UninjectAllLibraries Problem

Posted: Mon Feb 11, 2019 4:10 am
by marcusssong
Hello,

When I uninject a DLL with the 'UninjectAllLibraries' function, another driver's DLL is injected.

I set up 4 drivers with different names using madConfigDrv.exe.

madCodeHook version: 4.1.2
OS: Windows 10 (1803, build 18134.523)

1. Copy drivers
copy 'renameme32 (with version resource).sys' -> TestA/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestA/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestB/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestB/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestC/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestC/testX64.sys
copy 'renameme32 (with version resource).sys' -> TestD/testX86.sys
copy 'renameme64 (with version resource).sys' -> TestD/testX64.sys

2. Copy DLLs
copy 'testX86.dll' -> TestA/testX86.dll
copy 'testX64.dll' -> TestA/testX64.dll
copy 'testX86.dll' -> TestB/testX86.dll
copy 'testX64.dll' -> TestB/testX64.dll
...

5. Set driver name
madConfigDrv.exe TestA/testX86.dll TestA -unsafeStopAllowed
madConfigDrv.exe TestA/testX64.dll TestA -unsafeStopAllowed
madConfigDrv.exe TestB/testX86.dll TestB -unsafeStopAllowed
madConfigDrv.exe TestB/testX64.dll TestB -unsafeStopAllowed
...

6. Dual sign

7. Injection
Inject TestD -> TestC -> TestB -> TestA

8. Check injection with Process Explorer

9. Uninjection with UninjectAllLibrariesW
Uninject TestA: TestD is uninjected.
Uninject TestB: TestC is uninjected.
Uninject TestC: TestB is uninjected.
Uninject TestD: TestA is uninjected.

We are using the driver like this in each of our products.

Is there a driver name rule when uninjecting the DLL?

Thank you for your help.

Re: UninjectAllLibraries Problem

Posted: Mon Feb 11, 2019 10:43 am
by madshi
This is extremely weird.

The user mode library talks to the driver using the driver name you provided via a parameter. The user mode library then opens the driver by using CreateFile(\\.\driverName). So all communication between user mode and driver depends on which driver name you provide to the user mode APIs. I don't see any way how the user mode library could even be able to confuse the driver names. If you provide the user mode library with "TestA" driver name, how could the user mode library possibly talk to "TestB" driver? This would only work if the user mode actually knew that a "TestB" driver existed. But it doesn't.

Are you 100% sure that your test was done correctly? I'm sorry to ask this question, but these test results don't make any sense to me... :shock:

Re: UninjectAllLibraries Problem

Posted: Tue Feb 12, 2019 9:00 am
by marcusssong
I tested again but got the same result...

I attached a video I recorded.

Here is the injection.exe code:

#include <windows.h>
#include <string>
#include "madCHook.h"    // madCodeHook 4 user mode API
#include "getopt_pp.h"   // GetOpt_pp command line parser

// Directory containing injection.exe. Stand-in for the poster's helper of the
// same name, whose body was not included in the post.
std::wstring GetCurrentPath()
{
    wchar_t szExe[ MAX_PATH ] = { 0, };
    GetModuleFileNameW( NULL, szExe, MAX_PATH );
    std::wstring sExe( szExe );
    return sExe.substr( 0, sExe.find_last_of( L'\\' ) );
}

int main( int argc, char* argv[] )
{
    GetOpt::GetOpt_pp cls( argc, argv );
    bool bInjection = false;

    // Driver and DLL paths are built from the directory the exe runs in
    // (TestA, TestB, ...), so every directory uses the same file names.
    wchar_t sDriveX86Path[ MAX_PATH ] = { 0, };
    wchar_t sDriveX64Path[ MAX_PATH ] = { 0, };
    wchar_t sDLLX86Path[ MAX_PATH ] = { 0, };
    wchar_t sDLLX64Path[ MAX_PATH ] = { 0, };
    std::wstring sCurrentPath = GetCurrentPath();

    swprintf_s( sDriveX86Path, MAX_PATH, L"%s\\testX86.sys", sCurrentPath.c_str() );
    swprintf_s( sDriveX64Path, MAX_PATH, L"%s\\testX64.sys", sCurrentPath.c_str() );
    swprintf_s( sDLLX86Path, MAX_PATH, L"%s\\testX86.dll", sCurrentPath.c_str() );
    swprintf_s( sDLLX64Path, MAX_PATH, L"%s\\testX64.dll", sCurrentPath.c_str() );

    // Driver name from the command line, e.g. --driverName TestA
    char szDriverName[ MAX_PATH ] = { 0, };
    cls >> GetOpt::Option( "driverName", szDriverName );
    if( szDriverName[ 0 ] == '\0' )
        return -1;

    // Narrow to wide conversion; %S takes a narrow string in MSVC's swprintf_s
    wchar_t wszDriverName[ MAX_PATH ] = { 0, };
    swprintf_s( wszDriverName, MAX_PATH, L"%S", szDriverName );

    // -i selects injection; without it the program uninjects and stops the driver
    cls >> GetOpt::OptionPresent( 'i', bInjection );

    // Load the driver under the given name if it is not already running
    if( !IsInjectionDriverRunning( wszDriverName ) )
        LoadInjectionDriver( wszDriverName, sDriveX86Path, sDriveX64Path );

    if( !IsInjectionDriverRunning( wszDriverName ) )
        return -1;

    if( bInjection )
    {
        DWORD dwOptions = INJECT_SYSTEM_PROCESSES | INJECT_METRO_APPS;

        // Inject both bitness variants into all sessions, 7 second timeout
        InjectLibraryW( wszDriverName, sDLLX86Path,
            ALL_SESSIONS, dwOptions, NULL, NULL,
            NULL, NULL, NULL, 7000 );

        InjectLibraryW( wszDriverName, sDLLX64Path,
            ALL_SESSIONS, dwOptions, NULL, NULL,
            NULL, NULL, NULL, 7000 );
    }
    else
    {
        // Uninject everything this driver injected, then stop the driver
        UninjectAllLibrariesW( wszDriverName, NULL, 7000 );
        StopInjectionDriver( wszDriverName );
    }

    return 0;
}

Thank you for your help.

https://drive.google.com/open?id=1SnB0_ ... sJzjhDk8ai

Re: UninjectAllLibraries Problem

Posted: Tue Feb 12, 2019 10:10 am
by madshi
I think the issue is *probably* caused by the DLLs all having the same name but different file paths. Somewhere probably the difference in the file path gets lost. I'm not exactly sure where.

Can you double check if using different DLL names works around the issue?

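An added check that is not part of the thread, for steps 8 and 9 above: instead of eyeballing Process Explorer, this script lists every process that has one of the test DLLs loaded, grouped by full path, so the TestA and TestB copies of a same-named DLL can be told apart before and after each UninjectAllLibrariesW call. The base names are assumed from the thread and can be changed for the renamed variants.

```powershell
# Added check, not part of the thread: list which processes have a DLL of a
# given base name loaded and from which full path, so same-named DLLs from
# different driver directories (TestA\testX64.dll, TestB\testX64.dll, ...)
# can be told apart before and after each UninjectAllLibrariesW call.
# Run from an elevated 64-bit PowerShell so 64-bit processes can be inspected.
param(
    # Base names assumed from the thread; adjust for the renamed variants.
    [string[]]$BaseNames = @('testX86.dll', 'testX64.dll')
)

$found   = @()
$skipped = @()
foreach ($p in Get-Process) {
    try {
        $mods = $p.Modules      # throws for protected processes
    } catch {
        $skipped += $p.ProcessName
        continue
    }
    foreach ($m in $mods) {
        if ($BaseNames -contains $m.ModuleName) {
            $found += [pscustomobject]@{
                Pid      = $p.Id
                Process  = $p.ProcessName
                Module   = $m.ModuleName
                FullPath = $m.FileName
            }
        }
    }
}

# One group per full path: each group is one driver directory's copy of the DLL.
$found | Group-Object FullPath | Sort-Object Name | ForEach-Object {
    '{0}  ({1} process(es))' -f $_.Name, $_.Count
    $_.Group | Sort-Object Pid | ForEach-Object { '    {0,6}  {1}' -f $_.Pid, $_.Process }
}
if ($skipped) {
    'Could not enumerate modules of: ' + (($skipped | Sort-Object -Unique) -join ', ')
}
```

Run it once after step 7 and again after each uninject call; a path group that disappears after uninjecting a different driver name reproduces the behaviour reported above.
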
Re: UninjectAllLibraries Problem

Posted: Wed Feb 13, 2019 1:22 am
by marcusssong
I changed the DLL file names to testX86A.dll, testX64A.dll, testX86B.dll... like this.

After changing the DLL names to be different, it works well.

I can change the DLL names and use that, but is there a plan to fix this problem?

Thank you for your help.

Re: UninjectAllLibraries Problem

Posted: Wed Feb 13, 2019 8:13 am
by madshi
I'll put this on my list of things to look at, but I'm currently busy with a different project, so if renaming the DLL names works for you for now, I'll look at this later, when I find some time...