InjectLibrary fails when injecting session/systemwide

c++ / delphi package - dll injection and api hooking

Postby Davita » Thu Jul 14, 2016 1:32 am

Hi madshi

I configured the injection drivers and windows to disable driver signature enforcement. The driver loads fine. IsInjectionDriverRunning returns true. InjectLibrary also works when injecting into a single process. However, as soon as I try to inject with CURRENT_SESSION/ALL_SESSIONS it fails. I'm running the app as administrator.

Here are my specs:
Windows 10 x64 running with disabled driver signature enforcement. I didn't sign the driver, but it loads just fine.
Latest version of madCodeHook downloaded from your site.
VC 2015

Is there any way to debug the problem? GetLastError returns 0.

Thanks

P.S. I'm calling InitializeMadCHook before doing code hook stuff :)
Davita
 
Posts: 161
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby madshi » Thu Jul 14, 2016 7:54 am

You need to create a new driver (copy from original untouched driver, then configure it) every time you recompile your hook dll(s). Did you do that?
madshi
Site Admin
 
Posts: 9472
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby Davita » Thu Jul 14, 2016 9:13 am

Hi madshi

Yes sure, I did that. Also forgot to mention that 32 & 64 bit hook dlls are both in system32 and syswow64 folders.

Thanks :)
Davita
 
Posts: 161
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby madshi » Thu Jul 14, 2016 9:21 am

The hook dlls don't need to be in system32/syswow64. I'd recommend to keep them in your application folder so system32/syswow64 stay clean(er).

It's hard for me to say what's going wrong here. I've personally never tested with unsigned drivers and configuring Windows to not force signed drivers. I'm always signing the drivers and it works fine for me. Why don't you sign the drivers?

One thing you could try is run one of the precompiled demos, e.g. this one:

http://madshi.net/PrintMonitor.zip

Does this one work, as it is (compiled and signed by me)? If so, madCodeHook generally seems to work on your PC. The problem must be somewhere in the lack of signature then, or something similar.
madshi
Site Admin
 
Posts: 9472
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby Davita » Thu Jul 14, 2016 9:45 am

Thanks madshi, I will try it soon.
Although I'm sure the previous version worked without a problem, although I don't remember the exact version.
I'm not using a certificate because I'm in dev phase; I was planning to purchase it when I'm ready to release the product.
Do you know if a self-signed certificate works, if that's an issue?

Thanks again for your support :)
Davita
 
Posts: 161
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby madshi » Thu Jul 14, 2016 10:37 am

I don't know about self signed certificate, I've never tried that.
madshi
Site Admin
 
Posts: 9472
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby Davita » Thu Jul 14, 2016 10:57 am

Madshi, I'm not sure, maybe I'm doing something wrong, but the demo you provided didn't work. I unzipped it and ran PrintMonitor64 or PrintMonitor32. Even though I don't get any error message, no dll is being injected anywhere (not in 64 bit processes and not in 32 bit processes either). Trying to print through PDF and XPS print drivers didn't trigger anything. Please see the attached screenshot. I'd really appreciate your help :(

Thanks again
Attachment: Untitled.jpg (182.56 KiB)
Davita
 
Posts: 161
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby madshi » Thu Jul 14, 2016 11:23 am

Maybe you have some sort of anti-virus or anti-something software running which blocks the dlls from being injected? If that's not the issue, then try giving NTFS read/execute rights to the hook dlls for "Everyone". Also try moving it to a non-user specific location, just to be safe.
madshi
Site Admin
 
Posts: 9472
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby Davita » Thu Jul 14, 2016 12:00 pm

Thanks madshi.
No I'm not running any AV or other security software. I even disabled Windows Defender.
The folder has full permission for Everyone and it's outside user's specific location.
I also tried it with Windows 7 32 bit, but it also didn't work. Nothing was injected.
Strange thing is that, in case of failed injection attempt, there's a code for throwing an error message in PrintForm.pas, but nothing is showing up...

Code:
  if not InjectLibrary(CDriverName, 'HookPrintAPIs32.dll', ALL_SESSIONS, true, 'Project1.exe') then
  begin
    // if you want your stuff to run in under-privileges user accounts, too,
    // you have to do write a little service for the NT family
    // an example for that can be found in the "HookProcessTermination" demo
    MessageBox(Handle, 'only users with administrator privileges can run this demo', 'information...', MB_ICONINFORMATION);
    ExitProcess(0);
  end;


InjectLibrary returns true, but no dll is being injected..?
I'm not blaming madCodeHook madshi, I had perfect experience with it, just trying to find the issue :D
I'm still thinking I'm missing something, but ran out of ideas.

The only thing is that I'm running the demos inside a VM, but I don't think that could be an issue. Actually, I'll try to run your demo from the host OS and post the result...
Davita
 
Posts: 161
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby madshi » Thu Jul 14, 2016 12:03 pm

VM should not be a problem. FWIW, your screenshot still shows a Windows Defender DLL loaded in chrome.

Anyway, I've not received any complaints at all about injection with the latest madCodeHook build yet. It seems to work well for all users. So I'm not sure what's going on here. Have you tried rebooting the VM?
madshi
Site Admin
 
Posts: 9472
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby Davita » Thu Jul 14, 2016 12:11 pm

Yes madshi, I tried rebooting it. I also tried it with host OS (Win 10 x64 Home Edition) and it didn't work here as well. Just to be clear, are there any steps that I need to do before running the demo..?
p.s. the screenshot was taken before I disabled win defender. :)

p.s. is there any way to debug the problem? Something like GetLastError for madCodeHook?
Davita
 
Posts: 161
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby madshi » Thu Jul 14, 2016 12:32 pm

Argh. Sorry, it's all my fault!! :cry:

For debug purposes I had changed the DLL injection in the PrintMonitor demo to be limited to "Project1.exe". And stupid as I am, I forgot to remove this limitation when I recently recompiled and reuploaded it.

I've now recompiled it again without this limitation. Please try this new build, it should work now:

http://madshi.net/PrintMonitor.zip

Sorry again for this stupid mistake.
madshi
Site Admin
 
Posts: 9472
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby Davita » Thu Jul 14, 2016 12:57 pm

Haha, no problem madshi, it worked. :)
I thought Project1.exe was exclusion process... :)
never mind though.

So your demo is working, mine doesn't. Maybe you know some debugging tricks I don't? Something like GetLastError for madCodeHook :)

Thanks again
Davita
 
Posts: 161
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby Davita » Thu Jul 14, 2016 1:18 pm

Forgot to mention that I managed to make madCodeHook work without a valid cert signature once. But as I said, it was a previous version, but >ver 3. So if you didn't modify/implement cert validation routines, I'm sure it should work this time as well. Just trying to figure out the problem. If nothing helps I'll purchase the certificate, but still, I'd prefer to not pay 300$+ for dev purposes :(
Davita
 
Posts: 161
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Postby madshi » Thu Jul 14, 2016 1:22 pm

Well, you could try using the PrintMonitor demo, and just replace the driver with your own. Does it still work? If not, the demo is supposed to complain, which should at least tell us which API fails.
madshi
Site Admin
 
Posts: 9472
Joined: Sun Mar 21, 2004 5:25 pm
