InjectLibrary fails when injecting session/systemwide

c++ / delphi package - dll injection and api hooking
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

InjectLibrary fails when injecting session/systemwide

Post by Davita »

Hi madshi

I configured the injection drivers and windows to disable driver signature enforcement. The driver loads fine. IsInjectionDriverRunning returns true. InjectLibrary also works when injecting into a single process. However, as soon as I try to inject with CURRENT_SESSION/ALL_SESSIONS it fails. I'm running the app as administrator.

Here are my specs:
Windows 10 x64 running with disabled driver signature enforcement. I didn't sign the driver, but it loads just fine.
Latest version of madCodeHook downloaded from your site.
VC 2015

Is there any way to debug the problem? GetLastError returns 0.

Thanks

P.S. I'm calling InitializeMadCHook before doing code hook stuff :)
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by madshi »

You need to create a new driver (copy from original untouched driver, then configure it) every time you recompile your hook dll(s). Did you do that?
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by Davita »

Hi madshi

Yes, sure, I did that. I also forgot to mention that the 32 & 64 bit hook dlls are both in the system32 and syswow64 folders.

Thanks :)
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by madshi »

The hook dlls don't need to be in system32/syswow64. I'd recommend to keep them in your application folder so system32/syswow64 stay clean(er).

It's hard for me to say what's going wrong here. I've personally never tested with unsigned drivers and configuring Windows to not force signed drivers. I'm always signing the drivers and it works fine for me. Why don't you sign the drivers?

One thing you could try is run one of the precompiled demos, e.g. this one:

http://madshi.net/PrintMonitor.zip

Does this one work, as it is (compiled and signed by me)? If so, madCodeHook generally seems to work on your PC. The problem must be somewhere in the lack of signature then, or something similar.
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by Davita »

Thanks madshi, I will try it soon.
Although I'm sure the previous version worked without a problem, although I don't remember the exact version.
I'm not using a certificate because I'm in the dev phase; I was planning to purchase it when I'm ready to release the product.
Do you know if a self-signed certificate works, if that's an issue?

Thanks again for your support :)
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by madshi »

I don't know about self signed certificate, I've never tried that.
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by Davita »

Madshi, I'm not sure, maybe I'm doing something wrong, but the demo you provided didn't work. I unzipped it and ran PrintMonitor64 or PrintMonitor32. Even though I don't get any error message, no dll is being injected anywhere (not in 64 bit processes and not in 32 bit processes either). Trying to print through the PDF and XPS print drivers didn't trigger anything. Please see the attached screenshot. I'd really appreciate your help :(

Thanks again
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by madshi »

Maybe you have some sort of anti-virus or anti-something software running which blocks the dlls from being injected? If that's not the issue, then try giving NTFS read/execute rights to the hook dlls for "Everyone". Also try moving it to a non-user specific location, just to be safe.
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by Davita »

Thanks madshi.
No, I'm not running any AV or other security software. I even disabled Windows Defender.
The folder has full permission for Everyone and it's outside user's specific location.
I also tried it with Windows 7 32 bit, but it also didn't work. Nothing was injected.
Strange thing is that, in case of failed injection attempt, there's a code for throwing an error message in PrintForm.pas, but nothing is showing up...

Code:

  if not InjectLibrary(CDriverName, 'HookPrintAPIs32.dll', ALL_SESSIONS, true, 'Project1.exe') then
  begin
    // if you want your stuff to run in under-privileged user accounts, too,
    // you have to write a little service for the NT family
    // an example for that can be found in the "HookProcessTermination" demo
    MessageBox(Handle, 'only users with administrator privileges can run this demo', 'information...', MB_ICONINFORMATION);
    ExitProcess(0);
  end;

InjectLibrary returns true, but no dll is being injected..?
I'm not blaming madCodeHook, madshi, I had a perfect experience with it, just trying to find the issue :D
I'm still thinking I'm missing something, but ran out of ideas.

The only thing is that I'm running the demos inside a VM, but I don't think that could be an issue. Actually, I'll try to run your demo from the host OS and post the result...
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by madshi »

VM should not be a problem. FWIW, your screenshot still shows a Windows Defender DLL loaded in chrome.

Anyway, I've not received any complaints at all about injection with the latest madCodeHook build yet. It seems to work well for all users. So I'm not sure what's going on here. Have you tried rebooting the VM?
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by Davita »

Yes madshi, I tried rebooting it. I also tried it with the host OS (Win 10 x64 Home Edition) and it didn't work there either. Just to be clear, are there any steps that I need to do before running the demo..?
P.S. The screenshot was taken before I disabled Windows Defender. :)

P.S. Is there any way to debug the problem? Something like GetLastError for madCodeHook?
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by madshi »

Argh. Sorry, it's all my fault!! :cry:

For debug purposes I had changed the DLL injection in the PrintMonitor demo to be limited to "Project1.exe". And stupid as I am, I forgot to remove this limitation when I recently recompiled and reuploaded it.

I've now recompiled it again without this limitation. Please try this new build, it should work now:

http://madshi.net/PrintMonitor.zip

Sorry again for this stupid mistake.
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by Davita »

Haha, no problem madshi, it worked. :)
I thought Project1.exe was an exclusion process... :)
Never mind though.

So your demo is working, mine doesn't. Maybe you know some debugging tricks I don't? Something like GetLastError for madCodeHook :)

Thanks again
Davita
Posts: 163
Joined: Tue Sep 13, 2005 7:31 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by Davita »

Forgot to mention that I managed to make madCodeHook work without a valid cert signature once. But as I said, it was a previous version, but > ver 3. So if you didn't modify/implement cert validation routines, I'm sure it should work this time as well. Just trying to figure out the problem. If nothing helps I'll purchase the certificate, but still, I'd prefer to not pay 300$+ for dev purposes :(
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary fails when injecting session/systemwide

Post by madshi »

Well, you could try using the PrintMonitor demo, and just replace the driver with your own. Does it still work? If not, the demo is supposed to complain, which should at least tell us which API fails.