Uninjection problem (DLL ref count + AutoUnhookCounter)

c++ / delphi package - dll injection and api hooking
EaSy
Posts: 150
Joined: Tue Oct 23, 2012 12:33 pm

Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by EaSy »

Hi,
we found that if we inject a DLL into one process more than 10 times, we are not able to uninject the DLL anymore. This is because FreeLibrary is no longer called after 10 calls and AutoUnhookCounter is 0. So no more threads are able to uninject anything. It is also reproducible with your demos.

I propose raising the limit to 0xFFFF.

PP
EaSy

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by EaSy »

And also... that ExitThread is ugly.

PP
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by madshi »

Thanks, will have a look at this.

Why do you find the ExitThread ugly? This is *always* called from an injection remote thread created by madCodeHook, it's never called in any other situation. ExitThread is the fastest and cleanest way to close that remote thread without doing further processing.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by iconic »

Just adding to Madshi's last post, in some cases an explicit call to ExitThread is absolutely needed for "proper" thread closure. This is the case for native threads, which require a call to RtlExitUserThread (the native equivalent of the Win32 ExitThread) inside the thread's callback procedure. RtlCreateUserThread is an example of a native thread creation API which just wraps NtCreateThread(Ex).

--Iconic
madshi

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by madshi »

Test build available here:

http://madshi.net/madCollectionBeta.exe (2.7.11.7)
EaSy

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by EaSy »

Hi,
you forgot to update InjectThread with 0xFFFF as well.

PP
madshi

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by madshi »

I was a bit afraid of simply switching to 0xFFFF because I wasn't sure it would be the correct value on all OSes. But I think I found a nice solution. Try this build:

http://madshi.net/madCollectionBeta.exe (installer 2.7.12.2)

What do you think?
EaSy

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by EaSy »

Hi, I can't see any change in your code that is relevant to this issue.

Can you explain it a bit? Thx.

PP
madshi

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by madshi »

Stupid me. I modified the code in the WIP madCodeHook 4.0, but failed to copy it down to madCodeHook 3. Basically I've replaced this code:

Code:

dll.LoadCount := $ff;

with this:

Code:

if firstDll.LoadCount >= $ff then
  dll.LoadCount := firstDll.LoadCount
else
  dll.LoadCount := $ff;

The idea is that the first DLL in the list should be a statically linked DLL, so I simply use that DLL's load count value.
EaSy

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by EaSy »

Now the hooking DLL doesn't have its count changed by LoadLibrary/FreeLibrary anymore, because it will be considered static.

Will the behaviour be the same for both the 64-bit and 32-bit versions?
I thought that you modified load counts only in the 32-bit version.
madshi
Site Admin

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by madshi »

EaSy wrote: Now the hooking DLL doesn't have its count changed by LoadLibrary/FreeLibrary anymore, because it will be considered static.

Yes, that was the whole idea. I'm confused. Using 0xFFFF, as you suggested, should have the same effect, so why are you now seemingly not happy with this? Or am I misunderstanding you?

EaSy wrote: Will the behaviour be the same for both the 64-bit and 32-bit versions? I thought that you modified load counts only in the 32-bit version.

This is currently only done for 32-bit.
EaSy

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by EaSy »

Hi, sorry for the late reply.

I believe that if I call InjectDll more than 10 times on the process (which is possible in your demo, for example) it will call LoadLibrary more than 10 times. Once I call Uninject, it will disable the hooks and call FreeLibrary up to 10 times. But the DLL will stay loaded in the process, dormant. Later, if I call Uninject again, it will do nothing because AutoUnhookCounter blocks it, but the DLL is still in the process.

Am I right?

PP
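The residency problem EaSy describes above, and the "static load count" pinning madshi's fix relies on, can be reproduced outside madCodeHook. The following is an added example written for this page; it is not madCodeHook code and does not use its internals. The `sim_*` functions model the loader's per-module reference count as the thread describes it (a count that LoadLibrary raises, FreeLibrary lowers, and that the loader treats as pinned once it reaches the "static" value), and the uninject path is modelled as at most `AUTO_UNHOOK_MAX` FreeLibrary calls. On Windows the `win_*` part runs the real experiment with LoadLibrary/FreeLibrary, using the documented `GET_MODULE_HANDLE_EX_FLAG_PIN` as the stand-in for writing 0xFFFF into the loader entry. The constant names, the `_sim`/`win_` functions and the choice of `msftedit.dll` as a module that a console program does not normally have loaded are this example's own assumptions.

```c
/*
 * Added example (not madCodeHook code): a DLL injected N times via LoadLibrary
 * survives an uninject that calls FreeLibrary at most AUTO_UNHOOK_MAX times,
 * and a pinned ("static") module survives FreeLibrary altogether.
 */
#include <stdio.h>

#define AUTO_UNHOOK_MAX   10      /* assumption: FreeLibrary calls per uninject, per the thread */
#define STATIC_LOAD_COUNT 0xFFFF  /* assumption: loader's "statically linked / pinned" marker */

typedef struct {
    unsigned load_count; /* loader reference count for the module */
    int      mapped;     /* 1 while the image is in the process */
} module_sim;

/* LoadLibrary: map on first use, then bump the count unless it is pinned. */
void sim_load(module_sim *m) {
    if (!m->mapped) { m->mapped = 1; m->load_count = 0; }
    if (m->load_count < STATIC_LOAD_COUNT) m->load_count++;
}

/* FreeLibrary: a pinned module is never decremented and never unmapped. */
void sim_free(module_sim *m) {
    if (!m->mapped || m->load_count >= STATIC_LOAD_COUNT) return;
    if (--m->load_count == 0) m->mapped = 0;
}

/* Uninject as described in the thread: at most AUTO_UNHOOK_MAX FreeLibrary calls. */
void sim_uninject(module_sim *m) {
    for (int i = 0; i < AUTO_UNHOOK_MAX && m->mapped; i++) sim_free(m);
}

/* Inject `injections` times, optionally pin, uninject once; 1 if still mapped. */
int sim_stays_resident(unsigned injections, int pin) {
    module_sim m = {0, 0};
    for (unsigned i = 0; i < injections; i++) sim_load(&m);
    if (pin) m.load_count = STATIC_LOAD_COUNT;
    sim_uninject(&m);
    return m.mapped;
}

#ifdef _WIN32
#include <windows.h>

/* Real experiment: returns 1 if `dll` is still mapped after the uninject-style
   frees, 0 if it was unloaded, -1 if the DLL was already loaded by something
   else (then the result would say nothing). Pinned modules stay until exit. */
int win_stays_resident(const wchar_t *dll, unsigned injections, int pin) {
    if (GetModuleHandleW(dll) != NULL) return -1;
    HMODULE h = NULL;
    for (unsigned i = 0; i < injections; i++) h = LoadLibraryW(dll);
    if (h == NULL) return -1;
    if (pin) {
        HMODULE pinned;
        /* Documented way to make FreeLibrary a no-op for this module. */
        GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_PIN, dll, &pinned);
    }
    for (unsigned i = 0; i < AUTO_UNHOOK_MAX && GetModuleHandleW(dll); i++)
        FreeLibrary(h);
    int resident = GetModuleHandleW(dll) != NULL;
    /* Release the leftover references so the next experiment starts clean. */
    while (!pin && GetModuleHandleW(dll) != NULL) FreeLibrary(h);
    return resident;
}

int main(void) {
    const wchar_t *dll = L"msftedit.dll"; /* assumption: not preloaded here */
    printf("12 loads, %d frees, resident: %d\n", AUTO_UNHOOK_MAX, win_stays_resident(dll, 12, 0));
    printf(" 5 loads, %d frees, resident: %d\n", AUTO_UNHOOK_MAX, win_stays_resident(dll, 5, 0));
    printf(" 1 load, pinned,   resident: %d\n", win_stays_resident(dll, 1, 1));
    return 0;
}
#else
int main(void) {
    printf("model: 12 injections -> resident after uninject: %d\n", sim_stays_resident(12, 0));
    printf("model:  5 injections -> resident after uninject: %d\n", sim_stays_resident(5, 0));
    printf("model:  pinned       -> resident after uninject: %d\n", sim_stays_resident(1, 1));
    return 0;
}
#endif
```

The check a practitioner wants after an uninject is the `GetModuleHandleW(dll) != NULL` line: if it is still non-NULL, the hooks may be disabled but the image is still mapped, which is exactly the dormant-DLL state EaSy describes. Note that pinning (whether via the flag here or via a static load count in the loader entry) is one-way; a pinned module cannot be unloaded by FreeLibrary at all, so any later unload has to be done by other means.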
madshi
Site Admin

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by madshi »

Oh, I see now. You're looking at the C++ code, right? I've made the changes to the Delphi code, and I thought that would be enough because the Delphi code is compiled into the CInjectThread32 array which is then used by the C++ code. But I missed the fact that I'm doing that for 32-bit only, so I still have to change the C++ code to make the changes work in 64-bit, too. Sorry about that, I will do the same changes for the C++ code in the next build.
EaSy

Re: Uninjection problem (DLL ref count + AutoUnhookCounter)

Post by EaSy »

Great, thx.