When UninjectLibrary fails, any more info?

Posted: Thu Dec 24, 2009 10:50 am
by JanDoggen
This code returns an error message with GetLastError 0.
That is not much info :?
Is there a way to get more info on what failed?

procedure UnInjectCoreDll;
var
  Res: Boolean;
begin
  Res := UninjectLibrary((ALL_SESSIONS{ or SYSTEM_PROCESSES}) and (not CURRENT_PROCESS), 'CORE.DLL');
  if not Res then
    LogError('UnInjectCoreDll', 'UninjectLibrary failed (CORE.DLL): ' + IntToStr(GetLastError), veError);
end;

Thanks
Jan

Posted: Wed Dec 30, 2009 11:10 am
by madshi
I have it on my to-do list to produce better error codes in case of failure. Right now there's no way you can ask madCodeHook for the exact error cause. You'll have to find out yourself.

Posted: Thu Dec 31, 2009 8:14 am
by JanDoggen
Hi Matthias

(1) But is the FALSE result of UninjectLibrary reliable?
(2) Any ideas how I could find out what is going on if it fails?

Thanks
Jan

Posted: Thu Dec 31, 2009 9:06 am
by madshi
1) I think so.
2) First step would be to collect more (much more) info. E.g. did injection work? When UninjectLibrary fails, is your hook dll then still loaded in all the processes? Is it the same EXE which is doing the injection and uninjection? Which user account does the EXE run in? Which OS? Does your EXE run with admin rights or not? Which exact InjectLibrary and UninjectLibrary calls are you doing? Etc...

Posted: Tue Oct 13, 2015 1:08 pm
by Tuxford
I have a similar problem with UninjectLibrary.

I do it in the destructor.
Code:
Initializer::~Initializer()
{
    for (const std::wstring& s : mLibs)
    {
        if (UninjectLibrary(mDriverId.c_str(), s.c_str(), ALL_SESSIONS, true) == FALSE)
        {
            // Capture the error code right away, before stream I/O can overwrite it.
            const DWORD err = GetLastError();
            std::wcout << L"Failed unloading " << mDriverId << " : " << s.c_str() << " : " << err << std::endl;
        }
    }

    // Stop the injection driver and release madCodeHook.
    std::cout << "Uninject result: " << StopInjectionDriver(mDriverId.c_str()) << std::endl;
    FinalizeMadCHook();
    std::cout << "Initializer::~Initializer()\n";
}


The result is below. The process is run with admin rights. Injection was successful.

Current dir: D:\Projects\cdev_common\Access\
Added dll AccessLib64.dll
Added dll AccessLib32.dll
Press 'Ctr+C to exit'
Failed unloading HookProcessCreationDemoDriver : D:\Projects\cdev_common\Access\
AccessLib64.dll : 31
Failed unloading HookProcessCreationDemoDriver : D:\Projects\cdev_common\Access\
AccessLib32.dll : 31
Uninject result: 1
Initializer::~Initializer()

Posted: Tue Oct 13, 2015 2:26 pm
by madshi
The error code 31 seems to be ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning".

Are you sure the driver is still running at that moment? And do your UninjectLibrary() parameters match *exactly* your InjectLibrary() parameters - all of them?

Posted: Thu Oct 15, 2015 7:54 am
by Tuxford
madshi wrote:
> The error code 31 seems to be ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning".
>
> Are you sure the driver is still running at that moment? And do your UninjectLibrary() parameters match *exactly* your InjectLibrary() parameters - all of them?

The driver worked at that time. The problem occurred because the previous version of the injector had failed. A reboot solved this problem. It seems that if the injector fails, the next instances of the injector behave somewhat strangely.

Posted: Thu Oct 15, 2015 8:32 am
by madshi
For security reasons (we don't want malware to uninject an anti-virus hook dll, for example), uninjection is only allowed to be done by exactly the same exe which did the injection. "Exactly the same exe" means there's a hash/CRC of the exe done which is then compared to the hash of the exe which originally did the injection. So if you inject, then replace the injector with a different version, you cannot uninject, anymore. Maybe that's what happened here?

Posted: Fri Oct 16, 2015 2:23 pm
by Tuxford
madshi wrote:
> For security reasons (we don't want malware to uninject an anti-virus hook dll, for example), uninjection is only allowed to be done by exactly the same exe which did the injection. "Exactly the same exe" means there's a hash/CRC of the exe done which is then compared to the hash of the exe which originally did the injection. So if you inject, then replace the injector with a different version, you cannot uninject, anymore. Maybe that's what happened here?

That's OK. I've already fixed the injector. If somebody kills the injector, this is not our problem.

Posted: Fri Oct 16, 2015 6:09 pm
by madshi
FWIW, the injector process may be closed and restarted, that's not a problem, but the injector exe file is not allowed to change.
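
The rule described in the last posts (the injector may be restarted, but its exe file must not change between injection and uninjection) can be checked before an update replaces the injector. The following is an added example, not code from the thread or from madCodeHook. CRC-32 is a stand-in because the thread does not say which hash/CRC the library uses, and `fileFingerprint`, `checkInjector` and the file name are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

// CRC-32 (reflected, polynomial 0xEDB88320). Stand-in only: the thread does not
// say which hash/CRC madCodeHook computes over the injector exe.
uint32_t crc32Of(const std::vector<unsigned char>& data) {
    uint32_t crc = 0xFFFFFFFFu;
    for (unsigned char b : data) {
        crc ^= b;
        for (int i = 0; i < 8; ++i)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

// Fingerprint a file on disk; returns false if it cannot be opened.
bool fileFingerprint(const std::string& path, uint32_t& out) {
    std::ifstream in(path.c_str(), std::ios::binary);
    if (!in) return false;
    std::vector<unsigned char> bytes((std::istreambuf_iterator<char>(in)),
                                     std::istreambuf_iterator<char>());
    out = crc32Of(bytes);
    return true;
}

enum class Preflight { Ok, InjectorChanged, InjectorMissing };

// Compare the injector exe as it is now with the fingerprint the application
// stored right after its InjectLibrary call succeeded (hypothetical bookkeeping).
Preflight checkInjector(const std::string& exePath, uint32_t recordedAtInject) {
    uint32_t now = 0;
    if (!fileFingerprint(exePath, now)) return Preflight::InjectorMissing;
    return now == recordedAtInject ? Preflight::Ok : Preflight::InjectorChanged;
}

int main() {
    const std::string exe = "injector_demo.bin";  // constructed stand-in for the injector exe
    { std::ofstream f(exe.c_str(), std::ios::binary); f << "injector build 1"; }
    uint32_t recorded = 0;
    fileFingerprint(exe, recorded);               // stored at injection time
    { std::ofstream f(exe.c_str(), std::ios::binary); f << "injector build 2"; }  // exe replaced
    if (checkInjector(exe, recorded) == Preflight::InjectorChanged)
        std::puts("Injector exe changed since injection: uninjection is expected to be refused.");
    std::remove(exe.c_str());
    return 0;
}
```

An updater that gets `InjectorChanged` or `InjectorMissing` knows the original exe is no longer in place; the safe order is to uninject with the original exe first and only then replace it.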