How to get includemask/excludemask ?

Posted: Sun Feb 19, 2017 10:51 am
by remko
When using InstallInjectionDriver to install the injection driver permanently I assume it still observes includeMask/excludeMask as specified by InjectLibrary?
So if we only need to specify this once, where is this information stored and how can we see what's currently configured?

The reason for asking is that I'd like to have different configurations but with one driver:
e.g. inject DLL A into process X and inject DLL B into process Y. But some users might want only DLL A, some only DLL B and some A+B.
When an install has been done for DLL A and later on for DLL B I don't want to overwrite it.

So perhaps it's possible to obtain the current injection settings and modify the includeMask rather than overwrite it?

Re: How to get includemask/excludemask ?

Posted: Wed Feb 22, 2017 2:40 pm
by madshi
Are you talking about "permanent" injection, which is a new feature of madCodeHook 4.0? If so, permanent injection requests are stored in the registry, and the driver reads that information when the OS boots.

Non-permanent injection requests have to be re-issued after every OS boot. These injection requests are stored by the injection driver in RAM, only.

Currently there's no way to change an include or exclude mask. You can only uninject with the old include/exclude mask and then reinject with a new mask.

Re: How to get includemask/excludemask ?

Posted: Mon Mar 13, 2017 10:20 am
by remko
Yes, I was indeed talking about permanent and assumed it was the registry, but I was unable to see what key it is in. Is it possible to change the registry key and effectuate it by stopping/starting the driver? Obviously that would be for new processes only...

Re: How to get includemask/excludemask ?

Posted: Mon Mar 13, 2017 10:58 am
by madshi
You can use "SetMadCHookOption(INJECT_INTO_RUNNING_PROCESSES, NULL)" + "SetMadCHookOption(UNINJECT_FROM_RUNNING_PROCESSES, NULL)", and then call UninjectLibrary + InjectLibrary. This will effectively just change the driver include/exclude mask, and not touch any running processes.

Re: How to get includemask/excludemask ?

Posted: Mon Mar 13, 2017 12:15 pm
by remko
Can you tell me what registry key is used to store the mask? I'd prefer not to reconfigure if the configuration is already correct...

I can of course store it myself somewhere, but the risk is that it will get out of sync.

Re: How to get includemask/excludemask ?

Posted: Mon Mar 13, 2017 1:00 pm
by madshi
It's stored in the registry key of your driver. I'm not sure right now about the exact path, off the top of my head. Probably it's HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\YourDriverName? Would have to do a permanent injection myself right now and then search for it to know for sure. Each driver gets a private registry folder/path in its "DriverEntry" function. I never bothered to check where exactly this ends up being located.
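
One way to do the search described in the last post (snapshot the driver's service key, issue a permanent injection request, compare), as an added example that is not part of the thread or of madCodeHook. The key path is the guess from the post above with YourDriverName as a placeholder, and nothing is assumed about the value names the driver writes.

```python
"""Snapshot a driver's service key tree and diff two snapshots (added example)."""
import sys

# Assumption: the path guessed in the thread; "YourDriverName" is a placeholder.
SERVICE_KEY = r"System\CurrentControlSet\Services\YourDriverName"


def snapshot(subkey=SERVICE_KEY):
    """Return {"sub\\key\\valuename": (type, data)} for every value under HKLM\\subkey."""
    import winreg  # Windows-only; imported lazily so diff() can be used anywhere

    result = {}

    def walk(path, rel):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            return  # missing key or access denied: nothing to record
        with key:
            n_subkeys, n_values, _ = winreg.QueryInfoKey(key)
            for i in range(n_values):
                name, data, vtype = winreg.EnumValue(key, i)
                result[rel + name] = (vtype, data)
            children = [winreg.EnumKey(key, i) for i in range(n_subkeys)]
        for child in children:
            walk(path + "\\" + child, rel + child + "\\")

    walk(subkey, "")
    return result


def diff(before, after):
    """Report values added, removed or changed between two snapshots."""
    return {
        "added": {k: after[k] for k in after.keys() - before.keys()},
        "removed": {k: before[k] for k in before.keys() - after.keys()},
        "changed": {k: (before[k], after[k])
                    for k in before.keys() & after.keys() if before[k] != after[k]},
    }


if __name__ == "__main__" and sys.platform == "win32":
    baseline = snapshot()
    input("Issue the permanent injection request now, then press Enter...")
    for kind, entries in diff(baseline, snapshot()).items():
        for name, value in sorted(entries.items()):
            print(kind, name, value)
```

Keeping the snapshot from a known-good install also gives a baseline to compare against later, which addresses the out-of-sync concern raised earlier in the thread.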