Unmanaged injection doesn't work

Coordinator
Jan 27, 2009 at 5:16 PM
Edited Jan 27, 2009 at 5:17 PM
E-MAIL REQUEST:

I have an unmanaged testing program based on your sample code:

1. I changed your "UnmanagedHook.cpp" in your sample code, and replaced the main function with code below:

extern "C" int main(int argc, wchar_t* argv[])
{
    ULONG id;
    RhCreateAndInject(L"c:\\windows\\system32\\cmd.exe",NULL,0,L"u:\\bin\\cmdhelpd.dll",NULL,NULL,0,&id);
}

2. In my injection DLL, I have an exported function as follows:
extern "C" __declspec(dllexport)
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* InRemoteInfo)
{
    RhWakeUpProcess();
}

But after that I got the error at this line:
THROW(STATUS_INTERNAL_ERROR, L"C++ completion routine has returned success but didn't raise the remote event.");

I found that there is an event created to double-check the running of the remote thread, and I also found that the event should have been set from your sample code. But I'm not sure why I got this error. Do I need to handle more in NativeInjectionEntryPoint?

My computer:
32-bit Vista with SP1, English version.

I'm looking forward to your reply.
Coordinator
Jan 27, 2009 at 5:20 PM
I am not really sure why this error occurs. This is indeed an internal error because usually it is impossible :-).

But I think the problem with your code is that the native entry point immediately returns and this may cause the thread to terminate and the event to be set "virtually" simultaneously. This again may cause the host injection to report an error, because it now detects that the thread has been terminated and "thinks" that the event is not set.

My recommendation is that you insert a sleep(5000) statement or do something more in there...

regards
chris
Jan 28, 2009 at 10:31 AM
Thanks a lot for the response. Some updates below:

Creating a Command Prompt window with RhCreateAndInject doesn't work. The newly created process exits right after RhWakeUpProcess. But after I changed cmd.exe to notepad.exe, it started to work.

extern "C" int main(int argc, wchar_t* argv[])
{
    ULONG id;
    // Change notepad.exe below to cmd.exe and it will fail.
    RhCreateAndInject(L"c:\\windows\\system32\\notepad.exe",NULL,0,L"D:\\Downloads\\EasyHook 2.5 Beta Source Code\\Debug\\x86\\TestInject.dll",NULL,NULL,0,&id);
}

I'm still investigating the issue and will let you know the reason once I have it.
Jan 29, 2010 at 10:44 PM

I suspect that cmd.exe is called without command line parameters and thus it is done and exits.  Perhaps CreateProcess differs from ShellExecute in this manner?

-Jason

 

Jan 30, 2010 at 8:05 AM
ChristophHusse wrote:
E-MAIL REQUEST:

I have an unmanaged testing program based on your sample code:

1. I changed your "UnmanagedHook.cpp" in your sample code, and replaced the main function with code below:

extern "C" int main(int argc, wchar_t* argv[])
{
    ULONG id;
    RhCreateAndInject(L"c:\\windows\\system32\\cmd.exe",NULL,0,L"u:\\bin\\cmdhelpd.dll",NULL,NULL,0,&id);
}

2. In my injection DLL, I have an exported function as follows:
extern "C" __declspec(dllexport)
void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* InRemoteInfo)
{
    RhWakeUpProcess();
}

But after that I got the error at this line:
THROW(STATUS_INTERNAL_ERROR, L"C++ completion routine has returned success but didn't raise the remote event.");

I found that there is an event created to double-check the running of the remote thread, and I also found that the event should have been set from your sample code. But I'm not sure why I got this error. Do I need to handle more in NativeInjectionEntryPoint?

My computer:
32-bit Vista with SP1, English version.

I'm looking forward to your reply.

Hum... That's so really simple, it should work! If you know what I am doing with EasyHook! So many things...

Are you running EasyHook on 64-bit Windows or not?

On which platform does your main.exe run? And are you sure that your cmd.exe is compiled for the same platform and that you don't have any WOW64 issues (main.exe and cmd.exe not compiled for the same target platform)?

 

The last time I encountered a similar exception in my code was when injecting 64-bit targets from a 32-bit program!
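
The platform question raised in the last reply can be answered before calling RhCreateAndInject by reading the PE headers of the images involved (injector, target executable, DLL) and comparing their architecture. This is an added example, not code from the thread or from EasyHook; the names pe_bits, same_bitness and sample_header are hypothetical, and the sample headers are constructed so the block runs without any real files.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example: classify a PE image as 32- or 64-bit from its headers.
enum class PeBits { Invalid, X86, X64, Other };

// Little-endian read of n bytes; the caller has already checked bounds.
static uint32_t rd(const std::vector<uint8_t>& b, size_t off, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; ++i) v |= uint32_t(b[off + i]) << (8 * i);
    return v;
}

PeBits pe_bits(const std::vector<uint8_t>& img) {
    if (img.size() < 0x40 || img[0] != 'M' || img[1] != 'Z') return PeBits::Invalid;
    size_t pe = rd(img, 0x3C, 4);            // e_lfanew: offset of "PE\0\0"
    // Need signature (4) + COFF file header (20) + optional-header magic (2).
    if (pe > img.size() || img.size() - pe < 26) return PeBits::Invalid;
    if (rd(img, pe, 4) != 0x00004550) return PeBits::Invalid;      // "PE\0\0"
    uint32_t machine = rd(img, pe + 4, 2);   // COFF Machine field
    uint32_t magic   = rd(img, pe + 24, 2);  // optional header Magic
    if (machine == 0x014C && magic == 0x010B) return PeBits::X86;  // I386, PE32
    if (machine == 0x8664 && magic == 0x020B) return PeBits::X64;  // AMD64, PE32+
    return PeBits::Other;                    // other CPU or inconsistent header
}

// True only when both images parse and target the same architecture.
bool same_bitness(const std::vector<uint8_t>& a, const std::vector<uint8_t>& b) {
    PeBits x = pe_bits(a), y = pe_bits(b);
    return (x == PeBits::X86 || x == PeBits::X64) && x == y;
}

// Constructed sample: the smallest header prefix the parser accepts.
std::vector<uint8_t> sample_header(uint16_t machine, uint16_t magic) {
    std::vector<uint8_t> b(0x40 + 26, 0);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x40;  // e_lfanew = 0x40
    b[0x40] = 'P'; b[0x41] = 'E';
    b[0x44] = uint8_t(machine & 0xFF); b[0x45] = uint8_t(machine >> 8);
    b[0x58] = uint8_t(magic & 0xFF);   b[0x59] = uint8_t(magic >> 8);
    return b;
}
```

On a real system the byte vector would be filled from the first few hundred bytes of each file on disk; a false result from same_bitness points to the 32-bit/64-bit mismatch described in the reply above.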