
IsInjectionDriverInstalled returns TRUE incorrectly

Posted: Sun Jul 15, 2018 10:35 am
by _NN_
I don't see a driver in WinObj, but IsInjectionDriverInstalled returns TRUE.

Re: IsInjectionDriverInstalled returns TRUE incorrectly

Posted: Sun Jul 15, 2018 10:49 am
by _NN_
I think I got it.
When there is any process with injected dll, this function returns TRUE, but it is not possible to stop the driver since the dll is still loaded.

With the current API it is hard to understand that this is what happens.

The flow is:

IsInjectionDriverInstalled
InstallInjectionDriver
InjectLibraryW (dll is loaded in some process)
StopInjectionDriver
UninstallInjectionDriver

Now if you run this flow again, IsInjectionDriverInstalled returns TRUE, InstallInjectionDriver will fail and StopInjectionDriver will fail too.
What is the correct way to work with the driver if I don't want to uninject my dlls? It is dangerous to do this.

Re: IsInjectionDriverInstalled returns TRUE incorrectly

Posted: Wed Jul 18, 2018 8:11 am
by madshi
It's done this way for security reasons. I have many customers in the security business, and they usually don't want malware to be able to stop the driver. So one protection method is to reject any attempts to stop the driver while any DLL injection request is still active. So if you want to stop the driver, you have to deactivate all the injection requests first (again you can use SetMadCHookOption() to make sure you only update the driver information without uninjecting from running processes).

However, if you don't care about protection from malware, you can change your "madConfigDrv.exe" parameters. There's an option there which allows you to configure the driver in such a way that it supports stopping even if there are still active injection requests.
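As an added illustration, and not code from madCodeHook or from either poster: the C model below reproduces the driver lifecycle as this thread describes it. It mirrors the five-step flow from the second post and the stop-rejection rule from madshi's reply, using hypothetical `model_*` functions (the real library's signatures are not on the page and are not claimed here). The `allow_stop_with_active` flag stands in for the madConfigDrv.exe option, and `model_DeactivateRequestKeepDll` stands in for the SetMadCHookOption() path that deactivates a request without uninjecting; both are assumptions labelled as such in the comments.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the injection-driver lifecycle described in the
 * thread. This is not madCodeHook code; names mirror the API calls discussed. */
typedef struct {
    bool driver_running;          /* driver service is installed and started */
    int  active_requests;         /* injection requests the driver still tracks */
    int  processes_with_dll;      /* processes that still have the DLL loaded */
    bool allow_stop_with_active;  /* assumed stand-in for the madConfigDrv.exe option */
} DriverModel;

void model_init(DriverModel *d, bool allow_stop_with_active) {
    memset(d, 0, sizeof *d);
    d->allow_stop_with_active = allow_stop_with_active;
}

/* Observation from the first post: "installed" is also reported while any
 * injection request is still active, even when no driver object is visible. */
bool model_IsInjectionDriverInstalled(const DriverModel *d) {
    return d->driver_running || d->active_requests > 0;
}

bool model_InstallInjectionDriver(DriverModel *d) {
    if (model_IsInjectionDriverInstalled(d))
        return false;                 /* this is why the second run fails */
    d->driver_running = true;
    return true;
}

/* Injecting registers a request with the driver and loads the DLL. */
bool model_InjectLibrary(DriverModel *d) {
    if (!d->driver_running)
        return false;
    d->active_requests++;
    d->processes_with_dll++;
    return true;
}

/* Deactivate the request in the driver's bookkeeping only; the DLL stays
 * loaded. The thread says SetMadCHookOption() enables this behaviour; the
 * exact option is not on the page, so this is an assumed stand-in. */
void model_DeactivateRequestKeepDll(DriverModel *d) {
    if (d->active_requests > 0)
        d->active_requests--;
}

/* The protection rule from madshi's reply: stopping is rejected while any
 * injection request is active, unless the driver was configured to allow it. */
bool model_StopInjectionDriver(DriverModel *d) {
    if (!d->driver_running)
        return false;
    if (d->active_requests > 0 && !d->allow_stop_with_active)
        return false;
    d->driver_running = false;
    return true;
}

bool model_UninstallInjectionDriver(DriverModel *d) {
    return !d->driver_running;        /* assumed: must be stopped before uninstall */
}

/* Run the thread's five-step flow once; returns how many steps succeeded (0..5).
 * Each step is attempted regardless of earlier failures, as in the report. */
int model_run_flow(DriverModel *d) {
    int ok = 0;
    if (!model_IsInjectionDriverInstalled(d)) ok++;
    if (model_InstallInjectionDriver(d))      ok++;
    if (model_InjectLibrary(d))               ok++;
    if (model_StopInjectionDriver(d))         ok++;
    if (model_UninstallInjectionDriver(d))    ok++;
    return ok;
}

int main(void) {
    DriverModel d;

    /* Default protection: stop is rejected while a request is active. */
    model_init(&d, false);
    printf("protected, run 1: %d/5 steps ok\n", model_run_flow(&d));
    model_DeactivateRequestKeepDll(&d);       /* driver forgets the request, DLL stays */
    printf("stop after deactivating request: %s\n",
           model_StopInjectionDriver(&d) ? "ok" : "rejected");

    /* Driver configured to allow stopping with active requests. */
    model_init(&d, true);
    printf("permissive, run 1: %d/5 steps ok\n", model_run_flow(&d));
    printf("IsInjectionDriverInstalled with no driver running: %s\n",
           model_IsInjectionDriverInstalled(&d) ? "TRUE" : "FALSE");
    printf("permissive, run 2: %d/5 steps ok\n", model_run_flow(&d));
    return 0;
}
```

With the default rule, the first run gets through install and inject and is then stopped at StopInjectionDriver; deactivating the request (without uninjecting) is what makes the stop and uninstall succeed. With the permissive configuration the first run completes, but the still-active request keeps IsInjectionDriverInstalled returning TRUE with no driver running, so the second run's install and stop both fail, which is the situation reported in the second post.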