UninjectAllLibraries Problem

c++ / delphi package - dll injection and api hooking
marcusssong
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

UninjectAllLibraries Problem

Post by marcusssong »

Hello,

When I uninject a DLL with the 'UninjectAllLibraries' function, another driver's DLL gets uninjected.

I set up 4 drivers with different names using madConfigDrv.exe.

madCodeHook version: 4.1.2
OS: Windows 10 (1803, build 18134.523)

1. Copy the drivers
copy 'renameme32 (with version resource).sys' -> TestA/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestA/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestB/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestB/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestC/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestC/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestD/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestD/testX64.sys

2. Copy the DLLs
copy 'testX86.dll' -> TestA/testX86.dll
copy 'testX64.dll' -> TestA/testX64.dll
copy 'testX86.dll' -> TestB/testX86.dll
copy 'testX64.dll' -> TestB/testX64.dll
...

5. Set the driver name
madConfigDrv.exe TestA/testX86.dll TestA -unsafeStopAllowed
madConfigDrv.exe TestA/testX64.dll TestA -unsafeStopAllowed
madConfigDrv.exe TestB/testX86.dll TestB -unsafeStopAllowed
madConfigDrv.exe TestB/testX64.dll TestB -unsafeStopAllowed
...

6. Dual sign

7. Injection
inject TestD -> TestC -> TestB -> TestA

8. Check the injection with Process Explorer

9. Uninjection with UninjectAllLibrariesW
uninject TestA: TestD is uninjected.
uninject TestB: TestC is uninjected.
uninject TestC: TestB is uninjected.
uninject TestD: TestA is uninjected.

We are using the driver like this in each of our products.

Is there a driver name rule when uninjecting the DLL?

Thank you for your help.
madshi
Site Admin
Posts: 10365
Joined: Sun Mar 21, 2004 5:25 pm

Re: UninjectAllLibraries Problem

Post by madshi »

This is extremely weird.

The user mode library talks to the driver using the driver name you provided via a parameter. The user mode library then opens the driver by using CreateFile(\\.\driverName). So all communication between user mode and driver depends on which driver name you provide to the user mode APIs. I don't see any way the user mode library could even confuse the driver names. If you provide the user mode library with the "TestA" driver name, how could the user mode library possibly talk to the "TestB" driver? This would only work if the user mode library actually knew that a "TestB" driver existed. But it doesn't.

Are you 100% sure that your test was done correctly? I'm sorry to ask this question, but these test results don't make any sense to me...
marcusssong
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: UninjectAllLibraries Problem

Post by marcusssong »

I tested again but got the same result...

I attached a video I recorded.

Here is the injection.exe code:


// injection.exe: loads the madCodeHook driver whose name is given on the command
// line, then either injects the two test DLLs (-i) or uninjects them and stops
// the driver. Note that the DLL base names (testX86.dll / testX64.dll) are the
// same for every driver instance (TestA .. TestD); only the directory differs.
#include <windows.h>
#include <string>
#include "getopt_pp.h"   // GetOpt_pp command line parser
#include "madCHook.h"    // madCodeHook 4 user mode API

// Directory of the running executable, without trailing backslash.
// Assumed helper: the poster's own GetCurrentPath() is not shown in the thread.
static std::wstring GetCurrentPath()
{
    wchar_t szPath[ MAX_PATH ] = { 0, };
    GetModuleFileNameW( NULL, szPath, MAX_PATH );
    std::wstring sPath( szPath );
    size_t nPos = sPath.find_last_of( L'\\' );
    return ( nPos == std::wstring::npos ) ? sPath : sPath.substr( 0, nPos );
}

int main( int argc, char* argv[] )
{
    GetOpt::GetOpt_pp cls( argc, argv );
    bool bInjection = false;

    // Driver and DLL files live next to injection.exe (TestA\, TestB\, ...).
    wchar_t sDriverX86Path[ MAX_PATH ] = { 0, };
    wchar_t sDriverX64Path[ MAX_PATH ] = { 0, };
    wchar_t sDLLX86Path[ MAX_PATH ] = { 0, };
    wchar_t sDLLX64Path[ MAX_PATH ] = { 0, };
    std::wstring sCurrentPath = GetCurrentPath();

    swprintf_s( sDriverX86Path, MAX_PATH, L"%s\\testX86.sys", sCurrentPath.c_str() );
    swprintf_s( sDriverX64Path, MAX_PATH, L"%s\\testX64.sys", sCurrentPath.c_str() );
    swprintf_s( sDLLX86Path, MAX_PATH, L"%s\\testX86.dll", sCurrentPath.c_str() );
    swprintf_s( sDLLX64Path, MAX_PATH, L"%s\\testX64.dll", sCurrentPath.c_str() );

    // --driverName <name>: the name configured into the .sys with madConfigDrv.exe
    // (TestA .. TestD); every madCodeHook call below is keyed by this name.
    char szDriverName[ MAX_PATH ] = { 0, };
    cls >> GetOpt::Option( "driverName", szDriverName );
    if( szDriverName[ 0 ] == '\0' )
        return -1;

    // The W APIs take a wide string; %S converts the narrow argument.
    wchar_t wszDriverName[ MAX_PATH ] = { 0, };
    swprintf_s( wszDriverName, MAX_PATH, L"%S", szDriverName );

    // -i: inject; without it: uninject and stop the driver.
    cls >> GetOpt::OptionPresent( 'i', bInjection );

    if( IsInjectionDriverRunning( wszDriverName ) == FALSE )
        LoadInjectionDriver( wszDriverName, sDriverX86Path, sDriverX64Path );

    if( IsInjectionDriverRunning( wszDriverName ) == FALSE )
        return -1;

    if( bInjection == true )
    {
        DWORD dwOptions = 0;
        dwOptions |= INJECT_SYSTEM_PROCESSES;
        dwOptions |= INJECT_METRO_APPS;

        // Inject both bitnesses into all sessions; 7000 ms timeout.
        InjectLibraryW( wszDriverName, sDLLX86Path,
            ALL_SESSIONS, dwOptions, NULL, NULL,
            NULL, NULL, NULL, 7000 );

        InjectLibraryW( wszDriverName, sDLLX64Path,
            ALL_SESSIONS, dwOptions, NULL, NULL,
            NULL, NULL, NULL, 7000 );
    }
    else
    {
        // Removes every DLL this driver instance injected, then stops it.
        UninjectAllLibrariesW( wszDriverName, NULL, 7000 );
        StopInjectionDriver( wszDriverName );
    }

    return 0;
}
Thank you for your help.

https://drive.google.com/open?id=1SnB0_ ... sJzjhDk8ai
madshi
Site Admin
Posts: 10365
Joined: Sun Mar 21, 2004 5:25 pm

Re: UninjectAllLibraries Problem

Post by madshi »

I think the issue is *probably* caused by the dlls all having the same name but different file paths. Somewhere probably the difference in the file path gets lost. I'm not exactly sure where.

Can you double check if using different dll names works around the issue?
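A way to make step 8 of the reproduction unambiguous, and to test the hypothesis above that only the DLL base name survives somewhere: the following PowerShell script is an added example, not part of this thread and not madCodeHook's own tooling. It lists which copy of testX86.dll / testX64.dll each process actually has loaded, keyed by the module's full path (so TestA\testX86.dll and TestD\testX86.dll are counted separately), before and after each UninjectAllLibrariesW call. It assumes the file names and folder layout from the first post and an elevated PowerShell session.

```powershell
# Added example: report every process holding a module with one of the given base
# names, grouped by FULL path so identically named copies in TestA..TestD are
# told apart. Assumes the testX86.dll / testX64.dll names from the thread.
param(
    [string[]]$ModuleNames = @('testX86.dll', 'testX64.dll')
)

$hits = foreach ($proc in Get-Process) {
    try {
        # Throws for protected processes and across bitness boundaries.
        $modules = $proc.Modules
    } catch {
        continue
    }
    foreach ($m in $modules) {
        if ($ModuleNames -contains $m.ModuleName) {   # -contains is case-insensitive
            [pscustomobject]@{
                Pid       = $proc.Id
                Process   = $proc.ProcessName
                Module    = $m.ModuleName
                FullPath  = $m.FileName
                # Parent folder name (TestA, TestB, ...) identifies the driver copy.
                DriverDir = Split-Path -Leaf (Split-Path -Parent $m.FileName)
            }
        }
    }
}

# One row per loaded copy: which driver's folder it came from and who holds it.
$hits | Group-Object FullPath | ForEach-Object {
    [pscustomobject]@{
        DriverDir = $_.Group[0].DriverDir
        FullPath  = $_.Name
        Processes = $_.Count
        Pids      = ($_.Group.Pid | Sort-Object -Unique) -join ','
    }
} | Sort-Object DriverDir | Format-Table -AutoSize
```

Run it once after the four injections (expect rows for TestA through TestD) and again after each uninjection; the row that disappears tells you which copy was really unloaded, which Process Explorer's name-based search cannot distinguish. If the x86 copies do not show up, run the script from the 32-bit PowerShell (SysWOW64\WindowsPowerShell\v1.0\powershell.exe), since module enumeration across bitness is limited.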
marcusssong
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: UninjectAllLibraries Problem

Post by marcusssong »

I changed the DLL file names to testX86A.dll, testX64A.dll, testX86B.dll, and so on.

After changing the DLL names, it works well.

I can change the DLL names and use that, but is there a plan to fix this problem?

Thank you for your help.
madshi
Site Admin
Posts: 10365
Joined: Sun Mar 21, 2004 5:25 pm

Re: UninjectAllLibraries Problem

Post by madshi »

I'll put this on my list of things to look at, but I'm currently busy with a different project, so if renaming the dll names works for you for now, I'll look at this later, when I find some time...