IsInjectionDriverInstalled returns TRUE incorrectly

c++ / delphi package - dll injection and api hooking
_NN_
Posts: 55
Joined: Mon Jan 21, 2013 4:00 pm

IsInjectionDriverInstalled returns TRUE incorrectly

Post by _NN_ »

I don't see a driver in WinObj, but IsInjectionDriverInstalled returns TRUE.
_NN_
Posts: 55
Joined: Mon Jan 21, 2013 4:00 pm

Re: IsInjectionDriverInstalled returns TRUE incorrectly

Post by _NN_ »

I think I got it.
When there is any process with injected dll, this function returns TRUE, but it is not possible to stop the driver since the dll is still loaded.

With the current API it is hard to understand that this is what happens.

The flow is:

IsInjectionDriverInstalled
InstallInjectionDriver
InjectLibraryW (dll is loaded in some process)
StopInjectionDriver
UninstallInjectionDriver

Now if you run this flow again, IsInjectionDriverInstalled returns TRUE, InstallInjectionDriver will fail and StopInjectionDriver will fail too.
What is the correct way to work with the driver if I don't want to uninject my DLLs? It is dangerous to do this.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: IsInjectionDriverInstalled returns TRUE incorrectly

Post by madshi »

It's done this way for security reasons. I have many customers in the security business, and they usually don't want malware to be able to stop the driver. So one protection method is to reject any attempts to stop the driver while any DLL injection request is still active. So if you want to stop the driver, you have to deactivate all the injection requests first (again you can use SetMadCHookOption() to make sure you only update the driver information without uninjecting from running processes).

However, if you don't care about protection from malware, you can change your "madConfigDrv.exe" parameters. There's an option there which allows you to configure the driver in such a way that it supports stopping even if there are still active injection requests.