ClipUp.exe error

c++ / delphi package - dll injection and api hooking
Post Reply
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

ClipUp.exe error

Post by dudul »

Hi,
I'm getting an error when the process "c:\windows\System32\ClipUp.exe" runs (the windows activation uses this process).
My dll skipped the hook when this runs, but I still get this error.
The error is ClipUp.exe error which refer to my hook dll (see the attached image).

Please advise.
Thank you in advance
Attachments
madshi.png
madshi.png (24.51 KiB) Viewed 14894 times
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Post by dudul »

Windows 10 PRO X64 - 1709
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: ClipUp.exe error

Post by madshi »

Which exact madCodeHook version are you using?

Does the same problem occur with the PrintMonitor demo (compiled and signed by me)?

http://madshi.net/PrintMonitor.zip
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Post by dudul »

I'm using madCodeHook 3.1.17 (I checked it with 3.1.16 too).

It happened with your PrintMonitor.zip too (see the attached image).
Attachments
madshi2.png
madshi2.png (27.82 KiB) Viewed 14889 times
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: ClipUp.exe error

Post by madshi »

Interesting. Hmmmm... Can you reproduce this on a clean VM? Or does it only happen on one specific PC?
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Post by dudul »

I can reproduce it easily, It happened on 4 out of 4 different Win 10 X64 Pcs (didn't try on X86 yet).
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: ClipUp.exe error

Post by madshi »

Ok, after some googling it seems that 0xc0000428 means "The digital signature for this file couldn't be verified". My best guess right now is that Microsoft only accepts DLLs to be loaded in ClipUp.exe which are signed by Microsoft. Does that make sense to you? I suppose one easy workaround would be to add "c:\windows\System32\ClipUp.exe" to the DLL injection exclusion list. Of course that's not nice at all, but I'm not sure what else we could do right now.

Any thoughts?
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Post by dudul »

I see, I tried it, but still get this error
Currently I'm checking at the beginning of the DllMain function if the current process is "c:\windows\System32\ClipUp.exe" and return true if so (if no continue with the hook process).

Is there other way to exclude the process?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: ClipUp.exe error

Post by madshi »

Yes! In the InjectLibrary() call there's a parameter where you can exclude specific processes from being injected.

(Please note that if you use this parameter, you also need to modify your UninjectLibrary() call in the same way.)
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Post by dudul »

Thanks, I'll try and update you asap
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: ClipUp.exe error

Post by dudul »

It works, thank you very much.

One more question about the uninject function:
Currently I'm using "UninjectAllLibrariesW" and pass it only the driver name.
Do I need to switch to "UninjectLibraryW" or can I keep use "UninjectAllLibrariesW"?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: ClipUp.exe error

Post by madshi »

That's fine, you can keep using UninjectAllLibrariesW.
Post Reply