InjectLibraryW cause BSOD

c++ / delphi package - dll injection and api hooking

Postby pambol » Sat Mar 14, 2020 12:31 am

Hi, I have a problem. If I inject into all running processes on W7/XP, it generates a BSOD.
Here is the injection code.

Code:
for i1 := 0 to high(pl) do
  begin
    // Skip our own process and protected processes.
    if GetCurrentProcessID = pl[i1].id then Continue;
    if dNtSysCall.IsProtectedProcess(pl[i1].id) then Continue;

    hOpen := OpenProcess(PROCESS_ALL_ACCESS, false, pl[i1].id);
    // OpenProcess returns 0 on failure (e.g. access denied); skip those processes.
    if hOpen = 0 then Continue;

    // Choose the DLL that matches the target's bitness.
    // The third parameter of InjectLibraryW is the timeout.
    if Is64BitProcess(hOpen) then
    begin
      if not InjectLibraryW('PSGG64.dll', hOpen, 1) then
      begin
        Memo1.Lines.Add(Format('64 Process [%s] failed to inject', [pl[i1].exeFile]));
      end
      else
      begin
        Memo1.Lines.Add(Format('64 Process [%s] injected', [pl[i1].exeFile]));
      end;
    end
    else
    begin
      if not InjectLibraryW('PSGG32.dll', hOpen, 1) then
      begin
        Memo1.Lines.Add(Format('32 Process [%s] failed to inject', [pl[i1].exeFile]));
      end
      else
      begin
        Memo1.Lines.Add(Format('32 Process [%s] injected', [pl[i1].exeFile]));
      end;
    end;

    CloseHandle(hOpen);
  end;


I've tried an empty .dll like:

Code:
library Project1;

uses
  System.SysUtils,
  System.Classes;

begin
end.


How can I solve that?
pambol
 
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: InjectLibraryW cause BSOD

Postby iconic » Sat Mar 14, 2020 2:22 am

Hi,

Which version of MCH are you currently using? Also, if the DLL is empty, there is no need to include the SysUtils and Classes units (IIRC there are some heavy initialization sections). MCH should be able to inject system-wide with an empty DLL without issues. In your case, process specific injection also should not have any such effect. System-wide flags are better for this however come injection time, instead of injecting in a process loop like this.

*** Edit ***
Looked at your code more closely, you're setting the injection timeout to 1 ms. I think you might mean 1000 ms (1 second), otherwise there is hardly any time to complete the real operation.

Code:
InjectLibrary(DLL_PATH, hProcess, 1000); // for 1 second timeout


Default timeout is 7 seconds, by the way (3rd param is 7000 by default). It's best if you don't adjust this parameter or at least use seconds instead of milliseconds. Might not make a difference, however the calling isn't right with "1" as the 3rd parameter. Try InjectLibraryW(DLL, hProcess); and leave the default parameters in place. Does this make a difference?

Also, a tip: lose PROCESS_ALL_ACCESS and use the MAXIMUM_ALLOWED access mask instead.

--Iconic
iconic
Site Admin
 
Posts: 960
Joined: Wed Jun 08, 2005 5:08 am

Re: InjectLibraryW cause BSOD

Postby madshi » Sat Mar 14, 2020 8:27 am

Agree with iconic: I would recommend not to include SysUtils and Classes. If you need a couple of functions from SysUtils/Classes, just copy & paste them into your hook dll dpr file instead.

Some system processes like to create a BSOD if you call any GUI APIs in them, like FindWindow, PostMessage etc. I'm not sure what SysUtils & Classes do in their initialization section. Will probably also depend on which Delphi version you're using.

(The InjectLibrary timeout value should in theory not harm, because injection is done by remote threads, which are written to work by themselves.)
madshi
Site Admin
 
Posts: 10232
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibraryW cause BSOD

Postby iconic » Sat Mar 14, 2020 8:53 am

Yes, Madshi is 100% correct, non-interactive processes (mostly session 0 services or critical processes like CSRSS or Winlogon) do not like anything "UI" among other things. The timeout comment I made was due to you confusing seconds with milliseconds, just so you're aware. You have to write your DLL code delicately. But, an empty DLL should not BSOD with madCodeHook in general. I've never heard of such a case with including the Windows unit only, for example. Something seems off in that case...

--Iconic

Re: InjectLibraryW cause BSOD

Postby madshi » Sat Mar 14, 2020 9:01 am

One thing I'm a bit scared of myself is what newer Delphi versions might be doing "secretly" in a dll's initialization. Which is why I personally like to use Delphi 7 for win32 hook dlls. I know Delphi 7 does nothing harmful. Sadly, Delphi 7 doesn't support 64bit dlls, so there's no way to avoid using a newer Delphi version for 64bit. I've actually switched over to MSVC++, but only for hook dlls. For EXEs I still prefer Delphi by a long shot, because it's *SO* much easier to develop GUIs with, and I simply like the language, and the fast compiler etc...

Re: InjectLibraryW cause BSOD

Postby iconic » Sat Mar 14, 2020 9:05 am

Delphi 10.x now has MUCH slower compile times, among many other things I've noticed. My go-to is XE2 for 64-bit and 32-bit apps, but Delphi 7 was my favorite, too bad it didn't support 64-bit compilation.

--Iconic

Re: InjectLibraryW cause BSOD

Postby madshi » Sat Mar 14, 2020 9:10 am

Ouch, didn't know that Delphi 10.x compiles slower. Any idea why?

Yes, XE2 is probably the safest choice for 64bit. And yes, Delphi 7 is also my favorite. Still using it a lot today.

Re: InjectLibraryW cause BSOD

Postby iconic » Sat Mar 14, 2020 9:16 am

That's an email answer =] Yes, MUCH slower, have benches showing it. Very disappointed with that fact. 3/4x actually compiler speed loss. Then again, the trading hands of the company (now Idera?) is a lot over the years.
Delphi will forever be my favorite, along with the inline assembly support. I only use C when I need to :D I recently saw a video showing a modern Delphi compiler compiling 1 million lines in 5 seconds. Not too bad, in C/C++ that would take an eternity. IIRC the video was also in a VM, so that's more like 3 seconds.

https://community.idera.com/developer-t ... ith-delphi

--Iconic

Re: InjectLibraryW cause BSOD

Postby madshi » Sat Mar 14, 2020 9:49 am

Yeah, in MSVC++ sometimes even loading a project (and the IDE parsing all the header files etc) can take an eternity...

Re: InjectLibraryW cause BSOD

Postby iconic » Sat Mar 14, 2020 10:00 am

It's why we're Delphi coders. We know better :wink:

Back on topic, Pambol please try the above suggestions and let us know the result please.
Your Delphi version used can also be important to us, so please let us know.

--Iconic

Re: InjectLibraryW cause BSOD

Postby pambol » Sat Mar 14, 2020 2:30 pm

Tested all solutions posted here and the BSOD still happens.
Maybe it is the version of MCH that I use, madCollection 4.0.0.2.

Re: InjectLibraryW cause BSOD

Postby madshi » Sat Mar 14, 2020 2:50 pm

Please try updating to the latest madCodeHook build, maybe that helps?

Re: InjectLibraryW cause BSOD

Postby pambol » Sat Mar 14, 2020 3:29 pm

Tried updating and the IDE says "[dcc64 Fatal Error] Unit1.pas(7): F2613 Unit 'MadCodeHook' not found."

Re: InjectLibraryW cause BSOD

Postby madshi » Sat Mar 14, 2020 3:33 pm

Maybe your subscription has run out? I guess you could try madCodeHook v3, that one doesn't ever run out.

Re: InjectLibraryW cause BSOD

Postby iconic » Tue Apr 14, 2020 12:42 am

Update via Email:

This issue was solved by the user by not including unnecessary included files, which I had asked him to eliminate originally...

"solved disabling //, SysUtils{$ENDIF}, SysUtils;//, Forms, Dialogs;"

Case solved. Not directly related to MCH in any way (injection, hooking or other).

--Iconic