InjectLibraryW cause BSOD

c++ / delphi package - dll injection and api hooking
Post Reply
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

InjectLibraryW cause BSOD

Post by pambol »

Hi, i'm with a problem. if i inject at all running processes on W7/XP generate a BSOD.
Here is the injection code.

Code: Select all

for i1 := 0 to high(pl) do
  begin
    if GetCurrentProcessID = pl[i1].id then Continue;
    if dNtSysCall.IsProtectedProcess(pl[i1].id) then Continue;

    hOpen := OpenProcess(PROCESS_ALL_ACCESS ,false , pl[i1].id);

    if Is64BitProcess(hOpen) then
    begin
      if not InjectLibraryW('PSGG64.dll', hOpen, 1) then
      begin
        Memo1.Lines.Add(Format('64 Process [%s] failed to inject', [pl[i1].exeFile]));
      end
      else
      begin
        Memo1.Lines.Add(Format('64 Process [%s] injetacted', [pl[i1].exeFile]));
      end;
    end
    else
    begin
      if not InjectLibraryW('PSGG32.dll', hOpen, 1) then
      begin
        Memo1.Lines.Add(Format('32 Process [%s] failed to inject', [pl[i1].exeFile]));
      end
      else
      begin
        Memo1.Lines.Add(Format('32 Process [%s] injetacted', [pl[i1].exeFile]));
      end;
    end;

    CloseHandle(hOpen);
  end;
I've tried a empty .dll like:

Code: Select all

library Project1;

uses
  System.SysUtils,
  System.Classes;

begin
end.
How i can solve that?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InjectLibraryW cause BSOD

Post by iconic »

Hi,

Which version of MCH are you currently using? Also, if the DLL is empty, no need to include SysUtils and Classes units (IIRC there is some heavy initialization sections)
MCH should be able to inject system-wide with an empty DLL without issues. In your case, process specific injection also should not have any such effect. System-wide
flags are better for this however come injection time, instead of injecting in a process loop like this.

*** Edit***
Looked at your code more closely, you're setting the injection timeout to 1 ms. I think you might mean 1000 ms (1 second) otherwise there is hardly any time to complete the real operation

Code: Select all

InjectLibrary(DLL_PATH, hProcess, 1000); // for 1 second timeout
Default timeout is 7 seconds, by the way (3rd param is 7000 by default). It's best if you don't adjust this parameter or at least use seconds instead of milliseconds. Might not make a difference
however the calling isn't right with "1" as the 3rd parameter. Try InjectLibraryW(DLL, hProcess); and leave the default parameters in place, does this make a difference?

Also, a tip, lose PROCESS_ALL_ACCESS and use MAXIMUM_ALLOWED access mask instead

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibraryW cause BSOD

Post by madshi »

Agree with iconic: I would recommend not to include SysUtils and Classes. If you need a couple of functions from SysUtils/Classes, just copy & paste them into your hook dll dpr file instead.

Some system processes like to create an BSOD if you call any GUI APIs in them, like FindWindow, PostMessage etc. I'm not sure what SysUtils & Classes do in their initialization section. Will probably also depend on which Delphi version you're using.

(The InjectLibrary timeout value should in theory not harm, because injection is done by remote threads, which are written to work by themselves.)
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InjectLibraryW cause BSOD

Post by iconic »

Yes, Madshi is 100% correct, non-interactive processes (mostly session 0 services or critical process like CSRSS or Winlogon) do not like anything "UI" among other things. The timeout comment I made was due to you confusing seconds with milliseconds, just so you're aware. You have to write your DLL code delicately. But, an empty DLL should not BSOD with madCodeHook in general. I've never heard of such a case with including the Windows unit only, for example. Something seems off in that case...

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibraryW cause BSOD

Post by madshi »

One thing I'm a bit scared of myself is what newer Delphi versions might be doing "secretly" in a dll's initialization. Which is why I personally like to use Delphi 7 for win32 hook dlls. I know Delphi 7 does nothing harmful. Sadly, Delphi 7 doesn't support 64bit dlls, so there's no way to avoid using a newer Delphi version for 64bit. I've actually switched over to MSVC++, but only for hook dlls. For EXEs I still prefer Delphi by a long shot, because it's *SO* much easier to develop GUIs with, and I simply like the language, and the fast compiler etc...
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InjectLibraryW cause BSOD

Post by iconic »

Delphi 10.x now has MUCH slower compile times, among many other things I've noticed. My go-to is XE2 for 64-bit and 32-bit apps, but Delphi 7 was my favorite, too bad it didn't support 64-bit compilation

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibraryW cause BSOD

Post by madshi »

Ouch, didn't know that Delphi 10.x compiles slower. Any idea why?

Yes, XE2 is probably the safest choice for 64bit. And yes, Delphi 7 is also my favorite. Still using it a lot today.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InjectLibraryW cause BSOD

Post by iconic »

That's an email answer =] Yes, MUCH slower, have benches showing it. Very disappointed with that fact. 3/4x actually compiler speed loss. Then again, the trading hands of the company (now Idera?) is a lot over the years.
Delphi will forever be my favorite, along with the inline assembly support. I only use c when I need to :D I recently saw a video showing a modern Delphi compiler compiling 1 million lines in 5 seconds. Not
too bad, in c/c++ that would take an eternity. IIRC the video was also in VM, so that's more like 3 seconds

https://community.idera.com/developer-t ... ith-delphi

--Iconic
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibraryW cause BSOD

Post by madshi »

Yeah, in MSVC++ sometimes even loading a project (and the IDE parsing all the header files etc) can take an eternity...
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InjectLibraryW cause BSOD

Post by iconic »

It's why we're Delphi coders. We know better :wink:

Back on topic, Pambol please try the above suggestions and let us know the result please.
Your Delphi version used can also be important to us, so please let us know.

--Iconic
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: InjectLibraryW cause BSOD

Post by pambol »

Tested all solutions posted here and the BSOD still.
maybe is the version of MCH who i use madCollection 4.0.0.2.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibraryW cause BSOD

Post by madshi »

Please try updating to the latest madCodeHook build, maybe that helps?
pambol
Posts: 50
Joined: Sat Jun 23, 2018 1:15 am

Re: InjectLibraryW cause BSOD

Post by pambol »

tried update and at IDE say "[dcc64 Fatal Error] Unit1.pas(7): F2613 Unit 'MadCodeHook' not found."
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: InjectLibraryW cause BSOD

Post by madshi »

Maybe your subscription has run out? I guess you could try madCodeHook v3, that one doesn't ever run out.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InjectLibraryW cause BSOD

Post by iconic »

Update via Email:

This issue was solved by the user by not including unnecessary included files, which I had asked him to eliminate originally...

"solved disabling //, SysUtils{$ENDIF}, SysUtils;//, Forms, Dialogs;"

Case solved. Not directly related to MCH in any way (injection, hooking or other)

--Iconic
Post Reply