Page 1 of 1

ClipUp.exe error

PostPosted: Tue Mar 20, 2018 1:37 pm
by dudul
Hi,
I'm getting an error when the process "c:\windows\System32\ClipUp.exe" runs (the windows activation uses this process).
My dll skipped the hook when this runs, but I still get this error.
The error is ClipUp.exe error which refer to my hook dll (see the attached image).

Please advise.
Thank you in advance

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 1:49 pm
by dudul
Windows 10 PRO X64 - 1709

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 1:51 pm
by madshi
Which exact madCodeHook version are you using?

Does the same problem occur with the PrintMonitor demo (compiled and signed by me)?

http://madshi.net/PrintMonitor.zip

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 2:38 pm
by dudul
I'm using madCodeHook 3.1.17 (I checked it with 3.1.16 too).

It happened with your PrintMonitor.zip too (see the attached image).

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 2:42 pm
by madshi
Interesting. Hmmmm... Can you reproduce this on a clean VM? Or does it only happen on one specific PC?

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 2:48 pm
by dudul
I can reproduce it easily, It happened on 4 out of 4 different Win 10 X64 Pcs (didn't try on X86 yet).

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 2:53 pm
by madshi
Ok, after some googling it seems that 0xc0000428 means "The digital signature for this file couldn't be verified". My best guess right now is that Microsoft only accepts DLLs to be loaded in ClipUp.exe which are signed by Microsoft. Does that make sense to you? I suppose one easy workaround would be to add "c:\windows\System32\ClipUp.exe" to the DLL injection exclusion list. Of course that's not nice at all, but I'm not sure what else we could do right now.

Any thoughts?

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 3:07 pm
by dudul
I see, I tried it, but still get this error
Currently I'm checking at the beginning of the DllMain function if the current process is "c:\windows\System32\ClipUp.exe" and return true if so (if no continue with the hook process).

Is there other way to exclude the process?

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 3:08 pm
by madshi
Yes! In the InjectLibrary() call there's a parameter where you can exclude specific processes from being injected.

(Please note that if you use this parameter, you also need to modify your UninjectLibrary() call in the same way.)

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 3:20 pm
by dudul
Thanks, I'll try and update you asap

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 4:07 pm
by dudul
It works, thank you very much.

One more question about the uninject function:
Currently I'm using "UninjectAllLibrariesW" and pass it only the driver name.
Do I need to switch to "UninjectLibraryW" or can I keep use "UninjectAllLibrariesW"?

Re: ClipUp.exe error

PostPosted: Tue Mar 20, 2018 4:36 pm
by madshi
That's fine, you can keep using UninjectAllLibrariesW.