madshi.net

by **dudul** » Tue Mar 20, 2018 1:37 pm

Hi,
I'm getting an error when the process "c:\windows\System32\ClipUp.exe" runs (the windows activation uses this process).
My dll skipped the hook when this runs, but I still get this error.
The error is ClipUp.exe error which refer to my hook dll (see the attached image).

Please advise.
Thank you in advance

by **dudul** » Tue Mar 20, 2018 1:49 pm

Windows 10 PRO X64 - 1709

by **madshi** » Tue Mar 20, 2018 1:51 pm

Which exact madCodeHook version are you using?

Does the same problem occur with the PrintMonitor demo (compiled and signed by me)?

http://madshi.net/PrintMonitor.zip

by **dudul** » Tue Mar 20, 2018 2:38 pm

I'm using madCodeHook 3.1.17 (I checked it with 3.1.16 too).

It happened with your PrintMonitor.zip too (see the attached image).

by **madshi** » Tue Mar 20, 2018 2:42 pm

Interesting. Hmmmm... Can you reproduce this on a clean VM? Or does it only happen on one specific PC?

by **dudul** » Tue Mar 20, 2018 2:48 pm

I can reproduce it easily, It happened on 4 out of 4 different Win 10 X64 Pcs (didn't try on X86 yet).

by **madshi** » Tue Mar 20, 2018 2:53 pm

Ok, after some googling it seems that 0xc0000428 means "The digital signature for this file couldn't be verified". My best guess right now is that Microsoft only accepts DLLs to be loaded in ClipUp.exe which are signed by Microsoft. Does that make sense to you? I suppose one easy workaround would be to add "c:\windows\System32\ClipUp.exe" to the DLL injection exclusion list. Of course that's not nice at all, but I'm not sure what else we could do right now.

Any thoughts?

by **dudul** » Tue Mar 20, 2018 3:07 pm

I see, I tried it, but still get this error
Currently I'm checking at the beginning of the DllMain function if the current process is "c:\windows\System32\ClipUp.exe" and return true if so (if no continue with the hook process).

Is there other way to exclude the process?

by **madshi** » Tue Mar 20, 2018 3:08 pm

Yes! In the InjectLibrary() call there's a parameter where you can exclude specific processes from being injected.

(Please note that if you use this parameter, you also need to modify your UninjectLibrary() call in the same way.)

by **dudul** » Tue Mar 20, 2018 3:20 pm

Thanks, I'll try and update you asap

by **dudul** » Tue Mar 20, 2018 4:07 pm

It works, thank you very much.

One more question about the uninject function:
Currently I'm using "UninjectAllLibrariesW" and pass it only the driver name.
Do I need to switch to "UninjectLibraryW" or can I keep use "UninjectAllLibrariesW"?

by **madshi** » Tue Mar 20, 2018 4:36 pm

That's fine, you can keep using UninjectAllLibrariesW.

madshi.net

ClipUp.exe error

ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Re: ClipUp.exe error

Who is online