Windows XP - Injection doesn't work

c++ / delphi package - dll injection and api hooking
jgh0721
Posts: 25
Joined: Tue Apr 22, 2014 8:06 am

Windows XP - Injection doesn't work

Post by jgh0721 »

Recently, when we tried injection on Windows XP using MadCodeHook, we confirmed that injection fails with very high probability.

OS: Windows XP SP3
MCH: madCollection 2.8.8.9 (beta)

Symptom 1: It is not injected into the processes already in place, but then injected into the processes that are executed (though, irregularly failed).
=> For example, firefox.exe: failed, notepad+.exe: succeeded, conemu.exe: succeeded

Symptom 2: No injections to the processes already in place, and little injections to the processes that are subsequently executed

The DLL/SYS file used was attached to a link; driver name => iMonLOPE1021

p.s: There has been no official update for a year, is there an update schedule?

https://drive.google.com/file/d/1YtblZG ... sp=sharing
iconic
Site Admin
Posts: 975
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows XP - Injection doesn't work

Post by iconic »

Hello,

What flags are you using for InjectLibrary()?

—Iconic
jgh0721
Posts: 25
Joined: Tue Apr 22, 2014 8:06 am

Re: Windows XP - Injection doesn't work

Post by jgh0721 »

I use the options below:

all session
system process include
running process include injection
no include mask
some exclude mask( smss.exe wininit.exe etc.... )
iconic
Site Admin
Posts: 975
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows XP - Injection doesn't work

Post by iconic »

This is only happening on XP? Have you tested above XP?

—Iconic
madshi
Site Admin
Posts: 10339
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows XP - Injection doesn't work

Post by madshi »

There's going to be a new update pretty soon, but there are no changes planned for XP atm. Nobody else reported injection problems on XP so far, from what I recall.

Please try giving "Everyone" NTFS read&execute rights to the hook dll, just as a quick test.
jgh0721
Posts: 25
Joined: Tue Apr 22, 2014 8:06 am

Re: Windows XP - Injection doesn't work

Post by jgh0721 »

Yes, this is only on Windows XP.

Vista ~ Windows 10 works well (both x86 and x64).

Below are the options which I use:

isInjectToSystemProcesses = true
ispermanent = false
isinjectometroapps = true
isuseIATPatching = false
isSystemWide = true
IncludeMask = *
ExcludeMask = GetModuleList-x64.exe|iMonLope_SVC.exe|*\windows\incops3\ictray64.exe|iMonLope_UI-DBG.exe|*\windows\incops3\icdi.exe|*\windows\incops3\icdcmgr64.exe|*\windows\incops3\incops3.exe|iMonTerminator.exe|*\windows\incops3\icdi64.exe|GetActiveXInfos-x64.exe|*\windows\incops3\icdcmgr.exe|*\windows\incops3\ictray.exe|xcacls.exe|iMonInjector-x86.exe|iMonLope_UI.exe|iMonInjector-x64.exe|*\windows\incops3\ictrigger64.exe|*\windows\incops3\ictrigger.exe|*\windows\incops3\esshmwow.exe|*\windows\incops3\incops364.exe|*\windows\incops3\icview.exe|
iconic
Site Admin
Posts: 975
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows XP - Injection doesn't work

Post by iconic »

Thanks for the additional info. If you have some time can you try clearing the include and exclude masks, simply don’t set them at all. I’m curious to see if without inclusions and exclusions if your problem disappears. Thanks

—Iconic
jgh0721
Posts: 25
Joined: Tue Apr 22, 2014 8:06 am

Re: Windows XP - Injection doesn't work

Post by jgh0721 »

And, I test with any setting include mask / excludemask on Windows XP.

And same result. :-(
iconic
Site Admin
Posts: 975
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows XP - Injection doesn't work

Post by iconic »

Ok,

I'll attempt to reproduce the issue this weekend and will get back with you as soon as possible. Which version of MCH are you using and also what language (c++ or Delphi)?

--Iconic
jgh0721
Posts: 25
Joined: Tue Apr 22, 2014 8:06 am

Re: Windows XP - Injection doesn't work

Post by jgh0721 »

I use MSVC 2015 with Update 3 (C++), and MCH 4.1.2+ (MCH beta, madCollection 2.8.8.9, because of approvalcallback)
iconic
Site Admin
Posts: 975
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows XP - Injection doesn't work

Post by iconic »

Hello,

I had some time today to run the XP test with MCH system-wide injection and everything worked as expected here. I used the exact same OS version, madCollection beta version as well as MSVC version (2015 Community Edition). Already running processes were properly injected and any newly created processes were also injected just fine for me. I ran the following series of tests:

[1] Regular injection (no approval callback)

[2] IAT injection (no approval callback)

[3] Regular injection + Approval callback

[4] IAT injection + Approval callback

Can you please upload and link us to a complete vcproj that you've created?
XP_SYSTEMWIDE_TEST.PNG
--Iconic