IsInjectionDriverInstalled returns TRUE incorrectly


Postby _NN_ » Sun Jul 15, 2018 10:35 am

I don't see a driver in WinObj , but IsInjectionDriverInstalled returns TRUE.

Re: IsInjectionDriverInstalled returns TRUE incorrectly

Postby _NN_ » Sun Jul 15, 2018 10:49 am

I think I got it.
When there is any process with injected dll, this function returns TRUE, but it is not possible to stop the driver since the dll is still loaded.

With the current API it is hard to understand that this is what happens.

The flow is:

IsInjectionDriverInstalled
InstallInjectionDriver
InjectLibraryW (dll is loaded in some process)
StopInjectionDriver
UninstallInjectionDriver

Now if you run this flow again, IsInjectionDriverInstalled returns TRUE, InstallInjectionDriver will fail and StopInjectionDriver will fail too.
What is the correct way to work with the driver if I don't want to uninject my DLLs? It is dangerous to do this.

Re: IsInjectionDriverInstalled returns TRUE incorrectly

Postby madshi » Wed Jul 18, 2018 8:11 am

It's done this way for security reasons. I have many customers in the security business, and they usually don't want malware to be able to stop the driver. So one protection method is to reject any attempts to stop the driver while any DLL injection request is still active. So if you want to stop the driver, you have to deactivate all the injection requests first (again, you can use SetMadCHookOption() to make sure you only update the driver information without uninjecting from running processes).

However, if you don't care about protection from malware, you can change your "madConfigDrv.exe" parameters. There's an option there which allows you to configure the driver in such a way that it supports stopping even if there are still active injection requests.