How to get includemask/excludemask ?

c++ / delphi package - dll injection and api hooking
remko
Posts: 6
Joined: Tue Jan 31, 2017 2:20 pm

How to get includemask/excludemask ?

Post by remko »

When using InstallInjectionDriver to install the injection driver permanently I assume it still observes includeMask/excludeMask as specified by InjectLibrary?
So if we only need to specify this once, where is this information stored and how can we see what's currently configured?

The reason for the ask is that I'd like to have different configurations but with one driver:
e.g. Inject DLL A into process X and Inject DLL B into process Y. But some users might want only DLL A, some only DLL B and some A+B.
When an install has been done for DLL A and later on for DLL B I don't want to overwrite it.

So perhaps it's possible to obtain the current injection settings and modify the includeMask rather than overwrite it?
madshi
Site Admin
Posts: 10338
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to get includemask/excludemask ?

Post by madshi »

Are you talking about "permanent" injection, which is a new feature of madCodeHook 4.0? If so, permanent injection requests are stored in the registry, and the driver reads that information when the OS boots.

Non-permanent injection requests have to be re-issued after every OS boot. These injection requests are stored by the injection driver in RAM, only.

Currently there's no way to change an include or exclude mask. You can only uninject with the old include/exclude mask and then reinject with a new mask.
remko
Posts: 6
Joined: Tue Jan 31, 2017 2:20 pm

Re: How to get includemask/excludemask ?

Post by remko »

Yes, I was indeed talking about permanent and assumed it was registry, but I was unable to see what key it is in. Is it possible to change the registry key and effectuate it by stopping/starting the driver? Obviously that would be for new processes only...
madshi
Site Admin
Posts: 10338
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to get includemask/excludemask ?

Post by madshi »

You can use "SetMadCHookOption(INJECT_INTO_RUNNING_PROCESSES, NULL)" + "SetMadCHookOption(UNINJECT_FROM_RUNNING_PROCESSES, NULL)", and then call UninjectLibrary + InjectLibrary. This will effectively just change the driver include/exclude mask, and not touch any running processes.
remko
Posts: 6
Joined: Tue Jan 31, 2017 2:20 pm

Re: How to get includemask/excludemask ?

Post by remko »

Can you tell me what registry key is used to store the mask? I'd prefer not to reconfigure if configuration is already correct...

I can of course store it myself somewhere, but the risk is that it will get out of sync.
madshi
Site Admin
Posts: 10338
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to get includemask/excludemask ?

Post by madshi »

It's stored in the registry key of your driver. I'm not sure right now about the exact path, off the top of my head. Probably it's HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\YourDriverName? Would have to do a permanent injection myself right now and then search for it to know for sure. Each driver gets a private registry folder/path in its "DriverEntry" function. I never bothered to check where exactly this ends up being located.