The madCodeHook 3.0 injection drivers need to be configured and signed, otherwise they won't work at all. By configuring the driver file, you bind it to the known "good" hook dlls. The driver is only ever willing to inject hook dlls that are known to it. Injection of any unknown hook dll is always refused.
There's a command line tool available named "madConfigDrv.exe". You need to call this tool to configure the driver to your specific needs. Here's the help output of the tool:
In order to properly configure a driver, there are two things you *have* to do:
(1) You need to specify a driver name. The name should be unique. I'd suggest something like "yourCompanyNameProductNameInjDrv". This name is not directly visible anywhere, so don't worry about using cryptic names. The name will later be used by the driver API to contact your driver. The length of the name is limited to a maximum of 39 characters.
(2) You need to tell the driver which dlls you want to have injected. A hash of each dll file will then be stored in the driver file. Each driver can store up to 40 different dll hashes.
Optionally, you can also tell the driver to allow being stopped. By default, the driver refuses to ever be stopped, to make sure that a malware application can't possibly stop the driver behind your back. The option "-safeStopAllowed" means that the driver can be stopped only by calling the StopInjectionDriver API, but not by using the device manager GUI, nor by using "sc.exe". Also, stopping will only work if no DLL injection is currently active. The option "-unsafeStopAllowed" means that the driver can be stopped at any time, by anyone, no matter what. This may make sense if you want to use standard uninstallation software.
Here's a sample batch file:
Please note that the driver internally uses an OS resource which can only be used 8 times (up to XP) or 64 times (Vista and newer) at the same time. That means you need to be a bit careful about how you configure your drivers. If you have a dozen products and every one needs dll injection, you may run into trouble with the limited OS resource, especially in XP. Furthermore, other companies are also using the very same OS resource in some of their drivers. So you might want to consider using only one driver for all of your products. One driver supports up to 40 different dlls.
Please also be aware that you have to reconfigure and sign your driver every time you so much as recompile the hook dll. A recompiled dll looks like a different dll to madCodeHook. Of course, if you reconfigure the same driver file again and again, you will soon run into the limit of 40 dlls per driver. So my tip is to always start with a "virgin" driver when you need to reconfigure.
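A build-side check for the limits and the recompile rule described above, as an added example that is not part of madCodeHook or its tools. It assumes SHA-256 as a stand-in for the driver's hash (the page does not name the algorithm) and a hypothetical manifest of {filename: digest} kept by your build; the driver name and dll names are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

MAX_NAME_LEN = 39    # driver name limit stated on the page
MAX_DLL_HASHES = 40  # hash slots per driver stated on the page

def digest(path):
    # SHA-256 is a stand-in: the page does not say which hash the driver stores.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_config(driver_name, dll_paths, recorded, reuse_driver_file=False):
    """Compare the hook dlls on disk with the digests recorded at the last
    configuration run (a hypothetical build-side manifest {filename: digest})."""
    current = {Path(p).name: digest(p) for p in dll_paths}
    # A changed or new digest is a dll the configured driver will refuse.
    stale = sorted(n for n, h in current.items() if recorded.get(n) != h)
    # Reconfiguring an already configured driver file keeps its old hashes,
    # so they occupy slots too; a fresh driver file holds only the current set.
    kept = set(recorded.values()) if reuse_driver_file else set()
    slots = len(kept | set(current.values()))
    return {
        "name_ok": 0 < len(driver_name) <= MAX_NAME_LEN,
        "needs_reconfigure": stale,
        "slots_used": slots,
        "fits": slots <= MAX_DLL_HASHES,
        "manifest": current,
    }

def demo():
    # Constructed sample: two fake "dlls", one of which is then rebuilt.
    with tempfile.TemporaryDirectory() as d:
        a, b = Path(d, "hook32.dll"), Path(d, "hook64.dll")
        a.write_bytes(b"build-1 x86")
        b.write_bytes(b"build-1 x64")
        first = check_config("AcmeProductInjDrv", [a, b], recorded={})
        b.write_bytes(b"build-2 x64")  # simulated recompile
        fresh = check_config("AcmeProductInjDrv", [a, b], first["manifest"])
        reused = check_config("AcmeProductInjDrv", [a, b], first["manifest"],
                              reuse_driver_file=True)
        return first, fresh, reused

if __name__ == "__main__":
    for result in demo():
        print(result["needs_reconfigure"], result["slots_used"], result["fits"])
```

Run it as a release gate: a non-empty "needs_reconfigure" list means the driver must be configured and signed again before shipping, and "slots_used" shows how a reused driver file fills up faster than a fresh one.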