When UninjectLibrary fails, any more info?

c++ / delphi package - dll injection and api hooking
JanDoggen
Posts: 30
Joined: Thu Nov 26, 2009 11:23 am
Location: Netherlands

When UninjectLibrary fails, any more info?

Post by JanDoggen »

This code returns an error message with GetLastError 0.
That is not much info. :?
Is there a way to get more info on what failed?

procedure UnInjectCoreDll;
var
  Res: Boolean;
begin
  Res := UninjectLibrary((ALL_SESSIONS{ or SYSTEM_PROCESSES}) and (not CURRENT_PROCESS), 'CORE.DLL');
  if not Res then
    LogError('UnInjectCoreDll', 'UninjectLibrary failed (CORE.DLL): ' + IntToStr(GetLastError), veError);
end;

Thanks
Jan
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I have it on my to-do list to produce better error codes in case of failure. Right now there's no way you can ask madCodeHook for the exact error cause. You'll have to find out yourself.
JanDoggen
Posts: 30
Joined: Thu Nov 26, 2009 11:23 am
Location: Netherlands

Post by JanDoggen »

Hi Matthias

(1) But is the FALSE result of UninjectLibrary reliable?
(2) Any ideas how I could find out what is going on if it fails?

Thanks
Jan
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

1) I think so.
2) First step would be to collect more (much more) info. E.g. did injection work? When UninjectLibrary fails, is your hook dll then still loaded in all the processes? Is it the same EXE which is doing the injection and uninjection? Which user account does the EXE run in? Which OS? Does your EXE run with admin rights or not? Which exact InjectLibrary and UninjectLibrary calls are you doing? Etc...
Tuxford
Posts: 8
Joined: Thu Sep 10, 2015 11:01 am

Re: When UninjectLibrary fails, any more info?

Post by Tuxford »

I have a similar problem with UninjectLibrary.

I do it in the destructor.

Initializer::~Initializer()
{
	for (const std::wstring& s : mLibs)
	{
		if (UninjectLibrary(mDriverId.c_str(), s.c_str(), ALL_SESSIONS, true) == FALSE)
		{
			// Read the error code first: the stream output below may overwrite the thread's last-error value.
			const DWORD err = GetLastError();
			std::wcout << L"Failed unloading " << mDriverId << " : " << s.c_str() << " : " << err << std::endl;
		}
	}

	std::cout << "Uninject result: " << StopInjectionDriver(mDriverId.c_str()) << std::endl;
	FinalizeMadCHook();
	std::cout << "Initializer::~Initializer()\n";
}

The result is below. The process is run with admin rights. Injection was successful.
Current dir: D:\Projects\cdev_common\Access\
Added dll AccessLib64.dll
Added dll AccessLib32.dll
Press 'Ctr+C to exit'
Failed unloading HookProcessCreationDemoDriver : D:\Projects\cdev_common\Access\
AccessLib64.dll : 31
Failed unloading HookProcessCreationDemoDriver : D:\Projects\cdev_common\Access\
AccessLib32.dll : 31
Uninject result: 1
Initializer::~Initializer()
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: When UninjectLibrary fails, any more info?

Post by madshi »

The error code 31 seems to be ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning".

Are you sure the driver is still running at that moment? And do your UninjectLibrary() parameters match *exactly* your InjectLibrary() parameters - all of them?
Tuxford
Posts: 8
Joined: Thu Sep 10, 2015 11:01 am

Re: When UninjectLibrary fails, any more info?

Post by Tuxford »

madshi wrote:The error code 31 seems to be ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning".

Are you sure the driver is still running at that moment? And do your UninjectLibrary() parameters match *exactly* your InjectLibrary() parameters - all of them?

The driver was working at that time. The problem occurred because the previous version of the injector had failed. A reboot solved this problem. It seems that if the injector fails, the next instances of the injector behave somewhat strangely.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: When UninjectLibrary fails, any more info?

Post by madshi »

For security reasons (we don't want malware to uninject an anti-virus hook dll, for example), uninjection is only allowed to be done by exactly the same exe which did the injection. "Exactly the same exe" means there's a hash/CRC of the exe done which is then compared to the hash of the exe which originally did the injection. So if you inject, then replace the injector with a different version, you cannot uninject, anymore. Maybe that's what happened here?
Tuxford
Posts: 8
Joined: Thu Sep 10, 2015 11:01 am

Re: When UninjectLibrary fails, any more info?

Post by Tuxford »

madshi wrote:For security reasons (we don't want malware to uninject an anti-virus hook dll, for example), uninjection is only allowed to be done by exactly the same exe which did the injection. "Exactly the same exe" means there's a hash/CRC of the exe done which is then compared to the hash of the exe which originally did the injection. So if you inject, then replace the injector with a different version, you cannot uninject, anymore. Maybe that's what happened here?

That's OK. I've already fixed the injector. If somebody kills the injector, this is not our problem.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: When UninjectLibrary fails, any more info?

Post by madshi »

FWIW, the injector process may be closed and restarted, that's not a problem, but the injector exe file is not allowed to change.
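
An application-side pre-flight check for the rule described in the last two replies by madshi (added example, not madCodeHook code and not posted by anyone in this thread): the injector stores a CRC of its own exe file after a successful injection and compares it before calling UninjectLibrary, so a replaced injector binary is reported as such instead of a bare FALSE. The function names, the record file and the use of CRC-32 are assumptions; the thread does not say which hash madCodeHook computes.

```cpp
// Added example: diagnostic wrapper logic, independent of madCodeHook's internal check.
#include <cstdint>
#include <fstream>
#include <string>

enum class UninjectPreflight { Ok, NoInjectionRecord, InjectorUnreadable, InjectorChanged };

// CRC-32 (reflected, polynomial 0xEDB88320) over the bytes of a file.
// Assumption: the thread only says "hash/CRC"; the real algorithm is not stated there.
bool fileCrc32(const std::string& path, std::uint32_t& out) {
    std::ifstream f(path, std::ios::binary);
    if (!f) return false;
    std::uint32_t crc = 0xFFFFFFFFu;
    char c;
    while (f.get(c)) {
        crc ^= static_cast<unsigned char>(c);
        for (int i = 0; i < 8; ++i)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    out = ~crc;
    return true;
}

// Call right after a successful InjectLibrary: remember which exe build injected.
bool recordInjectorIdentity(const std::string& exePath, const std::string& recordPath) {
    std::uint32_t crc = 0;
    if (!fileCrc32(exePath, crc)) return false;
    std::ofstream rec(recordPath, std::ios::trunc);
    rec << crc << '\n' << std::flush;
    return static_cast<bool>(rec);
}

// Call before UninjectLibrary: names the likely cause of a refusal up front.
UninjectPreflight checkBeforeUninject(const std::string& exePath, const std::string& recordPath) {
    std::ifstream rec(recordPath);
    std::uint32_t recorded = 0;
    if (!(rec >> recorded)) return UninjectPreflight::NoInjectionRecord;
    std::uint32_t current = 0;
    if (!fileCrc32(exePath, current)) return UninjectPreflight::InjectorUnreadable;
    // A restarted process with the same file still matches; a rebuilt or replaced exe does not.
    return current == recorded ? UninjectPreflight::Ok : UninjectPreflight::InjectorChanged;
}
```

Logging the InjectorChanged case next to the UninjectLibrary result separates "the injector exe was updated while hooks were still loaded" from driver or parameter problems.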