InjectLibraryA fails, GetLastError()==998 (ERROR_NOACCESS)

c++ / delphi package - dll injection and api hooking
SkyLined
Posts: 5
Joined: Fri Mar 11, 2005 10:09 am

Post by SkyLined »

Hi all,

I wrote a simple program that injects a dll into itself to test the InjectLibraryA function. First I get a Process HANDLE:
me = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
Then I inject the dll using:
InjectLibraryA(me, "dll name", 7000);

OpenProcess succeeds but InjectLibraryA doesn't. GetLastError() == 998 (ERROR_NOACCESS).
help.madshi.net doesn't mention this value for GetLastError(), nor did a search in the forum turn up anything useful.

Has anybody got any idea why this doesn't work?

Cheers,
SkyLined
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Does it work, if you inject the dll into another process? This error code doesn't come directly from madCodeHook. It's probably the result of a failing win32 API.
SkyLined
Posts: 5
Joined: Fri Mar 11, 2005 10:09 am

Other processes give error c0000008 (STATUS_INVALID_PARA...

Post by SkyLined »

Hi,

I changed the code slightly to try and insert it into other processes:
InjectLibraryA(CURRENT_USER & (!CURRENT_PROCESS), "dll-name", 7000)
This also returns an error: c0000008 (STATUS_INVALID_PARAMETER)
Docs on the error are here: http://msdn.microsoft.com/library/defau ... s/5525.asp
Apparently a call to NtQueryInformationFile failed!?
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: Other processes give error c0000008 (STATUS_INVALID_PAR

Post by madshi »

SkyLined wrote:
InjectLibraryA(CURRENT_USER & (!CURRENT_PROCESS), "dll-name", 7000)

I think "!" is a logical operator. You need a bitwise operator, which should be "~", I guess. But I'm not a C++ expert, so I'm not sure.

Please use the DllInjector.exe which ships with madCodeHook and try to inject your dll with that. Does that work?

Alternatively you can try to copy one of the precompiled dlls from the madCodeHook demos to your project directly and call InjectLibrary(me, 'someDemo.dll') to see whether that works.

Basically: Find out whether your dll is the problem or whether the injection code is the problem.

I'm always suggesting to start work by using one of the demos and changing it so that it fits your needs.
SkyLined
Posts: 5
Joined: Fri Mar 11, 2005 10:09 am

Post by SkyLined »

You are of course right about the ~

I did some recoding and now it seems to work when I inject into all processes for CURRENT_USER, I have no idea what was going wrong.

Does InjectLibraryA actually do a LoadLibrary or does it use some tweaks to get the code from the dll into the process? I ask because the dll does not show up in the memory map for ollydbg, my debugger.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

It does use LoadLibrary.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

P.S: LoadLibraryW in the NT family.
SkyLined
Posts: 5
Joined: Fri Mar 11, 2005 10:09 am

Post by SkyLined »

Ok, now it's working, unfortunately I wasn't using CVS so I can't tell you what I changed to get it to work.

Btw. I ran into another GetLastError() code: 0x80000003.
This error is triggered by putting an int 3 breakpoint into the DllMain of the library you are injecting. I'm guessing this breakpoint causes an exception, which is caught by InjectLibrary when you're not attached with a debugger. InjectLibrary (falsely) assumes the injection failed and returns FALSE. In my opinion the int 3 breakpoint exception should not be caught by InjectLibrary and it should return TRUE, since the injection worked.

...and another thing: The first argument to InjectLibrary is the HANDLE of the process you want to attach to, but why is it a DWORD and not a HANDLE?

If you want to update your documentation (which is pretty awesome for a non-commercial product!!) I could get you a list of error codes I've come across and the reason why the errors occurred and ways to fix it. That would seriously help a lot of newbies like me get their first DllInjecting prg running.
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

SkyLined wrote:
Btw. I ran into another GetLastError() code: 0x80000003.
This error is triggered by putting an int 3 breakpoint into the DllMain of the library you are injecting. I'm guessing this breakpoint causes an exception, which is caught by InjectLibrary when you're not attached with a debugger. InjectLibrary (falsely) assumes the injection failed and returns FALSE. In my opinion the int 3 breakpoint exception should not be caught by InjectLibrary and it should return TRUE, since the injection worked.

InjectLibrary doesn't catch anything. If there's an exception during DllMain, Windows itself unloads the dll again and returns an error code. InjectLibrary internally just calls LoadLibrary (in the context of the target process) and returns what LoadLibrary returned.

SkyLined wrote:
...and another thing: The first argument to InjectLibrary is the HANDLE of the process you want to attach to, but why is it a DWORD and not a HANDLE?

Mainly because the first argument has multiple purposes. It can be used for passing in a process handle or for passing in special flags. The flags can also be combined. So I had to choose between DWORD and HANDLE. Because the majority of people use system wide injection (= special flags) I've decided to use DWORD.

SkyLined wrote:
If you want to update your documentation (which is pretty awesome for a non-commercial product!!)

Hopefully there is no misunderstanding! madCodeHook is free only if you use it for non-commercial purposes. If your software is commercial, you need to buy a commercial madCodeHook license, too!

SkyLined wrote:
I could get you a list of error codes I've come across and the reason why the errors occurred and ways to fix it. That would seriously help a lot of newbies like me get their first DllInjecting prg running.

The problem is that the error codes most of the time can have multiple reasons. E.g. c0000008 can have millions of reasons, a failing NtQueryInformationFile is just one out of 1 million.