madshi.net

[jgh0721]

Recently, when we try injection on Windows XP using MadCodeHook, we confirmed that injection fails with very high probability.

OS: Windows XP SP3
MCH : madCollection 2.8.8.9(beta)

Symptom 1: It is not injected into the processes already in place, but then injected into the processes that are executed (though, irregularly failed).
=> For example, firefox.exe:failed, notepad+.exe: succssed, conemu.exe: successed

Symptom 2: No injections to the processes already in place, and little injections to the processes that are subsequently executed

The DLL/SYS file used was attached to a link; driver name => iMonLOPE1021

p.s: There has been no official update for a year, is there an update schedule?

https://drive.google.com/file/d/1YtblZG ... sp=sharing

[iconic]

Hello,

What flags are you using for InjectLibrary()?

—Iconic

[jgh0721]

i use below options

all session
system process include
running process include injection
no include mask
some exclude mask( smss.exe wininit.exe etc.... )

[iconic]

This is only happening on XP? Have you tested above XP?

—Iconic

[madshi]

There's going to be a new update pretty soon, but there are no changes planned for XP atm. Nobody else reported injection problems on XP so far, from what I recall.

Please try giving "Everyone" NTFS read&execute rights to the hook dll, just as a quick test.

[jgh0721]

Yes, This is only Windows XP.

Vista ~ Windows 10 works well. ( both of x86 and x64 )

below these options which i use

isInjectToSystemProcesses = true
ispermanent = false
isinjectometroapps = true
isuseIATPatching = false
isSystemWide = true
IncludeMask = *
ExcludeMask = GetModuleList-x64.exe|iMonLope_SVC.exe|*\windows\incops3\ictray64.exe|iMonLope_UI-DBG.exe|*\windows\incops3\icdi.exe|*\windows\incops3\icdcmgr64.exe|*\windows\incops3\incops3.exe|iMonTerminator.exe|*\windows\incops3\icdi64.exe|GetActiveXInfos-x64.exe|*\windows\incops3\icdcmgr.exe|*\windows\incops3\ictray.exe|xcacls.exe|iMonInjector-x86.exe|iMonLope_UI.exe|iMonInjector-x64.exe|*\windows\incops3\ictrigger64.exe|*\windows\incops3\ictrigger.exe|*\windows\incops3\esshmwow.exe|*\windows\incops3\incops364.exe|*\windows\incops3\icview.exe|

[iconic]

Thanks for the additional info. If you have some time can you try clearing the include and exclude masks, simply don’t set them at all. I’m curious to see if without inclusions and exclusions if your problem disappears. Thanks

—Iconic

[jgh0721]

and, i test with any setting include mask / excludemask on windows xp.

and sam result.

[iconic]

Ok,

I'll attempt to reproduce the issue this weekend and will get back with you as soon as possible. Which version of MCH are you using and also what language (c++ or Delphi)?

--Iconic

[jgh0721]

i use msvc 2015 with update 3( c++ ), and mch 4.1.2+( mch beta, madcollection 2.8.8.9 , because of approvalcallback )

[iconic]

Hello,

I had some time today to run the XP test with MCH system-wide injection and everything worked as expected here. I used the exact same OS version, madCollection beta version as well as MSVC version (2015 Community Edition). Already running processes were properly injected and any newly created processes were also injected just fine for me. I ran the following series of tests:

[1] Regular injection (no approval callback)

[2] IAT injection (no approval callback)

[3] Regular injection + Approval callback

[4] IAT injection + Approval callback

Can you please upload and link us to a complete vcproj that you've created?

XP_SYSTEMWIDE_TEST.PNG (1.97 MiB) Viewed 1378 times

--Iconic