Driver InjectLibrary from folder

Postby ameetmalekar » Wed Jun 01, 2016 9:11 am

I am trying to call InjectLibraryA (injection driver) in a C++ exe, InJDrv.exe, with the include mask holding the full path of the target exe (in which the dll is going to be injected). But when I execute InJDrv.exe it crashes.

Exe crashes on InjectLibraryA function.

It fails for
InjectLibraryA("TestInjectionDriver","Hook32.dll",-2,true,"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE",NULL,NULL,7000);
OR
InjectLibraryA("TestInjectionDriver","Hook32.dll",-2,true,"C:\\Program Files (x86)\\Internet Explorer\\*.EXE",NULL,NULL,7000);

It works if I give only the exe name.
ameetmalekar
 
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Driver InjectLibrary from folder

Postby madshi » Wed Jun 01, 2016 9:19 am

Did you call InitializeMadCHook() before calling InjectLibraryA()?
madshi
Site Admin
 
Posts: 9275
Joined: Sun Mar 21, 2004 5:25 pm

Re: Driver InjectLibrary from folder

Postby ameetmalekar » Mon Jun 13, 2016 9:56 am

Seems there was some issue with the project settings. Created a fresh project and now it is working.
ameetmalekar
 
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Driver InjectLibrary from folder

Postby ameetmalekar » Tue Jun 14, 2016 6:38 am

I am facing another issue.
I need to inject a dll in a "path mask" from the driver. Is there any way to give the path mask as a relative path instead of a full path?

It is working if I give the path mask as "C:\Program Files\MyApps\*.exe"
But it is not working if the path in the "path mask" is relative, as "MyApps\*.exe" or "\MyApps\*.exe"

We do not know where the MyApps application is installed on target PCs (in C:\Program Files or D:\Program Files or any other custom location).
ameetmalekar
 
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Driver InjectLibrary from folder

Postby madshi » Tue Jun 14, 2016 7:54 am

Good question. I'm not fully sure what the string comparison routines will do with a relative path. Never tried that. Have you tried if it works?
madshi
Site Admin
 
Posts: 9275
Joined: Sun Mar 21, 2004 5:25 pm

Re: Driver InjectLibrary from folder

Postby ameetmalekar » Tue Jun 14, 2016 8:55 am

Yes, I tried with relative path (or full path substring) but it is not working. It only works on full path or only exe name.
ameetmalekar
 
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Driver InjectLibrary from folder

Postby madshi » Tue Jun 14, 2016 9:22 am

Oh well. I guess you can try to find out the full path in user mode? Shouldn't be too hard. Most applications have their paths stored in the registry somewhere.

I'm not sure if I should change the string parsing routines just for one customer. You're the first customer ever asking for this. Changing the routines can introduce regressions... :(
madshi
Site Admin
 
Posts: 9275
Joined: Sun Mar 21, 2004 5:25 pm

Re: Driver InjectLibrary from folder

Postby ameetmalekar » Tue Jun 14, 2016 11:59 am

Before raising this to you, we already gave a thought of using registry for solution but it will only work for a known target application pool.
Meanwhile there are certain executables which are not installed and just copied on the system OR they do not have any installation path in Registry.

The reasons we need to use relative paths as path masks are
  • Path masks can be written in external configuration file
  • Target applications may have different methods to get absolute path, so if target application changes we need to recompile code.
  • We came across some portable target applications which do not have any registry entry but their folder name (relative path) is always the same.

Currently we are using our own driver but for stability and maintenance purpose we thought of shifting to Madshi driver. We suggest it as "Good to have feature" to increase productivity on a wider scale.
ameetmalekar
 
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Driver InjectLibrary from folder

Postby madshi » Tue Jun 14, 2016 1:26 pm

Well, I usually require at least 3 independent users to ask for a specific feature before I consider adding it. Nobody else has ever asked me for support for relative paths, so I have my doubts if there's any real demand for that. Isn't filtering by EXE name good enough?

You could filter by EXE name, and then in DllMain(PROCESS_ATTACH) check in more detail if you want the current process to be hooked. If not, you can skip all of DllMain and let the DLL sit idle in the process. Shouldn't harm?
madshi
Site Admin
 
Posts: 9275
Joined: Sun Mar 21, 2004 5:25 pm
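
One way to do the detailed check suggested above for DllMain(PROCESS_ATTACH), shown as an added example that is not madCodeHook code and not code from this thread: the DLL is injected by EXE name only, then compares its host process path against a relative mask and stays idle on a mismatch. The function names and the mask rules ('*' and '?' never cross a backslash, the mask must start at a folder boundary) are assumptions made for this sketch.

```c
#include <ctype.h>
#include <stddef.h>

/* Case-insensitive wildcard match. '*' matches any run of characters
   except a backslash; '?' matches one non-backslash character. */
static int wild_match(const char *mask, const char *text)
{
    for (; *mask; ++mask, ++text) {
        if (*mask == '*') {
            while (mask[1] == '*') ++mask;          /* collapse "**" */
            for (;; ++text) {
                if (wild_match(mask + 1, text)) return 1;
                if (*text == '\0' || *text == '\\') return 0;
            }
        }
        if (*text == '\0') return 0;
        if (*mask == '?') { if (*text == '\\') return 0; continue; }
        if (tolower((unsigned char)*mask) != tolower((unsigned char)*text))
            return 0;
    }
    return *text == '\0';
}

/* Returns 1 when the trailing components of full_path match a relative
   mask such as "MyApps\\*.exe". Matching starts only right after a
   backslash, so "MyApps" does not match a folder named "NotMyApps". */
int path_matches_relative_mask(const char *full_path, const char *mask)
{
    const char *p;
    while (*mask == '\\') ++mask;                   /* accept "\MyApps\*.exe" */
    if (*mask == '\0') return 0;
    for (p = full_path; *p; ++p)
        if (*p == '\\' && wild_match(mask, p + 1)) return 1;
    return 0;
}

/* Use inside the hook DLL (Windows only, not compiled here):
 *   case DLL_PROCESS_ATTACH:
 *       GetModuleFileNameA(NULL, path, MAX_PATH);   // full path of host EXE
 *       if (!path_matches_relative_mask(path, mask))
 *           return TRUE;                            // install no hooks, sit idle
 */
```

The mask string can come from the external configuration file mentioned earlier in the thread, since the comparison happens in user mode inside the DLL rather than in the driver.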

