How to get includemask/excludemask ?

c++ / delphi package - dll injection and api hooking

Post by remko » Sun Feb 19, 2017 10:51 am

When using InstallInjectionDriver to install the injection driver permanently I assume it still observes includeMask/excludeMask as specified by InjectLibrary?
So if we only need to specify this once, where is this information stored and how can we see what's currently configured?

The reason for the ask is that I'd like to have different configuration but with one driver:
e.g. inject DLL A into process X and inject DLL B into process Y. But some users might want only DLL A, some only DLL B and some A+B.
When an install has been done for DLL A and later on for DLL B I don't want to overwrite it.

So perhaps it's possible to obtain the current injection settings and modify the includeMask rather than overwrite it?
remko
 
Posts: 3
Joined: Tue Jan 31, 2017 2:20 pm

Re: How to get includemask/excludemask ?

Post by madshi » Wed Feb 22, 2017 2:40 pm

Are you talking about "permanent" injection, which is a new feature of madCodeHook 4.0? If so, permanent injection requests are stored in the registry, and the driver reads that information when the OS boots.

Non-permanent injection requests have to be re-issued after every OS boot. These injection requests are stored by the injection driver in RAM, only.

Currently there's no way to change an include or exclude mask. You can only uninject with the old include/exclude mask and then reinject with a new mask.
madshi
Site Admin
 
Posts: 9387
Joined: Sun Mar 21, 2004 5:25 pm

Re: How to get includemask/excludemask ?

Post by remko » Mon Mar 13, 2017 10:20 am

Yes, I was indeed talking about permanent and assumed it was the registry, but I was unable to see what key it is in. Is it possible to change the registry key and effectuate it by stopping/starting the driver? Obviously that would be for new processes only...

Re: How to get includemask/excludemask ?

Post by madshi » Mon Mar 13, 2017 10:58 am

You can use "SetMadCHookOption(INJECT_INTO_RUNNING_PROCESSES, NULL)" + "SetMadCHookOption(UNINJECT_FROM_RUNNING_PROCESSES, NULL)", and then call UninjectLibrary + InjectLibrary. This will effectively just change the driver include/exclude mask, and not touch any running processes.

Re: How to get includemask/excludemask ?

Post by remko » Mon Mar 13, 2017 12:15 pm

Can you tell me what registry key is used to store the mask? I'd prefer not to reconfigure if configuration is already correct...

I can of course store it myself somewhere, but the risk is that it will get out of sync.

Re: How to get includemask/excludemask ?

Post by madshi » Mon Mar 13, 2017 1:00 pm

It's stored in the registry key of your driver. I'm not sure right now about the exact path, off the top of my head. Probably it's HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\YourDriverName? I would have to do a permanent injection myself right now and then search for it to know for sure. Each driver gets a private registry folder/path in its "DriverEntry" function. I never bothered to check where exactly this ends up being located.
