Driver injection fails for the apps if launched via explorer

shibliseclore
Posts: 3
Joined: Mon Dec 30, 2019 7:50 am

Post by shibliseclore »

Hi,

We have been using the 3.1.13 Madshi driver for system-wide injection and recently upgraded to 3.1.18. After upgrading, the following is observed with one of our customers.

The driver does not get injected for applications which are launched on double-click (i.e. explorer.exe to AcroRd32.exe). E.g., it does not get injected in Adobe Reader if Adobe Reader is launched through double-click. (In Process Explorer we can see explorer.exe is the parent process of AcroRd32.exe.)
It works fine if Adobe is started through the command prompt (i.e. explorer.exe to cmd.exe to AcroRd32.exe).

With 3.1.13 everything works fine at the customer's end, in both of the above cases. But in our lab it works fine with both versions (3.1.13 & 3.1.18).

Customer is having this issue on multiple machines.

We have not been able to identify what could be causing this at the customer's end. Could you please throw some light on this? Thanks for the help.
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Re: Driver injection fails for the apps if launched via expl

Post by iconic »

Hello,

I can certainly try to reproduce this odd behavior on my end by downgrading MCH to v3.x and installing Acrobat in order to run some tests. A few quick questions for you: what OS version and Acrobat version is the customer using?

--Iconic
shibliseclore
Posts: 3
Joined: Mon Dec 30, 2019 7:50 am

Re: Driver injection fails for the apps if launched via expl

Post by shibliseclore »

Adobe Reader version is Adobe Reader DC. OS Name: Microsoft Windows 10 Enterprise, Version 10.0.17763, Build 17763.
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Re: Driver injection fails for the apps if launched via expl

Post by iconic »

Thanks. Is that Win 10 x64 or 32-bit?

--Iconic
shibliseclore
Posts: 3
Joined: Mon Dec 30, 2019 7:50 am

Re: Driver injection fails for the apps if launched via expl

Post by shibliseclore »

It is x64.
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Re: Driver injection fails for the apps if launched via expl

Post by iconic »

Hello,

I've downgraded from MCH 4.x to 3.1.8 and have Adobe Acrobat DC installed on a VM running Windows 10 x64 17763. Oddly enough, it's the same build I run my HLK tests on, so I already had it installed.
I'll run some tests today and report back. Thanks for the additional info.

--Iconic
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Re: Driver injection fails for the apps if launched via expl

Post by iconic »

> With 3.1.13 everything works fine at customer end, in both the above case. But in our lab it works fine with both version (3.1.13 &3.1.18).

My tests are complete; I share the same result as your lab. I didn't experience the issue whatsoever and duplicated the same OS environment, application of interest and MCH version. Perhaps there is something specific about the user's software profile causing conflict? Hard to say, merely speculating. Explorer, however, is a fine target for other hooking, especially for operations such as controlling shell actions (copy, move, rename, delete etc.), so it's possible there is some sort of application-level interference specifically with this process when creating child processes.

Again, merely speculation though.

--Iconic