wbenny / injdrv

proof-of-concept Windows Driver for injecting DLL into user-mode processes using APC
MIT License
1.1k stars 276 forks

What should it be used for #22

Open Fplyth0ner-Combie opened 2 years ago

Fplyth0ner-Combie commented 2 years ago

https://github.com/wbenny/injdrv/blob/a8dadf43a09f33c33a3957a250cb7ee05a986608/src/injldr/main.c#L24

Fplyth0ner-Combie commented 2 years ago

WNODE_HEADER::Guid?

Fplyth0ner-Combie commented 2 years ago

Second question.

Using ETW to get cross-process events works fine on Windows 10, but in NT 6.1, 6.2, and 6.3, no events will be obtained before the restart.

To be specific, first I put the DLL file in System32, then installed the driver service and started it, and it worked fine. Then I started the service process that gets events, like the injldr project, but it didn't get any events until I restarted the system.

I didn't find the reason.

Fplyth0ner-Combie commented 2 years ago

Third question,

There are some issues with the drivers that can cause the blue screen to occur (depending on luck).

In the operation of the InjInfoListHead linked list, you should perform necessary exclusive operations, otherwise the blue screen is inevitable when the process moves frequently.

I fixed it and it works fine so far.

Naeemullah1 commented 2 years ago

Well, I want to load a DLL in a process that has no Kernel32.dll dependency, usually emulator processes such as Smartgaga or Gameloop. The purpose is to enable access to memory directly from the DLL without relying on Kernel to access it for me. If you have fixed the BSOD issue for the latest Windows 10 (21H2) how can I get the corrected and fixed solution from you? Which branch or origin should I get where the BSOD has been addressed?

Fplyth0ner-Combie commented 2 years ago

> Well, I want to load a DLL in a process that has no Kernel32.dll dependency, usually emulator processes such as Smartgaga or Gameloop. The purpose is to enable access to memory directly from the DLL without relying on Kernel to access it for me. If you have fixed the BSOD issue for the latest Windows 10 (21H2) how can I get the corrected and fixed solution from you? Which branch or origin should I get where the BSOD has been addressed?

```c
// InjInfoListSpinLock is assumed to be a global KSPIN_LOCK initialized with
// KeInitializeSpinLock() in DriverEntry. The same lock has to guard every
// other access to InjInfoListHead (lookups and RemoveEntryList() calls), or
// the race is only half closed.
NTSTATUS NTAPI InjCreateInjectionInfo (
    IN PINJ_INJECTION_INFO* InjectionInfo,
    IN HANDLE ProcessId
) {

    PINJ_INJECTION_INFO CapturedInjectionInfo;
    KIRQL OldIrql;

    if (InjectionInfo && *InjectionInfo)
    {
        // Caller supplied its own record; reuse it.
        CapturedInjectionInfo = *InjectionInfo;
    }
    else
    {
        // Allocate from non-paged pool: the record is touched at DISPATCH_LEVEL
        // while the spin lock is held, so it must never be paged out.
        CapturedInjectionInfo = ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(INJ_INJECTION_INFO), INJ_MEMORY_TAG);
        if (!CapturedInjectionInfo)
        {
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        if (InjectionInfo)
        {
            *InjectionInfo = CapturedInjectionInfo;
        }
    }

    RtlZeroMemory(CapturedInjectionInfo, sizeof(INJ_INJECTION_INFO));

    CapturedInjectionInfo->ProcessId = ProcessId;
    CapturedInjectionInfo->ForceUserApc = TRUE;
    CapturedInjectionInfo->Method = InjMethod;

    // Add Spin Lock: the list is shared between the process/thread/image
    // notify callbacks, so the insert must be serialized against concurrent
    // traversal and removal. Raises to DISPATCH_LEVEL for the critical section only.
    KeAcquireSpinLock(&InjInfoListSpinLock, &OldIrql);
    InsertTailList(&InjInfoListHead, &CapturedInjectionInfo->ListEntry);
    KeReleaseSpinLock(&InjInfoListSpinLock, OldIrql);

    return STATUS_SUCCESS;
}
```

Like this. Just be careful about thread safety.
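
A portable user-mode model of the locking discipline the reply above describes, as an added example (this is neither injdrv's code nor the commenter's). It assumes simplified stand-ins for the kernel types of the same name: a minimal LIST_ENTRY with InsertTailList/RemoveEntryList, a test-and-set spin lock in place of KSPIN_LOCK, and a reduced INJ_INJECTION_INFO layout; the functions InjFindInjectionInfoLocked, InjMarkLoadedOnce, InjRemoveInjectionInfo and InjCountInjectionInfo are hypothetical names chosen for the example. It goes slightly beyond the snippet above by showing the whole pattern, not just the insert: lookup and mutation happen under the same lock, and a node is freed only after it has been unlinked and the lock released.

```c
/* Added example (not injdrv's code): every access to the shared list goes
 * through one lock, and nodes are freed only after they are unlinked.
 * LIST_ENTRY, the spin lock and INJ_INJECTION_INFO are simplified stand-ins. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive doubly linked list, same shape as the NT LIST_ENTRY. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *Head) { Head->Flink = Head->Blink = Head; }
static void InsertTailList(LIST_ENTRY *Head, LIST_ENTRY *Entry)
{
    Entry->Flink = Head;
    Entry->Blink = Head->Blink;
    Head->Blink->Flink = Entry;
    Head->Blink = Entry;
}
static void RemoveEntryList(LIST_ENTRY *Entry)
{
    Entry->Blink->Flink = Entry->Flink;
    Entry->Flink->Blink = Entry->Blink;
    Entry->Flink = Entry->Blink = NULL;   /* poison: a later traversal of this node faults */
}

/* Test-and-set spin lock standing in for KSPIN_LOCK / KeAcquireSpinLock. */
static void AcquireSpinLock(atomic_flag *Lock)
{
    while (atomic_flag_test_and_set_explicit(Lock, memory_order_acquire)) { }
}
static void ReleaseSpinLock(atomic_flag *Lock)
{
    atomic_flag_clear_explicit(Lock, memory_order_release);
}

/* Per-process injection record (assumed, reduced layout). */
typedef struct {
    LIST_ENTRY ListEntry;
    uintptr_t  ProcessId;
    bool       ForceUserApc;
    bool       LoadedOnce;    /* set once the DLL load has been queued */
} INJ_INJECTION_INFO;

static LIST_ENTRY  InjInfoListHead;
static atomic_flag InjInfoListSpinLock = ATOMIC_FLAG_INIT;

void InjInitializeInjectionList(void) { InitializeListHead(&InjInfoListHead); }

/* Caller MUST hold InjInfoListSpinLock and must not use the returned pointer
 * after releasing it, unless it unlinked the node while still holding the lock. */
static INJ_INJECTION_INFO *InjFindInjectionInfoLocked(uintptr_t ProcessId)
{
    for (LIST_ENTRY *e = InjInfoListHead.Flink; e != &InjInfoListHead; e = e->Flink) {
        INJ_INJECTION_INFO *info = CONTAINING_RECORD(e, INJ_INJECTION_INFO, ListEntry);
        if (info->ProcessId == ProcessId) return info;
    }
    return NULL;
}

/* Allocate outside the lock, link inside it. Returns 0 on success, -1 on failure. */
int InjCreateInjectionInfo(uintptr_t ProcessId)
{
    INJ_INJECTION_INFO *info = calloc(1, sizeof *info);
    if (!info) return -1;
    info->ProcessId = ProcessId;
    info->ForceUserApc = true;
    AcquireSpinLock(&InjInfoListSpinLock);
    InsertTailList(&InjInfoListHead, &info->ListEntry);
    ReleaseSpinLock(&InjInfoListSpinLock);
    return 0;
}

/* Mutate under the lock instead of handing a raw node pointer to the caller.
 * Returns true only the first time the record for ProcessId is marked. */
bool InjMarkLoadedOnce(uintptr_t ProcessId)
{
    AcquireSpinLock(&InjInfoListSpinLock);
    INJ_INJECTION_INFO *info = InjFindInjectionInfoLocked(ProcessId);
    bool first = info && !info->LoadedOnce;
    if (first) info->LoadedOnce = true;
    ReleaseSpinLock(&InjInfoListSpinLock);
    return first;
}

/* Unlink under the lock, free only after releasing it. */
bool InjRemoveInjectionInfo(uintptr_t ProcessId)
{
    AcquireSpinLock(&InjInfoListSpinLock);
    INJ_INJECTION_INFO *info = InjFindInjectionInfoLocked(ProcessId);
    if (info) RemoveEntryList(&info->ListEntry);
    ReleaseSpinLock(&InjInfoListSpinLock);
    free(info);                      /* free(NULL) is a no-op */
    return info != NULL;
}

size_t InjCountInjectionInfo(void)
{
    size_t n = 0;
    AcquireSpinLock(&InjInfoListSpinLock);
    for (LIST_ENTRY *e = InjInfoListHead.Flink; e != &InjInfoListHead; e = e->Flink) n++;
    ReleaseSpinLock(&InjInfoListSpinLock);
    return n;
}

int main(void)
{
    InjInitializeInjectionList();
    InjCreateInjectionInfo(1234);    /* constructed sample process ids */
    InjCreateInjectionInfo(5678);
    printf("first mark: %d, second mark: %d\n", InjMarkLoadedOnce(1234), InjMarkLoadedOnce(1234));
    InjRemoveInjectionInfo(1234);
    printf("records left: %zu\n", InjCountInjectionInfo());
    return 0;
}
```

The shape matters more than the lock type: in the driver the equivalent is KeAcquireSpinLock around the insert, the lookup and the RemoveEntryList in the notify callbacks, with ExFreePoolWithTag called only after the lock is released, since freeing a node that another callback is still walking is exactly the intermittent bug described in this thread.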

CycloneRing commented 1 year ago

> Third question,
>
> There are some issues with the drivers that can cause the blue screen to occur (depending on luck).
>
> In the operation of the InjInfoListHead linked list, you should perform necessary exclusive operations, otherwise the blue screen is inevitable when the process moves frequently.
>
> I fixed it and it works fine so far.

Would you mind sharing your fix?

Fplyth0ner-Combie commented 1 year ago

> > Third question,
> >
> > There are some issues with the drivers that can cause the blue screen to occur (depending on luck).
> >
> > In the operation of the InjInfoListHead linked list, you should perform necessary exclusive operations, otherwise the blue screen is inevitable when the process moves frequently.
> >
> > I fixed it and it works fine so far.
>
> Would you mind sharing your fix?

Refer to the code I gave in this issue. :)