Black screen issue when "Fast Startup" is enabled.

Post by chaos072 » Mon Jan 29, 2018 2:01 am

I have an issue when injecting a dll into user processes.

When Windows 10's fast startup is enabled, a black screen is shown after turning on Windows.

1. My hooking application(.exe) is launched by a Windows Service application. That is to say my service process(exe) launches my hooking application(exe). So both processes are running in session 0.

2. Hooking application injects a dll into all 64bit user applications.

3. On "fast startup"-enabled Windows 10, shut down the computer. All user processes are closed, but processes running in session 0 survive the "shutdown" because of "fast startup". So my hooking application is not terminated in this sense.

4. Turn on the computer again. Now a black screen appears. You may need to repeat the shutdown/turn-on process several times to see this issue.

5. The test dll I injected into all user processes does nothing. Its DLL_PROCESS_ATTACH handler is empty. It just returns TRUE.

6. I've tested this issue on my two development computers. But I haven't tested it on a clean Windows system. So this issue might be caused by other conflicting applications installed on my computers.

7. I've tested this issue with madCodeHook v3.1.17 and v4.0.4, and got the same result.

8. To work around this issue, I've temporarily disabled "Fast Startup".
chaos072
 
Posts: 20
Joined: Wed Mar 20, 2013 2:22 am

Re: Black screen issue when "Fast Startup" is enabled.

Post by chaos072 » Tue Jan 30, 2018 4:53 am

Update:

The cause was C:\Windows\System32\dwm.exe.

This process is classified as a "user process" by MCH. When I exclude this process explicitly in InjectLibrary, the black screen does not appear.
chaos072
 
Posts: 20
Joined: Wed Mar 20, 2013 2:22 am

Re: Black screen issue when "Fast Startup" is enabled.

Post by madshi » Tue Jan 30, 2018 10:00 am

Hmmmm... Some questions:

1) In your step 3 you're *manually* shutting down the computer, I think? The shutdown is not an unintended result of your hooking application trying to inject, right?
2) If your process survives the "shutdown", does that mean you're not doing another "InjectLibrary" call when the OS boots the next time?
3) If you do call InjectLibrary when the problem occurs, is DWM already running in the moment when you call InjectLibrary?
4) What other DLLs does your empty hook dll statically link to?
5) Does your hook dll have any manifests assigned to it?
6) Does your hook dll have a specific image base address?
7) Does adding read & execute rights for "Everyone" to your hook dll change anything?
8) Does your hook dll still include the madCodeHook static lib file? What happens if you remove that?

One thing maybe worth trying is this: Use the hook dlls from the PrintMonitor demo instead of your own hook dll, to make sure the issue is not specific to your hook dll:

http://madshi.net/PrintMonitor.zip

I know, an "empty" hook dll sounds like it could produce no problems. But actually, it can, if it has a weird image base address, or none at all, or if it statically links to other weird dlls, or if it has a manifest, or [...].
madshi
Site Admin
 
Posts: 9650
Joined: Sun Mar 21, 2004 5:25 pm

Re: Black screen issue when "Fast Startup" is enabled.

Post by chaos072 » Thu Feb 01, 2018 5:12 am

1) Yes, I mean shutting down the computer by clicking Windows start button -> shutdown menu.
2) Yes, the hooking application is restored from hibernated state to running state again. So its process ID is not changed and I'm not calling InjectLibrary() again.
3) I've not tried that.

My dll(which is injected into all user processes) was statically linked to madCodeHook lib. So I will test it further and let you know the result soon.
chaos072
 
Posts: 20
Joined: Wed Mar 20, 2013 2:22 am

Re: Black screen issue when "Fast Startup" is enabled.

Post by chaos072 » Thu Feb 01, 2018 7:17 am

After removing all statically linked libs (including madCodeHook lib), unused headers and c/c++ files from the dll, the black screen issue never happens.

I'll find out what caused the problem and leave the result soon.
chaos072
 
Posts: 20
Joined: Wed Mar 20, 2013 2:22 am

Re: Black screen issue when "Fast Startup" is enabled.

Post by madshi » Thu Feb 01, 2018 9:18 am

Good to hear. The result of your tests could be quite interesting!
madshi
Site Admin
 
Posts: 9650
Joined: Sun Mar 21, 2004 5:25 pm

Re: Black screen issue when "Fast Startup" is enabled.

Post by chaos072 » Fri Feb 02, 2018 3:55 pm

Here's what I've found out so far.

"Shell32.dll" causes dwm.exe to malfunction for some reason.

If my hook dll is statically dependent on Shell32.dll, then when my hook dll is injected into dwm.exe, Shell32.dll is loaded automatically and the black screen issue I mentioned occurs.

So if I change my hook dll to load Shell32.dll dynamically by calling LoadLibrary()/FreeLibrary(), the same problem occurs. It doesn't help.

I'm loading Shell32.dll to call SHGetFolderPath(). But the black screen issue occurs when Shell32.dll is loaded into dwm.exe. It doesn't matter whether I call SHGetFolderPath() or not.

For your information, dwm.exe is restarted every time the computer is restarted. It's not hibernated.

To reproduce this issue, just call the following functions in the DLL's DLL_PROCESS_ATTACH handler.

HMODULE hShell32Dll = LoadLibrary(L"Shell32.dll");
FreeLibrary(hShell32Dll);

And repeat the shutdown/turn-on process several times on a "Fast Startup"-enabled Windows 10 machine.

Maybe this issue is related to some other applications installed on my computer. But I'm not sure.
chaos072
 
Posts: 20
Joined: Wed Mar 20, 2013 2:22 am

Re: Black screen issue when "Fast Startup" is enabled.

Post by madshi » Fri Feb 02, 2018 4:00 pm

Well, there's a reason why I have hooking rule 4:

http://help.madshi.net/HookingRules.htm

I'd really recommend that you try to get along with kernel32.dll and ntdll.dll, only. If necessary advapi32.dll and maybe user32.dll, but I'd avoid the other dlls, if you can.

If shell32.dll makes trouble for DWM.exe, then that's not madCodeHook's fault. I can't magically fix whatever problem DWM.exe might have with shell32.dll.

You could try disassembling SHGetFolderPath(). It probably calls some native (ntdll.dll) APIs internally, probably some RtlXxx string API. So you can avoid linking in shell32.dll by directly calling the underlying RtlXxx API instead.
madshi
Site Admin
 
Posts: 9650
Joined: Sun Mar 21, 2004 5:25 pm
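
An added example, not part of the thread or of madCodeHook: a build-time audit that reads a hook DLL's PE import directory and reports any statically imported DLL outside the short list recommended in the post above. The allow-list contents, the function names and the constructed sample image are assumptions for illustration.

```python
import struct

# Allow-list taken from the advice in this thread; an assumption to adjust per build.
ALLOWED = {"kernel32.dll", "ntdll.dll", "advapi32.dll", "user32.dll"}

def static_imports(pe):
    """Return the lower-cased DLL names listed in the PE import directory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt, = struct.unpack_from("<I", pe, 0x3C)            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                       # optional header start
    dirs = opt + (112 if pe[opt:opt + 2] == b"\x0b\x02" else 96)  # PE32+ / PE32
    imp_rva, = struct.unpack_from("<I", pe, dirs + 8)   # data directory entry 1
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]
    def off(rva):                                       # RVA -> file offset
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA 0x%x is outside every section" % rva)
    names, d = [], off(imp_rva) if imp_rva else None
    while d is not None and (name_rva := struct.unpack_from("<I", pe, d + 12)[0]):
        s = off(name_rva)                               # descriptor Name field
        names.append(pe[s:pe.index(b"\0", s)].decode("ascii").lower())
        d += 20                                         # next 20-byte descriptor
    return names

def disallowed(pe):
    return [n for n in static_imports(pe) if n not in ALLOWED]

def build_sample(dlls):
    """Constructed minimal PE32+ image: headers plus one import section."""
    va, raw, n = 0x1000, 0x200, len(dlls)
    body, pos = b"", va + 20 * (n + 1)
    for d in dlls:
        body += struct.pack("<5I", 0, 0, 0, pos, 0)     # only Name is filled in
        pos += len(d) + 1
    body += bytes(20) + b"".join(d.encode() + b"\0" for d in dlls)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<II", opt, 120, va, 20 * (n + 1)) # import directory
    hdr = (b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022) + opt
           + b".idata\0\0" + struct.pack("<4I", len(body), va, len(body), raw)
           + bytes(16))
    return hdr.ljust(raw, b"\0") + body
```

The audit reads only the import directory, so delay-load imports and run-time LoadLibrary() calls, such as the one tested earlier in this thread, are not reported.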

Re: Black screen issue when "Fast Startup" is enabled.

Post by iconic » Sat Feb 03, 2018 1:16 am

@Chaos072

Depending on the folder you're wanting the path for, maybe you can switch out the Shell API call for ExpandEnvironmentStrings/ExpandEnvironmentStringsForUser() from kernel32.dll

--Iconic
iconic
 
Posts: 823
Joined: Wed Jun 08, 2005 5:08 am

Re: Black screen issue when "Fast Startup" is enabled.

Post by chaos072 » Sat Feb 03, 2018 5:05 pm

I moved SHGetFolderPath() from hook dll to hook application(exe). And whenever hook dll needs to call SHGetFolderPath() it sends a request to hook application via MCH IPC.

And now everything works well.

Thank you madshi and iconic.
chaos072
 
Posts: 20
Joined: Wed Mar 20, 2013 2:22 am

