When UninjectLibrary fails, any more info?
When UninjectLibrary fails, any more info?
This code returns an error message with GetLastError 0
That is not much info
Is there a way to get more info on what failed?
procedure UnInjectCoreDll;
var Res: Boolean;
begin
Res := UninjectLibrary((ALL_SESSIONS{ or SYSTEM_PROCESSES}) and (not CURRENT_PROCESS), 'CORE.DLL');
if not Res then
LogError('UnInjectCoreDll','UninjectLibrary failed (CORE.DLL): ' + IntToStr(GetLastError),veError);
end;
Thanks
Jan
That is not much info
Is there a way to get more info on what failed?
procedure UnInjectCoreDll;
var Res: Boolean;
begin
Res := UninjectLibrary((ALL_SESSIONS{ or SYSTEM_PROCESSES}) and (not CURRENT_PROCESS), 'CORE.DLL');
if not Res then
LogError('UnInjectCoreDll','UninjectLibrary failed (CORE.DLL): ' + IntToStr(GetLastError),veError);
end;
Thanks
Jan
1) I think so.
2) First step would be to collect more (much more) info. E.g. did injection work? When UninjectLibrary fails, is your hook dll then still loaded in all the processes? Is it the same EXE which is doing the injection and uninjection? Which user account does the EXE run in? Which OS? Does your EXE run with admin rights or not? Which exact InjectLibrary and UninjectLibrary calls are you doing? Etc...
2) First step would be to collect more (much more) info. E.g. did injection work? When UninjectLibrary fails, is your hook dll then still loaded in all the processes? Is it the same EXE which is doing the injection and uninjection? Which user account does the EXE run in? Which OS? Does your EXE run with admin rights or not? Which exact InjectLibrary and UninjectLibrary calls are you doing? Etc...
Re: When UninjectLibrary fails, any more info?
I have similar problem with UninjectLibrary.
I do it in deconstructor.
The result is below. Process is run with admin's rights. Injection was success.
I do it in deconstructor.
Code: Select all
Initializer::~Initializer()
{
for (const std::wstring& s : mLibs)
if (UninjectLibrary(mDriverId.c_str(), s.c_str(), ALL_SESSIONS, true) == FALSE)
std::wcout << L"Failed unloading " << mDriverId << " : " << s.c_str() << " : " << GetLastError() << std::endl;
std::cout << "Uninject result: " << StopInjectionDriver(mDriverId.c_str()) << std::endl;
FinalizeMadCHook();
std::cout << "Initializer::~Initializer()\n";
}
Current dir: D:\Projects\cdev_common\Access\
Added dll AccessLib64.dll
Added dll AccessLib32.dll
Press 'Ctr+C to exit'
Failed unloading HookProcessCreationDemoDriver : D:\Projects\cdev_common\Access\
AccessLib64.dll : 31
Failed unloading HookProcessCreationDemoDriver : D:\Projects\cdev_common\Access\
AccessLib32.dll : 31
Uninject result: 1
Initializer::~Initializer()
Re: When UninjectLibrary fails, any more info?
The error code 31 seems to be ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning".
Are you sure the driver is still running at that moment? And do your UninjectLibrary() parameters match *exactly* your InjectLibrary() parameters - all of them?
Are you sure the driver is still running at that moment? And do your UninjectLibrary() parameters match *exactly* your InjectLibrary() parameters - all of them?
Re: When UninjectLibrary fails, any more info?
Driver worked at that time. Problem occurred because previous version of injector was failed. Reboot solved this problem. It seems if injector failed, next instances of injector behaves some strangely.madshi wrote:The error code 31 seems to be ERROR_GEN_FAILURE, which means "A device attached to the system is not functioning".
Are you sure the driver is still running at that moment? And do your UninjectLibrary() parameters match *exactly* your InjectLibrary() parameters - all of them?
Re: When UninjectLibrary fails, any more info?
For security reasons (we don't want malware to uninject an anti-virus hook dll, for example), uninjection is only allowed to be done by exactly the same exe which did the injection. "Exactly the same exe" means there's a hash/CRC of the exe done which is then compared to the hash of the exe which originally did the injection. So if you inject, then replace the injector with a different version, you cannot uninject, anymore. Maybe that's what happened here?
Re: When UninjectLibrary fails, any more info?
That's ok. I've already injector fixed. If somebody kills injector this is not our problem.madshi wrote:For security reasons (we don't want malware to uninject an anti-virus hook dll, for example), uninjection is only allowed to be done by exactly the same exe which did the injection. "Exactly the same exe" means there's a hash/CRC of the exe done which is then compared to the hash of the exe which originally did the injection. So if you inject, then replace the injector with a different version, you cannot uninject, anymore. Maybe that's what happened here?
Re: When UninjectLibrary fails, any more info?
FWIW, the injector process may be closed and restarted, that's not a problem, but the injector exe file is not allowed to change.