Driver InjectLibrary from folder

c++ / delphi package - dll injection and api hooking
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Driver InjectLibrary from folder

Post by ameetmalekar »

I am trying to call InjectLibraryA (injection driver) in a C++ exe, InJDrv.exe, with the include mask having the full path of the target exe (in which the dll is going to be injected). But when I execute InJDrv.exe it crashes.

Exe crashes on InjectLibraryA function.

It fails for
InjectLibraryA("TestInjectionDriver","Hook32.dll",-2,true,"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE",NULL,NULL,7000);
OR
InjectLibraryA("TestInjectionDriver","Hook32.dll",-2,true,"C:\\Program Files (x86)\\Internet Explorer\\*.EXE",NULL,NULL,7000);

It works if I give only the exe name.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Driver InjectLibrary from folder

Post by madshi »

Did you call InitializeMadCHook() before calling InjectLibraryA()?
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Driver InjectLibrary from folder

Post by ameetmalekar »

Seems there was some issue with project setting. Created fresh project and now it is working.
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Driver InjectLibrary from folder

Post by ameetmalekar »

I am facing another issue.
I need to inject a dll by "path mask" from the driver. Is there any way to give the path mask as a relative path instead of a full path?

It works if I give the path mask as "C:\Program Files\MyApps\*.exe"
But it does not work if the path in the "path mask" is relative, such as "MyApps\*.exe" or "\MyApps\*.exe"

We do not know where the MyApps application is installed on target PCs (in C:\Program Files or D:\Program Files or any other custom location).
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Driver InjectLibrary from folder

Post by madshi »

Good question. I'm not fully sure what the string comparison routines will do with a relative path. Never tried that. Have you tried if it works?
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Driver InjectLibrary from folder

Post by ameetmalekar »

Yes, I tried with relative path (or full path substring) but it is not working. It only works on full path or only exe name.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Driver InjectLibrary from folder

Post by madshi »

Oh well. I guess you can try to find out the full path in user mode? Shouldn't be too hard. Most applications have their paths stored in the registry somewhere.

I'm not sure if I should change the string parsing routines just for one customer. You're the first customer ever asking for this. Changing the routines can introduce regressions... :(
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: Driver InjectLibrary from folder

Post by ameetmalekar »

Before raising this with you, we already gave a thought to using the registry as a solution, but it will only work for a known target application pool.
Meanwhile there are certain executables which are not installed and are just copied onto the system, or which do not have any installation path in the registry.

The reasons we need to use relative paths as path masks are:
  • Path masks can be written in an external configuration file.
  • Target applications may have different methods to get the absolute path, so if the target application changes we need to recompile code.
  • We came across some portable target applications which do not have any registry entry, but their folder name (relative path) is always the same.

Currently we are using our own driver, but for stability and maintenance purposes we thought of shifting to the Madshi driver. We suggest it as a "good to have" feature to increase productivity on a wider scale.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Driver InjectLibrary from folder

Post by madshi »

Well, I usually require at least 3 independent users to ask for a specific feature before I consider adding it. Nobody else has ever asked me for support for relative paths, so I have my doubts if there's any real demand for that. Isn't filtering by EXE name good enough?

You could filter by EXE name, and then in DllMain(PROCESS_ATTACH) check in more detail if you want the current process to be hooked. If not, you can skip all of DllMain and let the DLL sit idle in the process. Shouldn't harm?
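The detailed check suggested in the last reply, as an added example (not madCodeHook code and not posted by anyone in the thread): the driver filters by EXE name only, and the injected DLL then compares the trailing components of its host process path against a relative mask such as MyApps\*.exe. The names wildMatch and matchesRelativeMask are hypothetical, and the host path is assumed to come from GetModuleFileNameA(NULL, ...) on Windows.

```cpp
// Added example: portable path check for use inside an injected DLL.
// Assumption: on Windows the caller gets the host EXE path with
// GetModuleFileNameA(NULL, buf, MAX_PATH) in DllMain (DLL_PROCESS_ATTACH)
// and skips hook setup when matchesRelativeMask() returns false.
#include <cctype>
#include <string>

// Case-insensitive wildcard match. '*' matches any run of characters and
// '?' one character, but neither crosses a '\\' path separator.
static bool wildMatch(const char* m, const char* s) {
    for (; *m; ++m, ++s) {
        if (*m == '*') {
            // Try every length for '*', stopping at a separator or the end.
            for (const char* t = s; ; ++t) {
                if (wildMatch(m + 1, t)) return true;
                if (*t == '\0' || *t == '\\') return false;
            }
        }
        if (*s == '\0') return false;
        if (*m == '?') {
            if (*s == '\\') return false;
            continue;
        }
        if (std::tolower((unsigned char)*m) != std::tolower((unsigned char)*s))
            return false;
    }
    return *s == '\0';
}

// True when the trailing components of fullPath match relMask, for example
// "D:\\Program Files\\MyApps\\tool.exe" against "MyApps\\*.exe".
// A leading '\\' in the mask is ignored (hypothetical convention).
bool matchesRelativeMask(const std::string& fullPath, std::string relMask) {
    while (!relMask.empty() && relMask[0] == '\\') relMask.erase(0, 1);
    if (relMask.empty()) return false;
    // Compare only at component boundaries, so "XMyApps" never matches.
    std::string::size_type sep = fullPath.find('\\');
    while (sep != std::string::npos) {
        if (wildMatch(relMask.c_str(), fullPath.c_str() + sep + 1)) return true;
        sep = fullPath.find('\\', sep + 1);
    }
    return false;
}
```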