When UninjectLibrary fails, any more info?

c++ / delphi package - dll injection and api hooking


Post by JanDoggen » Thu Dec 24, 2009 10:50 am

This code returns an error message with GetLastError 0.
That is not much info :?
Is there a way to get more info on what failed?

procedure UnInjectCoreDll;
var
  Res: Boolean;
begin
  Res := UninjectLibrary((ALL_SESSIONS{ or SYSTEM_PROCESSES}) and (not CURRENT_PROCESS), 'CORE.DLL');
  if not Res then
    LogError('UnInjectCoreDll', 'UninjectLibrary failed (CORE.DLL): ' + IntToStr(GetLastError), veError);
end;

Thanks
Jan
JanDoggen
 
Posts: 30
Joined: Thu Nov 26, 2009 11:23 am
Location: Netherlands

Post by madshi » Wed Dec 30, 2009 11:10 am

I have it on my to-do list to produce better error codes in case of failure. Right now there's no way you can ask madCodeHook for the exact error cause. You'll have to find out yourself.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Post by JanDoggen » Thu Dec 31, 2009 8:14 am

Hi Matthias

(1) But is the FALSE result of UninjectLibrary reliable?
(2) Any ideas how I could find out what is going on if it fails?

Thanks
Jan

Post by madshi » Thu Dec 31, 2009 9:06 am

1) I think so.
2) First step would be to collect more (much more) info. E.g. did injection work? When UninjectLibrary fails, is your hook dll then still loaded in all the processes? Is it the same EXE which is doing the injection and uninjection? Which user account does the EXE run in? Which OS? Does your EXE run with admin rights or not? Which exact InjectLibrary and UninjectLibrary calls are you doing? Etc...

Post by Tuxford » Tue Oct 13, 2015 1:08 pm

I have a similar problem with UninjectLibrary.

I do it in the destructor.
Code:
Initializer::~Initializer()
{
    for (const std::wstring& s : mLibs)
    {
        if (UninjectLibrary(mDriverId.c_str(), s.c_str(), ALL_SESSIONS, true) == FALSE)
        {
            // Read the error code first, before any stream call can overwrite it.
            const DWORD err = GetLastError();
            std::wcout << L"Failed unloading " << mDriverId << " : " << s.c_str() << " : " << err << std::endl;
        }
    }

    std::cout << "Uninject result: " << StopInjectionDriver(mDriverId.c_str()) << std::endl;
    FinalizeMadCHook();
    std::cout << "Initializer::~Initializer()\n";
}


The result is below. The process is run with admin rights. Injection was successful.

Current dir: D:\Projects\cdev_common\Access\
Added dll AccessLib64.dll
Added dll AccessLib32.dll
Press 'Ctr+C to exit'
Failed unloading HookProcessCreationDemoDriver : D:\Projects\cdev_common\Access\
AccessLib64.dll : 31
Failed unloading HookProcessCreationDemoDriver : D:\Projects\cdev_common\Access\
AccessLib32.dll : 31
Uninject result: 1
Initializer::~Initializer()
Tuxford
 
Posts: 8
Joined: Thu Sep 10, 2015 11:01 am


Post by madshi » Tue Oct 13, 2015 2:26 pm

The error code 31 seems to be ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning".

Are you sure the driver is still running at that moment? And do your UninjectLibrary() parameters match *exactly* your InjectLibrary() parameters - all of them?

Post by Tuxford » Thu Oct 15, 2015 7:54 am

madshi wrote: The error code 31 seems to be ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning".

Are you sure the driver is still running at that moment? And do your UninjectLibrary() parameters match *exactly* your InjectLibrary() parameters - all of them?

The driver worked at that time. The problem occurred because a previous version of the injector had failed. A reboot solved this problem. It seems that if the injector fails, the next instances of the injector behave somewhat strangely.

Post by madshi » Thu Oct 15, 2015 8:32 am

For security reasons (we don't want malware to uninject an anti-virus hook dll, for example), uninjection is only allowed to be done by exactly the same exe which did the injection. "Exactly the same exe" means there's a hash/CRC of the exe done which is then compared to the hash of the exe which originally did the injection. So if you inject, then replace the injector with a different version, you cannot uninject anymore. Maybe that's what happened here?

Post by Tuxford » Fri Oct 16, 2015 2:23 pm

madshi wrote: For security reasons (we don't want malware to uninject an anti-virus hook dll, for example), uninjection is only allowed to be done by exactly the same exe which did the injection. "Exactly the same exe" means there's a hash/CRC of the exe done which is then compared to the hash of the exe which originally did the injection. So if you inject, then replace the injector with a different version, you cannot uninject anymore. Maybe that's what happened here?

That's OK. I've already fixed the injector. If somebody kills the injector, this is not our problem.

Post by madshi » Fri Oct 16, 2015 6:09 pm

FWIW, the injector process may be closed and restarted, that's not a problem, but the injector exe file is not allowed to change.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm
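
A diagnostic for the rule described in the two posts above (the injector process may restart, but uninjection is refused once the injector EXE file has changed), as an added example that is not from the thread or from madCodeHook: the injector persists a digest of its own EXE after injecting and checks it before uninjecting, so a replaced binary is reported explicitly instead of surfacing only as a failed UninjectLibrary call. CRC-32 is a stand-in digest, since the thread does not say which hash/CRC madCodeHook uses; FileCrc32, RecordInjectorExe, CheckInjectorExe and the record file are hypothetical names.

```cpp
#include <cstdint>
#include <fstream>
#include <string>

// CRC-32 (IEEE, reflected polynomial 0xEDB88320) over a whole file.
// Assumption: stand-in digest, not necessarily what madCodeHook computes.
bool FileCrc32(const std::string& path, std::uint32_t& crc)
{
    std::ifstream in(path, std::ios::binary);
    if (!in) return false;
    crc = 0xFFFFFFFFu;
    char c;
    while (in.get(c)) {
        crc ^= static_cast<unsigned char>(c);
        for (int i = 0; i < 8; ++i)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    crc = ~crc;
    return true;
}

enum class ExeCheck { Same, Changed, NoRecord, Unreadable };

// Call right after a successful injection. exePath is the injector's own
// image path (on Windows, e.g. from GetModuleFileName); the record is a
// small file that survives a restart of the injector process.
bool RecordInjectorExe(const std::string& exePath, const std::string& recordPath)
{
    std::uint32_t crc = 0;
    if (!FileCrc32(exePath, crc)) return false;
    std::ofstream out(recordPath, std::ios::trunc);
    out << crc << std::endl;
    return out.good();
}

// Call before uninjecting: tells apart "EXE was replaced since injection"
// from other causes of a failed uninjection.
ExeCheck CheckInjectorExe(const std::string& exePath, const std::string& recordPath)
{
    std::uint32_t current = 0, recorded = 0;
    if (!FileCrc32(exePath, current)) return ExeCheck::Unreadable;
    std::ifstream in(recordPath);
    if (!(in >> recorded)) return ExeCheck::NoRecord;
    return current == recorded ? ExeCheck::Same : ExeCheck::Changed;
}
```

Logging the ExeCheck result next to the GetLastError value gives the kind of extra context the thread asks for when uninjection fails after an injector update.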

