IsInjectionDriverInstalled returns TRUE incorrectly
I don't see a driver in WinObj, but IsInjectionDriverInstalled returns TRUE.
Re: IsInjectionDriverInstalled returns TRUE incorrectly
I think I got it.
When there is any process with an injected dll, this function returns TRUE, but it is not possible to stop the driver since the dll is still loaded.
With the current API it is hard to understand that this is what happens.
The flow is:
IsInjectionDriverInstalled
InstallInjectionDriver
InjectLibraryW (dll is loaded in some process)
StopInjectionDriver
UninstallInjectionDriver
Now if you run this flow again, IsInjectionDriverInstalled returns TRUE, InstallInjectionDriver will fail and StopInjectionDriver will fail too.
What is the correct way to work with the driver if I don't want to uninject my dlls? It is dangerous to do this.
Re: IsInjectionDriverInstalled returns TRUE incorrectly
It's done this way for security reasons. I have many customers in the security business, and they usually don't want malware to be able to stop the driver. So one protection method is to reject any attempts to stop the driver while any DLL injection request is still active. So if you want to stop the driver, you have to deactivate all the injection requests first (again you can use SetMadCHookOption() to make sure you only update the driver information without uninjecting from running processes).
However, if you don't care about protection from malware, you can change your "madConfigDrv.exe" parameters. There's an option there which allows you to configure the driver in such a way that it supports stopping even if there are still active injection requests.