InjectLibrary failed on microsoft windows server 2003

c++ / delphi package - dll injection and api hooking
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: InjectLibrary failed on microsoft windows server 2003

Post by ameetmalekar »

Hi,

Here I am summarizing the scenario.
I am trying to inject a simple dll in internet explorer. The VM is Windows server 2003 standard edition service pack 2 and I am trying through RDP. The target application (internet explorer) is running on RDP session.
It is getting successfully injected through an exe which is running on same session. But the injection fails if dll is injected through service mode exe. Here the injector service is installed and running from main session (not RDP) and target application (internet explorer) is running on RDP session.

Thanks,
Ameet
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by madshi »

Sorry for the lack of replying. Will have a look at that ASAP and let you know...
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by madshi »

Ok, I've tried again like this:

(1) Started VM, logged in directly (no RDP), user "Administrator", with full admin rights and member of "remote desktop users" group.
(2) Started Internet Explorer.
(3) Started Process Explorer to watch the dlls loaded in the Internet Explorer.

(4) Started mstsc, connected to VM via RDP, logged in as "Adminstrator" another time.
(5) In RDP session: Installed a little service, which does nothing but InjectLibrary(InternetExplorerProcessHandle, empty.dll) in its service proc.
(6) In original session: Checked Process Explorer to see if injection succeeded.

Everything works fine here. The empty dll is injected into the Internet Explorer of the original VM session (no RDP) successfully, by the service installed in the RDP session.

If you want me to find out what is going on, I need to be able to reproduce the problem. If I can't reproduce it, there's nothing I can do. Maybe you want to try giving me an exact and very detailed step-by-step guide to reproduce the problem. I can't read your mind what exact steps you're taking to reproduce the problem, and based on the limited amount of information I have, I'm not able to reproduce the problem.
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: InjectLibrary failed on microsoft windows server 2003

Post by ameetmalekar »

Thanks for the reply,

What you are doing is exactly opposite. That is, running service on remote session and target process on main session.

Here in below description I will use the term “main session” for VM without RDP. And will use the term “remote session” for the RDP session taken by mstsc of the VM.

Below is step by steps description of what we are doing.
  1. Started VM, logged in directly on main session (no RDP), user "Administrator", with full admin rights and member of "remote desktop users" group.
    Started Internet Explorer 8(IE) on main session
    Added PID of IE process manually in your given code. Service is installed and run on main session. The service has InjectLibrary function.
    It Works Fine.
    Closed Internet Explorer from main session.
    Now, Stopped the service from main session.

    Now took RDP of the VM. At this time actual VM is also running without lock. So RDP gives a new session of 2003 server. We call this new RDP session as remote session.
    Then started IE at remote session. Note down pid of IE.
    Now at main session added PID of IE Process (running on remote session) in your given service code(and compiled). Installed and ran service on main session (no RDP).
    It is not working.
    So whenever I try to inject a library into a process running on remote session by a process(Service mode) running on main session, it is not able to inject.
We also observed that it is not working if we run both the target process and injector(Service mode) on remote session.
jmpc
Posts: 4
Joined: Tue Oct 08, 2013 12:08 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by jmpc »

Hello All.

Did you find a solution for this issue? I'm experiencing the same problem. I have a service running under system account that sometimes injects a dll into processes running under different accounts. Injection works OK for processes running under a different session if the user is NOT logged through RDP, but it fails if the (same) user is logged through RDP.

Thank you.
ameetmalekar
Posts: 29
Joined: Thu Feb 16, 2012 5:12 am

Re: InjectLibrary failed on microsoft windows server 2003

Post by ameetmalekar »

Not yet :(
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by madshi »

Sorry for the very late reply, once again.

I've just tried to reproduce the problem again, accordingly to the latest info, but still can't.

(1) Started clean Windows 2003 Server SP2 VM, logged in directly (no RDP), user "Administrator", with full admin rights and member of "remote desktop users" group.
(2) Started mstsc, connected to VM via RDP, logged in as "Adminstrator" another time.
(3) In RDP session: Started Internet Explorer.
(4) In main session: Installed a little service, which does nothing but InjectLibrary(InternetExplorerProcessHandle, empty.dll) in its service proc.
(5) In main session: Started Process Explorer to see if injection succeeded.

Injection works just fine here. Here's the exact project I've been testing with:

http://madshi.net/InjectService.rar
jmpc
Posts: 4
Joined: Tue Oct 08, 2013 12:08 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by jmpc »

Thank you for your answer, madshi.

I can't download your code because the link seems to be broken and produces a 404 Not Found error.
Could you please fix it so we can test it in our enviroments?
In main session: Installed a little service, which does nothing but InjectLibrary(InternetExplorerProcessHandle, empty.dll) in its service proc.
Is the service running under 'Administrator' account or under 'SYSTEM' account? In my case, it's the second one and that's the scenario where the error happens.

To reproduce it, I don't even need to register a service. I created a simple executable that injects a dll into a running process, passing the dll path and the process id as parameters, and ran it under SYSTEM account using the Microsoft PsExec utility from SysInternals:

Code: Select all

c:\PSTools\PsExec.exe -s c:\PSTools\inject_dll.exe c:\PSTools\empty_dll.dll <pid>
Adding -s parameter executes the process under SYSTEM account.
Inject_dll.exe simply opens the specified process and injects the dll passed as parameter through a call to InjectLibrary.
empty_dll.dll is an empty dll that only returns TRUE on DllMain routine.

I hope this helps.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by madshi »

Sorry, uploaded the file to the wrong folder. The link should work now.
jmpc
Posts: 4
Joined: Tue Oct 08, 2013 12:08 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by jmpc »

madshi wrote:Sorry, uploaded the file to the wrong folder. The link should work now.
Thank you so much madshi.
Your example works OK for me. Also, I'm able to inject your empty.dll into a RDP process from SYSTEM account using my injection executable, so the problem seems to be in my dll. I need to investigate further...

Thank you very much.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by madshi »

Please keep us posted about what you find. It might be helpful for other madCodeHook users!
jmpc
Posts: 4
Joined: Tue Oct 08, 2013 12:08 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by jmpc »

Setting "Enable String Pooling" to "Yes" (/GF) in my empty dll project made injection work, I have no idea why.
Tried the exact same thing with a bigger dll (~500k) that hooks some gdi API and it worked as well.
But in a more complex dll (~12MB) , where I hook multiple Windows API functions and program specific code, it did not solve the problem.
I'll let you know if I find a solution.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibrary failed on microsoft windows server 2003

Post by madshi »

Make sure you disable the manifest and set a proper image base address for the hook dll.
Post Reply