UninjectAllLibraries Problem
Posted: Mon Feb 11, 2019 4:10 am
Hello,
When I uninject a DLL with the 'UninjectAllLibraries' function, another driver's DLL is injected.
I set up 4 drivers with different names using madConfigDrv.exe.
madCodeHook version: 4.1.2
OS: Windows 10 (1803, build 18134.523)
1. copy Driver
copy 'renameme32 (with version resource).sys' -> TestA/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestA/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestB/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestB/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestC/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestC/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestD/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestD/testX64.sys
2. copy Dll
copy 'testX86.dll' -> TestA/testX86.dll
copy 'testX64.dll' -> TestA/testX64.dll
copy 'testX86.dll' -> TestB/testX86.dll
copy 'testX64.dll' -> TestB/testX64.dll
...
5. set Driver Name
madConfigDrv.exe TestA/testX86.dll TestA -unsafeStopAllowed
madConfigDrv.exe TestA/testX64.dll TestA -unsafeStopAllowed
madConfigDrv.exe TestB/testX86.dll TestB -unsafeStopAllowed
madConfigDrv.exe TestB/testX64.dll TestB -unsafeStopAllowed
...
6. dual sign
7. injection
inject TestD -> TestC -> TestB -> TestA
8. check injection with Process Explorer
9. uninjection with UninjectAllLibrariesW
uninject TestA: TestD is uninjected.
uninject TestB: TestC is uninjected.
uninject TestC: TestB is uninjected.
uninject TestD: TestA is uninjected.
We are using the driver like this in each of our products.
Is there a driver name rule when uninjecting the DLL?
Thank you for your help.