding this:

1. In case the process dies (is being closed), do I need to unhook the functions manually during PROCESS_DETACH, or is it done automatically before PROCESS_DETACH?
2. When I uninject manually (from the driver), I have an issue that a hooked function is being called during PROCESS_DETACH cleanup, which ultimately causes a crash because I am in the middle of cleanup. If I understand correctly that shouldn't happen because all the hooks should've been removed by that time. Am I right? And if so, how can I debug this issue?


Thanks!
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Unhooking on process destroy and manual uninject issues

Post by madshi »

1. When a process dies, the DLL is usually not even unloaded by Windows at all (Windows does that to speed up process closedown), so the hook stays installed "forever". Which is not a problem.

2. The driver does not have the ability to uninject! So I'm not sure what you mean with "When I uninject manually (from the driver)"? Uninjection is performed by madCodeHook's user mode library, not by the driver. The driver is just notified that it should stop injecting the dll into newly started processes. During PROCESS_DETACH all API hooks should already be removed. Are you *100% sure* that your hook callback function is called during PROCESS_DETACH?
TCS

Re: Unhooking on process destroy and manual uninject issues

Post by TCS »

2. When I wrote I uninject manually I meant using "UninjectAllLibraries()" function. Sorry, I thought it goes through the driver.
I will recheck again, but I am pretty sure.
I *sometimes* get a crash when CoCreateInstance() (my CoCreateInstance) is being called.
I just thought that I can recheck my claim by manually calling CoCreateInstance() in PROCESS_DETACH and see if it gets to the hook.

I'll update.
madshi

Re: Unhooking on process destroy and manual uninject issues

Post by madshi »

It asks the driver for the current injections, tells the driver to stop injecting, but the actual uninjection of the hook dll from all running processes is performed by the madCodeHook user mode code.
TCS

Re: Unhooking on process destroy and manual uninject issues

Post by TCS »

Hey,
Sorry it took me a few days.

I am sure that the hooks have not been removed before DLLMain() with DLL_PROCESS_DETACH.
I am hooking CoCreateInstance(), in the DLL_PROCESS_DETACH I called CoCreateInstance() and it reached my hooked function.

So what is the next step of debugging this ?
TCS

Re: Unhooking on process destroy and manual uninject issues

Post by TCS »

An update:
If I uninstall myself during DLL_PROCESS_DETACH it does work (tried 3 times, but looks okay so far). The point is that in some applications the functions are getting cleaned up successfully, so UnhookCode() fails with GetLastError()==0 (my last question).
So my current workaround is to always UnhookCode() in DLL_PROCESS_DETACH, and ignore the failure if GetLastError()==0. Does that workaround sound fine for now?

And what can we do to further check why it doesn't unhook?
madshi

Re: Unhooking on process destroy and manual uninject issues

Post by madshi »

Thing is, even if auto-unhooking as part of the uninjection doesn't work, in the moment when you call FinalizeMadCHook() in DLL_PROCESS_DETACH (you do call it?) there's a 2nd layer of auto-unhooking which again tries to unhook all hooked APIs. So it makes no sense to me that manually calling UnhookCode/API() during DLL_PROCESS_DETACH would make any difference for you.

That said, calling it shouldn't hurt.
TCS

Re: Unhooking on process destroy and manual uninject issues

Post by TCS »

I do call it, but I am calling it after the cleanup. I'll call it first.
I will also call the unhook manually (just to be sure....)

The current workaround works fine for me.

Do you want me to help out debugging the auto-unhook? It's pretty easy for me to reproduce....
madshi

Re: Unhooking on process destroy and manual uninject issues

Post by madshi »

Please call FinalizeMadCHook as the last thing you do. Calling other APIs after FinalizeMadCHook is not good, because some important stuff (like global critical sections etc) might already be finalized.

Can you reproduce this problem with a little test project? That would be the easiest and best way for me to look into it.

One other option would be to debug the madCodeHook source code, but for that you'd need to have it? Do you have a Company Source Edition license?
TCS

Re: Unhooking on process destroy and manual uninject issues

Post by TCS »

1. Okay, I'll move FinalizeMadCHook to be the last thing in the DLL_PROCESS_DETACH (that means that manual unhook will actually perform the unhooking).
2. I will try to reproduce it in a small project
3. No I don't
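The pattern the thread converges on (disarm the callbacks first, do your own cleanup, unhook explicitly while tolerating an already-removed hook, and call FinalizeMadCHook as the very last thing) as one Delphi hook DLL. This is an added example, not code from the thread or from madshi's own samples; the names HookAPI, UnhookCode, InitializeMadCHook and FinalizeMadCHook are madCodeHook's, the Unloading flag, the CoCreateInstance callback, the DllMainProc handler and the debug-string output are hypothetical illustrations. The example guards against exactly the failure described above: a hook that is still installed when DLL_PROCESS_DETACH runs and whose callback would otherwise touch state the DLL has already freed.

```delphi
library HookDemo;

{ Added example, not madCodeHook's or the thread's own code. Assumes
  madCodeHook's Delphi unit (madCodeHook.pas) is on the unit path and that
  the DLL is injected with madCodeHook; everything except the four madCodeHook
  calls is a hypothetical illustration. }

uses
  Windows, madCodeHook;

var
  // set at the start of DLL_PROCESS_DETACH; every hook callback checks it
  Unloading: boolean = false;
  // trampoline to the original CoCreateInstance, filled in by HookAPI
  CoCreateInstanceNext: function (rclsid, pUnkOuter: pointer; dwClsContext: dword;
                                  riid: pointer; out ppv: pointer): HRESULT; stdcall;

function CoCreateInstanceCallback(rclsid, pUnkOuter: pointer; dwClsContext: dword;
                                  riid: pointer; out ppv: pointer): HRESULT; stdcall;
begin
  // During teardown the hook may still be installed (the thread shows it can be).
  // Then the callback must not touch any of this DLL's objects, which may already
  // be freed: pass straight through to the original function and nothing else.
  if Unloading then
  begin
    result := CoCreateInstanceNext(rclsid, pUnkOuter, dwClsContext, riid, ppv);
    exit;
  end;
  // normal path: the instrumentation the hook exists for goes here (hypothetical)
  OutputDebugStringA('CoCreateInstance called');
  result := CoCreateInstanceNext(rclsid, pUnkOuter, dwClsContext, riid, ppv);
end;

procedure DllMainProc(reason: integer);
begin
  case reason of
    DLL_PROCESS_DETACH:
    begin
      // 1. disarm the callbacks first, so a late call through a still-installed
      //    hook is harmless whatever happens below
      Unloading := true;

      // 2. the DLL's own cleanup (free objects, close handles) goes here, while
      //    madCodeHook is still fully initialized

      // 3. unhook explicitly. A failed UnhookCode with GetLastError = 0 means the
      //    hook was already removed by uninjection, which is the expected case;
      //    anything else is worth logging
      if (not UnhookCode(@CoCreateInstanceNext)) and (GetLastError <> 0) then
        OutputDebugStringA('UnhookCode(CoCreateInstance) failed');

      // 4. FinalizeMadCHook must be the last thing: its global critical sections
      //    and other state are gone afterwards, so no madCodeHook call may follow
      FinalizeMadCHook;
    end;
  end;
end;

begin
  InitializeMadCHook;
  if not HookAPI('ole32.dll', 'CoCreateInstance',
                 @CoCreateInstanceCallback, @CoCreateInstanceNext) then
    OutputDebugStringA('HookAPI(CoCreateInstance) failed');
  DllProc := @DllMainProc;
end.
```

The order inside DLL_PROCESS_DETACH is the point: setting Unloading before any cleanup means the check TCS used (calling the hooked API from DLL_PROCESS_DETACH and seeing whether it lands in the callback) can no longer crash the host even when the automatic unhooking did not happen, and moving FinalizeMadCHook to the end is what makes the explicit UnhookCode call actually perform the unhook rather than run against already-finalized library state.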