
Windows XP - Injection doesn't work

Posted: Wed Oct 23, 2019 6:28 am
by jgh0721
Recently, when we tried injection on Windows XP using MadCodeHook, we confirmed that injection fails with very high probability.

OS: Windows XP SP3
MCH : madCollection 2.8.8.9(beta)

Symptom 1: It is not injected into the processes already in place, but then injected into the processes that are executed (though, irregularly failed).
=> For example, firefox.exe: failed, notepad+.exe: succeeded, conemu.exe: succeeded

Symptom 2: No injections into the processes already in place, and few injections into the processes that are subsequently executed

The DLL/SYS file used was attached to a link; driver name => iMonLOPE1021

p.s: There has been no official update for a year, is there an update schedule?

https://drive.google.com/file/d/1YtblZG ... sp=sharing

Re: Windows XP - Injection doesn't work

Posted: Wed Oct 23, 2019 6:47 am
by iconic
Hello,

What flags are you using for InjectLibrary()?

—Iconic

Re: Windows XP - Injection doesn't work

Posted: Wed Oct 23, 2019 7:14 am
by jgh0721
I use the options below

all session
system process include
running process include injection
no include mask
some exclude mask( smss.exe wininit.exe etc.... )

Re: Windows XP - Injection doesn't work

Posted: Wed Oct 23, 2019 7:22 am
by iconic
This is only happening on XP? Have you tested above XP?

—Iconic

Re: Windows XP - Injection doesn't work

Posted: Wed Oct 23, 2019 7:23 am
by madshi
There's going to be a new update pretty soon, but there are no changes planned for XP atm. Nobody else reported injection problems on XP so far, from what I recall.

Please try giving "Everyone" NTFS read&execute rights to the hook dll, just as a quick test.

Re: Windows XP - Injection doesn't work

Posted: Wed Oct 23, 2019 8:07 am
by jgh0721
Yes, this is only Windows XP.

Vista ~ Windows 10 works well. (both x86 and x64)

Below are the options which I use

isInjectToSystemProcesses = true
ispermanent = false
isinjectometroapps = true
isuseIATPatching = false
isSystemWide = true
IncludeMask = *
ExcludeMask = GetModuleList-x64.exe|iMonLope_SVC.exe|*\windows\incops3\ictray64.exe|iMonLope_UI-DBG.exe|*\windows\incops3\icdi.exe|*\windows\incops3\icdcmgr64.exe|*\windows\incops3\incops3.exe|iMonTerminator.exe|*\windows\incops3\icdi64.exe|GetActiveXInfos-x64.exe|*\windows\incops3\icdcmgr.exe|*\windows\incops3\ictray.exe|xcacls.exe|iMonInjector-x86.exe|iMonLope_UI.exe|iMonInjector-x64.exe|*\windows\incops3\ictrigger64.exe|*\windows\incops3\ictrigger.exe|*\windows\incops3\esshmwow.exe|*\windows\incops3\incops364.exe|*\windows\incops3\icview.exe|

Re: Windows XP - Injection doesn't work

Posted: Wed Oct 23, 2019 8:15 am
by iconic
Thanks for the additional info. If you have some time, can you try clearing the include and exclude masks, simply don't set them at all. I'm curious to see if, without inclusions and exclusions, your problem disappears. Thanks

—Iconic

Re: Windows XP - Injection doesn't work

Posted: Thu Oct 24, 2019 2:21 am
by jgh0721
And, I tested with any setting include mask / exclude mask on Windows XP.

And the same result. :-(

Re: Windows XP - Injection doesn't work

Posted: Fri Oct 25, 2019 1:09 am
by iconic
Ok,

I'll attempt to reproduce the issue this weekend and will get back with you as soon as possible. Which version of MCH are you using and also what language (C++ or Delphi)?

--Iconic

Re: Windows XP - Injection doesn't work

Posted: Fri Oct 25, 2019 4:49 am
by jgh0721
I use MSVC 2015 with Update 3 (C++), and MCH 4.1.2+ (MCH beta, madCollection 2.8.8.9, because of approvalcallback)

Re: Windows XP - Injection doesn't work

Posted: Fri Oct 25, 2019 6:51 pm
by iconic
Hello,

I had some time today to run the XP test with MCH system-wide injection and everything worked as expected here. I used the exact same OS version, madCollection beta version as well as MSVC version (2015 Community Edition). Already running processes were properly injected and any newly created processes were also injected just fine for me. I ran the following series of tests:

[1] Regular injection (no approval callback)

[2] IAT injection (no approval callback)

[3] Regular injection + Approval callback

[4] IAT injection + Approval callback

Can you please upload and link us to a complete vcproj that you've created?
Attachment: XP_SYSTEMWIDE_TEST.PNG
--Iconic