Comments (16)
Thanks for the explanation. I understand it now. I will read the readme again to see that I did not miss anything.
Thank you again for the fast response!
Have a good day!
from injdrv.
What value of ForceUserApc do you use?
from injdrv.
injlib.c: CapturedInjectionInfo->ForceUserApc = TRUE;
from injdrv.
Please, try setting it to FALSE and report back if it solved the problem.
from injdrv.
It works!
Thanks a lot!
What does it mean changing it to FALSE?
from injdrv.
It's explained in the README.md
The DLL is injected right after NTDLL, and since OutputDebugString is kernel32.dll function, it fails. The injection (as you probably know) works by queuing user-mode APC from the driver. The ForceUserApc controls WHEN this APC is actually triggered (executed).
ForceUserApc = TRUE means that the APC is executed on next transition from kernel-mode to user-mode.
ForceUserApc = FALSE means that the APC is executed before entry-point in the EXE is executed (at that point, usually all DLLs are loaded). The APC is triggered "naturally" by NtTestAlert in the NTDLL itself.
from injdrv.
Read the whole readme, it's all explained there. If you still don't understand, then shoot a question :)
from injdrv.
One more question.
I just noticed that it does not inject the DLL (injdllx86.dll) to 32 bit processes.
I'm running on x64 Windows 7 machine.
I see that it sees the new 32 bit processes with a success message, but the DLL is not loaded?
[injlib]: Injecting (PID: 1152, Wow64: TRUE, Name: 'MobaXterm.exe')
[injlib]: InjpQueueApc successfull
[injlib]: Mark process: 1152 is injected
Am I missing something?
Do I need to change something to allow loading x86 DLL?
from injdrv.
Does it inject x64 DLL instead? What is your injection method? (Settings.Method)
On x64 it is by default InjMethodThunkless, which means it injects x64 DLL even into x86 processes. Use InjMethodThunk if you want to inject x86 processes with x86 DLL (again, it's all in the readme :)
from injdrv.
No, it does not inject anything.
#if defined (_M_IX86)
Settings.Method = InjMethodThunk;
#elif defined (_M_AMD64)
Settings.Method = InjMethodThunkless;
#elif defined (_M_ARM64)
Settings.Method = InjMethodWow64LogReparse;
#endif
Settings.Method = InjMethodThunk; on x86
from injdrv.
The driver is compiled for x64, though, isn't it? Or are you trying it on Win7 x86?
from injdrv.
The driver is compiled for x64. I'm running it on x64 Windows 7 machine
from injdrv.
[injlib]: Current system is Windows 7
[injlib]: InjMethod: 'InjMethodThunkLess'
from injdrv.
...then this branch applies: #elif defined (_M_AMD64)
Try to replace InjMethodThunkless with InjMethodThunk there.
from injdrv.
Works like a champ!
from injdrv.
Hi,
I got BSOD on Windows 10.
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff802bc932524, Address of the instruction which caused the bugcheck
Arg3: ffffe08f1ba66ae0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
FAULTING_IP:
injdrv+2524
fffff802`bc932524 48394110 cmp qword ptr [rcx+10h],rax
MODULE_NAME: injdrv
IMAGE_NAME: injdrv.sys
This is the callstack:
0: kd> kp
Child-SP           RetAddr            Call Site
00 ffffe08f`1ba66208 fffff802`bd45b669 nt!KeBugCheckEx
01 ffffe08f`1ba66210 fffff802`bd45abbc nt!KiBugCheckDispatch+0x69
02 ffffe08f`1ba66350 fffff802`bd4533ad nt!KiSystemServiceHandler+0x7c
03 ffffe08f`1ba66390 fffff802`bd35b126 nt!RtlpExecuteHandlerForException+0xd
04 ffffe08f`1ba663c0 fffff802`bd35cc23 nt!RtlDispatchException+0x416
05 ffffe08f`1ba66ab0 fffff802`bd45b742 nt!KiDispatchException+0x1f3
06 ffffe08f`1ba67160 fffff802`bd4582c5 nt!KiExceptionDispatch+0xc2
07 ffffe08f`1ba67340 fffff802`bc932524 nt!KiPageFault+0x405
*** WARNING: Unable to verify timestamp for injdrv.sys
08 ffffe08f`1ba674d0 fffff802`bc9327f3 injdrv!InjFindInjectionInfo(void * ProcessId = 0x00000000000020ac)+0x34 [c:\working\injdrv\injlib.c @ 1093]
09 ffffe08f`1ba674f0 fffff802`bd7f2efe injdrv!InjLoadImageNotifyRoutine(struct _UNICODE_STRING * FullImageName = 0xffff9188`9adea688 "\Windows\System32\msvcrt.dll", void * ProcessId = 0x00000000000020ac, struct _IMAGE_INFO * ImageInfo = 0xffffe08f`1ba676c0)+0x23 [c:\working\injdrv\injlib.c @ 1340]
0a ffffe08f`1ba675b0 fffff802`bd7f19f4 nt!PsCallImageNotifyRoutines+0x12e
0b ffffe08f`1ba67610 fffff802`bd7a1721 nt!MiMapViewOfImageSection+0x734
0c ffffe08f`1ba67790 fffff802`bd7a0e7b nt!MiMapViewOfSection+0x3c1
0d ffffe08f`1ba678e0 fffff802`bd45b143 nt!NtMapViewOfSection+0x12b
0e ffffe08f`1ba67a10 00007ff9`f867aea4 nt!KiSystemServiceCopyEnd+0x13
0f 00000070`e8c7e6e8 00000000`00000000 0x00007ff9`f867aea4
Checking the source code I found that it is in:
PINJ_INJECTION_INFO
NTAPI
InjFindInjectionInfo(
    _In_ HANDLE ProcessId
    )
{
    //
    // Walk the global list of injection records and return the one
    // registered for ProcessId, or NULL if there is none.
    //
    PLIST_ENTRY NextEntry = InjInfoListHead.Flink;
    while (NextEntry != &InjInfoListHead)
    {
        PINJ_INJECTION_INFO InjectionInfo = CONTAINING_RECORD(NextEntry,
                                                              INJ_INJECTION_INFO,
                                                              ListEntry);
        if (InjectionInfo->ProcessId == ProcessId)
        {
            return InjectionInfo;
        }
        NextEntry = NextEntry->Flink;
    }
    return NULL;
}
It only happened once.
What could be the cause of the problem?
Maybe it's a page fault inside the function, on memory that should not be paged?
from injdrv.
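To make the crashing lookup easier to reason about, here is an added user-mode C model of the same LIST_ENTRY / CONTAINING_RECORD traversal (example code written for this page, not injdrv's own source). The type and function names (INJ_INFO, InfoListHead, FindInfo, RunListDemo, ProcessIdOffset) are hypothetical, the records are constructed in the demo, and the record layout (ListEntry first, ProcessId right after it) is an assumption about injdrv that the example makes explicit: with that layout ProcessId sits 16 bytes into the record on x64, which is the displacement a compare like `cmp qword ptr [rcx+10h], rax` would read. The removal routine poisons the unlinked entry's links, so a walk that still holds a stale pointer faults at once instead of quietly reading freed memory.

```c
/* Added example, not injdrv code: user-mode model of the intrusive
 * doubly linked list used by InjFindInjectionInfo. Layout and names are
 * assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

/* Same macro shape as the WDK one: link address -> owning record. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

typedef void *HANDLE;

/* Hypothetical record: ListEntry first, ProcessId immediately after. */
typedef struct _INJ_INFO {
    LIST_ENTRY ListEntry;
    HANDLE     ProcessId;
    int        Injected;
} INJ_INFO, *PINJ_INFO;

static LIST_ENTRY InfoListHead;

static void InitializeListHead(PLIST_ENTRY Head)
{
    Head->Flink = Head->Blink = Head;
}

static void InsertTailList(PLIST_ENTRY Head, PLIST_ENTRY Entry)
{
    PLIST_ENTRY Last = Head->Blink;
    Entry->Flink = Head;
    Entry->Blink = Last;
    Last->Flink  = Entry;
    Head->Blink  = Entry;
}

static void RemoveEntryList(PLIST_ENTRY Entry)
{
    Entry->Blink->Flink = Entry->Flink;
    Entry->Flink->Blink = Entry->Blink;
    /* Poison the links: a stale pointer into this record now faults
     * immediately instead of silently following freed memory. */
    Entry->Flink = Entry->Blink = NULL;
}

/* Mirror of the lookup on the page: walk from the head until we wrap. */
PINJ_INFO FindInfo(HANDLE ProcessId)
{
    PLIST_ENTRY Next = InfoListHead.Flink;
    while (Next != &InfoListHead) {
        PINJ_INFO Info = CONTAINING_RECORD(Next, INJ_INFO, ListEntry);
        if (Info->ProcessId == ProcessId)   /* reads ProcessId at +0x10 on x64 */
            return Info;
        Next = Next->Flink;
    }
    return NULL;
}

/* Offset the compare actually reads, given the assumed layout. */
size_t ProcessIdOffset(void)
{
    return offsetof(INJ_INFO, ProcessId);
}

/* Constructed scenario: three records, one of them PID 0x20ac as in the
 * crash dump. Returns 1 when every lookup behaves as expected. */
int RunListDemo(void)
{
    static INJ_INFO Records[3];
    const uintptr_t pids[3] = { 0x1000, 0x20ac, 0x3004 };

    InitializeListHead(&InfoListHead);
    for (int i = 0; i < 3; i++) {
        Records[i].ProcessId = (HANDLE)pids[i];
        Records[i].Injected  = 0;
        InsertTailList(&InfoListHead, &Records[i].ListEntry);
    }

    if (FindInfo((HANDLE)(uintptr_t)0x20ac) != &Records[1]) return 0;  /* hit */
    if (FindInfo((HANDLE)(uintptr_t)0x9999) != NULL)        return 0;  /* miss */

    RemoveEntryList(&Records[1].ListEntry);
    if (FindInfo((HANDLE)(uintptr_t)0x20ac) != NULL)        return 0;  /* gone */
    return 1;
}

int main(void)
{
    printf("ProcessId offset: %zu bytes\n", ProcessIdOffset());
    printf("list demo: %s\n", RunListDemo() ? "ok" : "FAILED");
    return 0;
}
```

The model only shows what the faulting compare dereferences; it does not say why the pointer was bad in the reported crash. In general a walk like this is only safe when inserts and removals on the same list are serialized against it, so the check a practitioner would want first is whether every reader and writer of the list takes the same lock.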