What should it be used for about injdrv HOT 7 OPEN

WNODE_HEADER::Guid ?

from injdrv.

Second question.

Using ETW to get cross-process events works fine on Windows10, but in NT6.1, 6.2, and 6.3, no events will be obtained before the restart.

To be specific,
First, I put the DLL file in System32, then installed the driver service and started it, and it worked fine.
Then I started the service process that gets events, like the INJldr project, but it didn't get any events until I restarted the system.

I didn't find the reason.

from injdrv.

Third question,

There are some issues with the drivers that can cause the blue screen to occur (depending on luck).

In the operation of the InjInfoListHead linked list, you should perform necessary exclusive operations, otherwise the blue screen is inevitable when the process moves frequently.

I fixed it and it works fine so far.

from injdrv.

Well, I want to load a DLL in a process that has no Kernel32.dll dependency, usually emulator processes such as Smartgaga or Gameloop. The purpose is to enable access to memory directly from the DLL without relying on Kernel to access it for me. If you have fixed the BSOD issue for the latest Windows 10 (21H2) how can I get the corrected and fixed solution from you? Which branch or origin should I get where the BSOD has been addressed?

from injdrv.

Well, I want to load a DLL in a process that has no Kernel32.dll dependency, usually emulator processes such as Smartgaga or Gameloop. The purpose is to enable access to memory directly from the DLL without relying on Kernel to access it for me. If you have fixed the BSOD issue for the latest Windows 10 (21H2) how can I get the corrected and fixed solution from you? Which branch or origin should I get where the BSOD has been addressed?

NTSTATUS NTAPI InjCreateInjectionInfo (
	IN PINJ_INJECTION_INFO* InjectionInfo,
	IN HANDLE ProcessId
) {

	PINJ_INJECTION_INFO CapturedInjectionInfo;
	KIRQL OldIrql;

	if (InjectionInfo && *InjectionInfo)
	{
		CapturedInjectionInfo = *InjectionInfo;
	}
	else
	{
		CapturedInjectionInfo = ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(INJ_INJECTION_INFO), INJ_MEMORY_TAG);
		if (!CapturedInjectionInfo)
		{
			return STATUS_INSUFFICIENT_RESOURCES;
		}

		if (InjectionInfo)
		{
			*InjectionInfo = CapturedInjectionInfo;
		}
	}

	RtlZeroMemory(CapturedInjectionInfo, sizeof(INJ_INJECTION_INFO));

	CapturedInjectionInfo->ProcessId = ProcessId;
	CapturedInjectionInfo->ForceUserApc = TRUE;
	CapturedInjectionInfo->Method = InjMethod;

	// Add Spin Lock
	KeAcquireSpinLock(&InjInfoListSpinLock, &OldIrql);
	InsertTailList(&InjInfoListHead, &CapturedInjectionInfo->ListEntry);
	KeReleaseSpinLock(&InjInfoListSpinLock, OldIrql);

	return STATUS_SUCCESS;
}

Like this, Just be careful about thread safety.

from injdrv.

Third question,

There are some issues with the drivers that can cause the blue screen to occur (depending on luck).

In the operation of the InjInfoListHead linked list, you should perform necessary exclusive operations, otherwise the blue screen is inevitable when the process moves frequently.

I fixed it and it works fine so far.

Would you mind sharing your fix?

from injdrv.

Third question,

There are some issues with the drivers that can cause the blue screen to occur (depending on luck).

In the operation of the InjInfoListHead linked list, you should perform necessary exclusive operations, otherwise the blue screen is inevitable when the process moves frequently.

I fixed it and it works fine so far.

Would you mind sharing your fix?

Refer to the code I gave in this issue. :)

from injdrv.