Comments (16)

rgutherz avatar rgutherz commented on July 29, 2024 1

Thanks for the explanation. I understand it now. I will read the readme again to see that I did not miss anything.
Thank you again for the fast response!
Have a good day!

from injdrv.

wbenny avatar wbenny commented on July 29, 2024

What value of ForceUserApc do you use?

rgutherz avatar rgutherz commented on July 29, 2024

injlib.c: CapturedInjectionInfo->ForceUserApc = TRUE;

wbenny avatar wbenny commented on July 29, 2024

Please, try setting it to FALSE and report back if it solved the problem.

rgutherz avatar rgutherz commented on July 29, 2024

It works!
Thanks a lot!
What does it mean changing it to FALSE?

wbenny avatar wbenny commented on July 29, 2024

It's explained in the README.md

[image]

The DLL is injected right after NTDLL, and since OutputDebugString is a kernel32.dll function, it fails. The injection (as you probably know) works by queuing a user-mode APC from the driver. The ForceUserApc controls WHEN this APC is actually triggered (executed).

ForceUserApc = TRUE means that the APC is executed on the next transition from kernel-mode to user-mode.
ForceUserApc = FALSE means that the APC is executed before the entry point of the EXE is executed (at that point, usually all DLLs are loaded). The APC is triggered "naturally" by NtTestAlert in NTDLL itself.

wbenny avatar wbenny commented on July 29, 2024

Read the whole readme, it's all explained there. If you still don't understand, then shoot a question :)

rgutherz avatar rgutherz commented on July 29, 2024

One more question.
I just noticed that it does not inject the DLL (injdllx86.dll) into 32-bit processes.
I'm running on an x64 Windows 7 machine.
I see that it sees the new 32-bit processes with a success message, but the DLL is not loaded:
[injlib]: Injecting (PID: 1152, Wow64: TRUE, Name: 'MobaXterm.exe')
[injlib]: InjpQueueApc successfull
[injlib]: Mark process: 1152 is injected

Am I missing something?
Do I need to change something to allow loading x86 DLL?

wbenny avatar wbenny commented on July 29, 2024

Does it inject x64 DLL instead? What is your injection method? (Settings.Method)

On x64 it is by default InjMethodThunkless, which means it injects x64 DLL even into x86 processes. Use InjMethodThunk if you want to inject x86 processes with x86 DLL (again, it's all in the readme :)

rgutherz avatar rgutherz commented on July 29, 2024

No, it does not inject anything.
#if defined (_M_IX86)
    Settings.Method = InjMethodThunk;
#elif defined (_M_AMD64)
    Settings.Method = InjMethodThunkless;
#elif defined (_M_ARM64)
    Settings.Method = InjMethodWow64LogReparse;
#endif

Settings.Method = InjMethodThunk; on x86

wbenny avatar wbenny commented on July 29, 2024

The driver is compiled for x64, though, isn't it? Or are you trying it on Win7 x86?

rgutherz avatar rgutherz commented on July 29, 2024

The driver is compiled for x64. I'm running it on an x64 Windows 7 machine.

rgutherz avatar rgutherz commented on July 29, 2024

[injlib]: Current system is Windows 7
[injlib]: InjMethod: 'InjMethodThunkLess'

wbenny avatar wbenny commented on July 29, 2024

...then this branch applies: #elif defined (_M_AMD64)

Try to replace InjMethodThunkless with InjMethodThunk there.

rgutherz avatar rgutherz commented on July 29, 2024

Works like a champ!

rgutherz avatar rgutherz commented on July 29, 2024

Hi,
I got a BSOD on Windows 10.

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff802bc932524, Address of the instruction which caused the bugcheck
Arg3: ffffe08f1ba66ae0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

FAULTING_IP:
injdrv+2524
fffff802`bc932524 48394110 cmp qword ptr [rcx+10h],rax

MODULE_NAME: injdrv

IMAGE_NAME: injdrv.sys

This is the callstack:
0: kd> kp

Child-SP RetAddr Call Site

00 ffffe08f1ba66208 fffff802bd45b669 nt!KeBugCheckEx
01 ffffe08f1ba66210 fffff802bd45abbc nt!KiBugCheckDispatch+0x69
02 ffffe08f1ba66350 fffff802bd4533ad nt!KiSystemServiceHandler+0x7c
03 ffffe08f1ba66390 fffff802bd35b126 nt!RtlpExecuteHandlerForException+0xd
04 ffffe08f1ba663c0 fffff802bd35cc23 nt!RtlDispatchException+0x416
05 ffffe08f1ba66ab0 fffff802bd45b742 nt!KiDispatchException+0x1f3
06 ffffe08f1ba67160 fffff802bd4582c5 nt!KiExceptionDispatch+0xc2
07 ffffe08f1ba67340 fffff802bc932524 nt!KiPageFault+0x405
*** WARNING: Unable to verify timestamp for injdrv.sys
08 ffffe08f1ba674d0 fffff802bc9327f3 injdrv!InjFindInjectionInfo(void * ProcessId = 0x00000000000020ac)+0x34 [c:\working\injdrv\injlib.c @ 1093]
09 ffffe08f1ba674f0 fffff802bd7f2efe injdrv!InjLoadImageNotifyRoutine(struct _UNICODE_STRING * FullImageName = 0xffff91889adea688 "\Windows\System32\msvcrt.dll", void * ProcessId = 0x00000000000020ac, struct _IMAGE_INFO * ImageInfo = 0xffffe08f1ba676c0)+0x23 [c:\working\injdrv\injlib.c @ 1340]
0a ffffe08f1ba675b0 fffff802bd7f19f4 nt!PsCallImageNotifyRoutines+0x12e
0b ffffe08f1ba67610 fffff802bd7a1721 nt!MiMapViewOfImageSection+0x734
0c ffffe08f1ba67790 fffff802bd7a0e7b nt!MiMapViewOfSection+0x3c1
0d ffffe08f1ba678e0 fffff802bd45b143 nt!NtMapViewOfSection+0x12b
0e ffffe08f1ba67a10 00007ff9f867aea4 nt!KiSystemServiceCopyEnd+0x13
0f 00000070e8c7e6e8 0000000000000000 0x00007ff9`f867aea4

Checking the source code I found that it is in:
PINJ_INJECTION_INFO
NTAPI
InjFindInjectionInfo(
    _In_ HANDLE ProcessId
    )
{
    PLIST_ENTRY NextEntry = InjInfoListHead.Flink;

    while (NextEntry != &InjInfoListHead)
    {
        PINJ_INJECTION_INFO InjectionInfo = CONTAINING_RECORD(NextEntry,
                                                              INJ_INJECTION_INFO,
                                                              ListEntry);

        if (InjectionInfo->ProcessId == ProcessId)
        {
            return InjectionInfo;
        }

        NextEntry = NextEntry->Flink;
    }

    return NULL;
}

It only happened once.
What could be the cause of the problem?
Maybe a page fault happened while in the function, on memory that should not be paged?

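The thread does not settle what caused the fault above. As an added illustration (not injdrv's code), the following user-mode C re-implements the same CONTAINING_RECORD list lookup with one lock serializing walks against insert and unlink, and with the lookup copying the record out instead of handing back a pointer that would outlive the lock. That is the first invariant a reviewer would check when a list is walked from a load-image notify callback, which runs in whatever thread happens to be mapping an image. The list primitives, the lock, the add/remove helpers, the copy-out API and the Injected field are assumptions made for this illustration; the PID 0x20ac is taken from the crash dump in the comment, 0x1234 is constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <pthread.h>

/* Portable stand-ins for the WDK list primitives the snippet relies on.
   Hypothetical re-implementation for illustration, not injdrv's code. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

typedef void *HANDLE;

#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

static void InsertTailList(PLIST_ENTRY Head, PLIST_ENTRY Entry)
{
    PLIST_ENTRY Last = Head->Blink;
    Entry->Flink = Head;
    Entry->Blink = Last;
    Last->Flink = Entry;
    Head->Blink = Entry;
}

static void RemoveEntryList(PLIST_ENTRY Entry)
{
    Entry->Blink->Flink = Entry->Flink;
    Entry->Flink->Blink = Entry->Blink;
}

/* Same shape as the record in the comment; Injected is an assumed field. */
typedef struct _INJ_INJECTION_INFO {
    LIST_ENTRY ListEntry;
    HANDLE     ProcessId;
    int        Injected;
} INJ_INJECTION_INFO, *PINJ_INJECTION_INFO;

/* One lock covers every walk, insert and unlink. In a driver the callbacks
   touching this list run concurrently in arbitrary thread context, so an
   unguarded walk can follow a Flink into memory that is being freed. */
static LIST_ENTRY      InjInfoListHead = { &InjInfoListHead, &InjInfoListHead };
static pthread_mutex_t InjInfoListLock = PTHREAD_MUTEX_INITIALIZER;

/* Walk under the lock, as the snippet does, but hand back a copy: a raw
   pointer returned after unlock could be unlinked and freed before the
   caller dereferences it. Returns 1 if found, 0 otherwise. */
int InjLookupInjectionInfo(HANDLE ProcessId, INJ_INJECTION_INFO *Out)
{
    int Found = 0;
    pthread_mutex_lock(&InjInfoListLock);
    for (PLIST_ENTRY NextEntry = InjInfoListHead.Flink;
         NextEntry != &InjInfoListHead;
         NextEntry = NextEntry->Flink)
    {
        PINJ_INJECTION_INFO InjectionInfo =
            CONTAINING_RECORD(NextEntry, INJ_INJECTION_INFO, ListEntry);
        if (InjectionInfo->ProcessId == ProcessId)
        {
            *Out = *InjectionInfo;
            Out->ListEntry.Flink = Out->ListEntry.Blink = NULL; /* copy is unlinked */
            Found = 1;
            break;
        }
    }
    pthread_mutex_unlock(&InjInfoListLock);
    return Found;
}

/* Allocates and links a record; 0 on success, -1 on allocation failure. */
int InjAddInjectionInfo(HANDLE ProcessId)
{
    PINJ_INJECTION_INFO Info = calloc(1, sizeof *Info);
    if (!Info) return -1;
    Info->ProcessId = ProcessId;
    pthread_mutex_lock(&InjInfoListLock);
    InsertTailList(&InjInfoListHead, &Info->ListEntry);
    pthread_mutex_unlock(&InjInfoListLock);
    return 0;
}

/* Unlinks under the same lock, so no concurrent walker can observe a
   half-removed entry; the free happens only once nothing can reach it.
   Returns 1 if an entry was removed, 0 if no entry matched. */
int InjRemoveInjectionInfo(HANDLE ProcessId)
{
    PINJ_INJECTION_INFO Victim = NULL;
    pthread_mutex_lock(&InjInfoListLock);
    for (PLIST_ENTRY e = InjInfoListHead.Flink; e != &InjInfoListHead; e = e->Flink)
    {
        PINJ_INJECTION_INFO Info = CONTAINING_RECORD(e, INJ_INJECTION_INFO, ListEntry);
        if (Info->ProcessId == ProcessId)
        {
            RemoveEntryList(e);
            Victim = Info;
            break;
        }
    }
    pthread_mutex_unlock(&InjInfoListLock);
    free(Victim);
    return Victim != NULL;
}

int main(void)
{
    INJ_INJECTION_INFO Snapshot;
    InjAddInjectionInfo((HANDLE)0x20ac);   /* PID from the thread's crash dump */
    printf("found before remove: %d\n", InjLookupInjectionInfo((HANDLE)0x20ac, &Snapshot));
    InjRemoveInjectionInfo((HANDLE)0x20ac);
    printf("found after remove:  %d\n", InjLookupInjectionInfo((HANDLE)0x20ac, &Snapshot));
    return 0;
}
```

The copy-out API is the deliberate design choice here: a lookup that returns a pointer is only as safe as the caller's promise to finish with it before any other path unlinks and frees the record, and a notify routine cannot make that promise about other callbacks. In kernel code the pthread mutex would be a spin lock or push lock chosen for the IRQL the callbacks run at; the structure of the code is the same.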