ClipUp.exe error

c++ / delphi package - dll injection and api hooking

ClipUp.exe error

Postby dudul » Tue Mar 20, 2018 1:37 pm

Hi,
I'm getting an error when the process "c:\windows\System32\ClipUp.exe" runs (the windows activation uses this process).
My dll skipped the hook when this runs, but I still get this error.
The error is ClipUp.exe error which refer to my hook dll (see the attached image).

Please advise.
Thank you in advance
Attachments
madshi.png
madshi.png (24.59 KiB) Viewed 2705 times
dudul
 
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Postby dudul » Tue Mar 20, 2018 1:49 pm

Windows 10 PRO X64 - 1709
dudul
 
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Postby madshi » Tue Mar 20, 2018 1:51 pm

Which exact madCodeHook version are you using?

Does the same problem occur with the PrintMonitor demo (compiled and signed by me)?

http://madshi.net/PrintMonitor.zip
madshi
Site Admin
 
Posts: 9830
Joined: Sun Mar 21, 2004 5:25 pm

Re: ClipUp.exe error

Postby dudul » Tue Mar 20, 2018 2:38 pm

I'm using madCodeHook 3.1.17 (I checked it with 3.1.16 too).

It happened with your PrintMonitor.zip too (see the attached image).
Attachments
madshi2.png
madshi2.png (27.91 KiB) Viewed 2700 times
dudul
 
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Postby madshi » Tue Mar 20, 2018 2:42 pm

Interesting. Hmmmm... Can you reproduce this on a clean VM? Or does it only happen on one specific PC?
madshi
Site Admin
 
Posts: 9830
Joined: Sun Mar 21, 2004 5:25 pm

Re: ClipUp.exe error

Postby dudul » Tue Mar 20, 2018 2:48 pm

I can reproduce it easily, It happened on 4 out of 4 different Win 10 X64 Pcs (didn't try on X86 yet).
dudul
 
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Postby madshi » Tue Mar 20, 2018 2:53 pm

Ok, after some googling it seems that 0xc0000428 means "The digital signature for this file couldn't be verified". My best guess right now is that Microsoft only accepts DLLs to be loaded in ClipUp.exe which are signed by Microsoft. Does that make sense to you? I suppose one easy workaround would be to add "c:\windows\System32\ClipUp.exe" to the DLL injection exclusion list. Of course that's not nice at all, but I'm not sure what else we could do right now.

Any thoughts?
madshi
Site Admin
 
Posts: 9830
Joined: Sun Mar 21, 2004 5:25 pm

Re: ClipUp.exe error

Postby dudul » Tue Mar 20, 2018 3:07 pm

I see, I tried it, but still get this error
Currently I'm checking at the beginning of the DllMain function if the current process is "c:\windows\System32\ClipUp.exe" and return true if so (if no continue with the hook process).

Is there other way to exclude the process?
dudul
 
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Postby madshi » Tue Mar 20, 2018 3:08 pm

Yes! In the InjectLibrary() call there's a parameter where you can exclude specific processes from being injected.

(Please note that if you use this parameter, you also need to modify your UninjectLibrary() call in the same way.)
madshi
Site Admin
 
Posts: 9830
Joined: Sun Mar 21, 2004 5:25 pm

Re: ClipUp.exe error

Postby dudul » Tue Mar 20, 2018 3:20 pm

Thanks, I'll try and update you asap
dudul
 
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Postby dudul » Tue Mar 20, 2018 4:07 pm

It works, thank you very much.

One more question about the uninject function:
Currently I'm using "UninjectAllLibrariesW" and pass it only the driver name.
Do I need to switch to "UninjectLibraryW" or can I keep use "UninjectAllLibrariesW"?
dudul
 
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Postby madshi » Tue Mar 20, 2018 4:36 pm

That's fine, you can keep using UninjectAllLibrariesW.
madshi
Site Admin
 
Posts: 9830
Joined: Sun Mar 21, 2004 5:25 pm


Return to madCodeHook

Who is online

Users browsing this forum: madshi and 13 guests