UninjectAllLibraries Problem

Postby marcusssong » Mon Feb 11, 2019 4:10 am

Hello,

When I uninject a DLL with the 'UninjectAllLibraries' function, another driver's DLL is uninjected.

I set up 4 drivers with different names using madConfigDrv.exe.

madCodeHook version: 4.1.2
OS: Windows 10 (1803, build 18134.523)

1. copy Driver
copy 'renameme32 (with version resource).sys' -> TestA/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestA/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestB/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestB/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestC/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestC/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestD/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestD/testX64.sys

2. copy Dll
copy 'testX86.dll' -> TestA/testX86.dll
copy 'testX64.dll' -> TestA/testX64.dll
copy 'testX86.dll' -> TestB/testX86.dll
copy 'testX64.dll' -> TestB/testX64.dll
...

5. set Driver Name
madConfigDrv.exe TestA/testX86.dll TestA -unsafeStopAllowed
madConfigDrv.exe TestA/testX64.dll TestA -unsafeStopAllowed
madConfigDrv.exe TestB/testX86.dll TestB -unsafeStopAllowed
madConfigDrv.exe TestB/testX64.dll TestB -unsafeStopAllowed
...

6. dual sign

7. injection
injection TestD -> TestC -> TestB -> TestA

8. check injected with Process Explorer

9. uninjection with UninjectAllLibrariesW
uninject TestA, TestD uninjected.
uninject TestB, TestC uninjected.
uninject TestC, TestB uninjected.
uninject TestD, TestA uninjected.

We are using the driver like this in each of our products.

Is there a driver name rule when uninjecting the DLL?

Thank you for your help.
marcusssong
 
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: UninjectAllLibraries Problem

Postby madshi » Mon Feb 11, 2019 10:43 am

This is extremely weird.

The user mode library talks to the driver using the driver name you provided via a parameter. The user mode library then opens the driver by using CreateFile(\\.\driverName). So all communication between user mode and driver depends on which driver name you provide to the user mode APIs. I don't see any way how the user mode library could even be able to confuse the driver names. If you provide the user mode library with "TestA" driver name, how could the user mode library possibly talk to "TestB" driver? This would only work if the user mode actually knew that a "TestB" driver existed. But it doesn't.

Are you 100% sure that your test was done correctly? I'm sorry to ask this question, but these test results don't make any sense to me... :shock:
madshi
Site Admin
 
Posts: 9985
Joined: Sun Mar 21, 2004 5:25 pm

Re: UninjectAllLibraries Problem

Postby marcusssong » Tue Feb 12, 2019 9:00 am

I tested again but got the same result...

I attached a video I recorded.

Here is the injection.exe code:
#include <windows.h>
#include <string>
#include "getopt_pp.h"   // GetOpt::GetOpt_pp command-line parser
#include "madCHook.h"    // madCodeHook 4 user mode API

// Assumed implementation of the GetCurrentPath() helper, which the post does not
// include: the directory of the running executable, without a trailing backslash.
static std::wstring GetCurrentPath()
{
    wchar_t szModule[ MAX_PATH ] = { 0, };
    GetModuleFileNameW( NULL, szModule, MAX_PATH );
    std::wstring sPath( szModule );
    size_t nPos = sPath.find_last_of( L'\\' );
    return ( nPos == std::wstring::npos ) ? sPath : sPath.substr( 0, nPos );
}

int main( int argc, char* argv[] )
{
    GetOpt::GetOpt_pp cls( argc, argv );
    bool bInjection = false;

    // Driver and DLL files are expected next to the executable
    // (one copy per directory: TestA, TestB, TestC, TestD).
    wchar_t sDriveX86Path[ MAX_PATH ] = { 0, };
    wchar_t sDriveX64Path[ MAX_PATH ] = { 0, };
    wchar_t sDLLX86Path[ MAX_PATH ] = { 0, };
    wchar_t sDLLX64Path[ MAX_PATH ] = { 0, };
    std::wstring sCurrentPath = GetCurrentPath();

    swprintf_s( sDriveX86Path, MAX_PATH, L"%s\\testX86.sys", sCurrentPath.c_str() );
    swprintf_s( sDriveX64Path, MAX_PATH, L"%s\\testX64.sys", sCurrentPath.c_str() );
    swprintf_s( sDLLX86Path, MAX_PATH, L"%s\\testX86.dll", sCurrentPath.c_str() );
    swprintf_s( sDLLX64Path, MAX_PATH, L"%s\\testX64.dll", sCurrentPath.c_str() );

    // "--driverName <name>" selects which madCodeHook driver instance to talk to.
    char szDriverName[ MAX_PATH ] = { 0, };
    cls >> GetOpt::Option( "driverName", szDriverName );
    if( szDriverName[ 0 ] == '\0' )
        return -1;

    // Convert the narrow option value to the wide string the madCodeHook APIs expect.
    wchar_t wszDriverName[ MAX_PATH ] = { 0, };
    swprintf_s( wszDriverName, MAX_PATH, L"%S", szDriverName );

    // "-i" selects injection; without it the tool uninjects and stops the driver.
    cls >> GetOpt::OptionPresent( 'i', bInjection );

    // Start the named driver if it is not running yet, then verify it came up.
    if( IsInjectionDriverRunning( wszDriverName ) == FALSE )
        LoadInjectionDriver( wszDriverName, sDriveX86Path, sDriveX64Path );

    if( IsInjectionDriverRunning( wszDriverName ) == FALSE )
        return -1;

    if( bInjection == true )
    {
        // Inject into system processes and UWP apps as well, across all sessions.
        DWORD dwOptions = 0;
        dwOptions |= INJECT_SYSTEM_PROCESSES;
        dwOptions |= INJECT_METRO_APPS;

        InjectLibraryW( wszDriverName, sDLLX86Path,
            ALL_SESSIONS, dwOptions, NULL, NULL,
            NULL, NULL, NULL, 7000 );

        InjectLibraryW( wszDriverName, sDLLX64Path,
            ALL_SESSIONS, dwOptions, NULL, NULL,
            NULL, NULL, NULL, 7000 );
    }
    else
    {
        // Remove every DLL this driver injected (7 second timeout), then stop it.
        UninjectAllLibrariesW( wszDriverName, NULL, 7000 );
        StopInjectionDriver( wszDriverName );
    }

    return 0;
}


Thank you for your help.

https://drive.google.com/open?id=1SnB0_Wl153HUMfK0cixg1BsJzjhDk8ai
marcusssong
 
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: UninjectAllLibraries Problem

Postby madshi » Tue Feb 12, 2019 10:10 am

I think the issue is *probably* caused by the dlls all having the same name but different file paths. Somewhere probably the difference in the file path gets lost. I'm not exactly sure where.

Can you double check if using different dll names works around the issue?
madshi
Site Admin
 
Posts: 9985
Joined: Sun Mar 21, 2004 5:25 pm
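The hypothesis above (four DLLs with identical file names under different directories being confused during uninjection) is something you can check for directly before calling UninjectAllLibrariesW: take the module list of a target process and look for base names that resolve to more than one full path. The code below is an added example written for this thread, not code from the original posts or from madCodeHook. It works on a constructed list of module paths standing in for what Process Explorer or a module enumeration API would return; file name comparison is case-insensitive, as on Windows.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Strip the directory part of a Windows path (either separator accepted).
static std::string BaseName( const std::string& path )
{
    size_t pos = path.find_last_of( "\\/" );
    return ( pos == std::string::npos ) ? path : path.substr( pos + 1 );
}

// Windows file names compare case-insensitively, so normalise before grouping.
static std::string ToLower( std::string s )
{
    std::transform( s.begin(), s.end(), s.begin(),
                    []( unsigned char c ) { return static_cast<char>( std::tolower( c ) ); } );
    return s;
}

// Group full module paths by lower-cased base name and return only the base
// names that map to more than one distinct path: those are the modules a
// name-keyed uninject cannot tell apart.
std::map<std::string, std::set<std::string>>
FindBaseNameCollisions( const std::vector<std::string>& modulePaths )
{
    std::map<std::string, std::set<std::string>> byName;
    for ( const std::string& p : modulePaths )
        byName[ ToLower( BaseName( p ) ) ].insert( ToLower( p ) );

    std::map<std::string, std::set<std::string>> collisions;
    for ( const auto& kv : byName )
        if ( kv.second.size() > 1 )
            collisions.insert( kv );
    return collisions;
}

// Constructed sample module list mirroring the poster's test layout: the same
// testX64.dll name under TestA..TestD, next to a couple of system DLLs.
static const std::vector<std::string> kSampleModules = {
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Test\\TestA\\testX64.dll",
    "C:\\Test\\TestB\\testX64.dll",
    "C:\\Test\\TestC\\TESTX64.DLL",
    "C:\\Test\\TestD\\testX64.dll",
};

int main()
{
    for ( const auto& kv : FindBaseNameCollisions( kSampleModules ) )
    {
        std::cout << kv.first << " is loaded from " << kv.second.size() << " locations:\n";
        for ( const auto& path : kv.second )
            std::cout << "    " << path << '\n';
    }
    return 0;
}
```

On the sample input the only collision reported is testx64.dll with four distinct paths; a module list with unique base names yields an empty result. Running this kind of check before uninjection tells you whether the DLL name alone identifies the module you intend to remove.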

Re: UninjectAllLibraries Problem

Postby marcusssong » Wed Feb 13, 2019 1:22 am

I changed the DLL file names to testX86A.dll, testX64A.dll, testX86B.dll... like this.

After changing the DLL names to be different, it works well.

I can change the DLL names and use that, but is there a plan to fix this problem?

Thank you for your help.
marcusssong
 
Posts: 22
Joined: Wed Apr 26, 2017 1:14 pm

Re: UninjectAllLibraries Problem

Postby madshi » Wed Feb 13, 2019 8:13 am

I'll put this on my list of things to look at, but I'm currently busy with a different project, so if renaming the dll names works for you for now, I'll look at this later, when I find some time...
madshi
Site Admin
 
Posts: 9985
Joined: Sun Mar 21, 2004 5:25 pm
