Driver Configuration

The madCodeHook injection drivers need to be configured and signed, otherwise they won't work at all. By configuring the driver file, you give it a unique name. You can also make a set of "good" hook dlls known to the driver. The driver is only ever willing to inject those hook dlls which are known to it, or which are signed with the same certificate as the driver itself. Injection of any unknown hook dll is always refused.

There's a command line tool available named "madConfigDrv.exe". You need to call this tool to configure the driver to your specific needs. Here's the help output of the tool:

madConfigDrv v1.0.3.0,

- add your hook dlls to the list of allowed dlls
- define whether the driver can be stopped or not

madConfigDrv driver.sys drivername [hook1.dll] [...] [hook40.dll] [-options]
-cert=some.dll     consider all dlls trustworthy which are signed like this dll
-unsafeStopAllowed driver can be stopped by anyone at any time
-safeStopAllowed   driver can be stopped only...
                   (1) if no dll injection is active and
                   (2) by using a special madCodeHook API
-stopDisallowed    driver can't be stopped at all

The driver must not be signed yet.
Sign the driver after having allowed all your hook dlls.

In order to properly configure a driver, there is only one thing you *have* to do: You need to specify a driver name. The name should be unique. I'd suggest something like "yourCompanyNameProductNameInjDrv". This name is not directly visible anywhere, so don't worry about using cryptic names. The name will later be used by the driver API to contact your driver. The length of the name is limited to max 39 characters.

Optionally you can tell the driver which dlls you want to have injected. A hash of each dll file will then be stored into the driver file. Each driver can store up to 40 different dll hashes. The driver will refuse to inject any dlls which are not considered trustworthy. There are 3 ways to make a dll trusted by the driver: 1) If the driver knows the dll by hash (see above), it's of course considered trustworthy. 2) Alternatively, any dll which is signed with the same certificate as the driver itself is also "good". 3) Finally, if you use the "-cert=some.dll" option, the driver remembers the first certificate of "some.dll" and compares this certificate to all dlls you're later trying to inject. Only dlls which match this certificate will be considered trustworthy. If you use the "-cert=some.dll" option, dlls which don't match this certificate, but do match the certificate the driver itself was signed with, are *not* considered trustworthy anymore.

Optionally you can also tell the driver to allow being stopped. By default the driver refuses to ever be stopped, to make sure that a malware application can't possibly stop the driver behind your back. The option "-safeStopAllowed" means that the driver can be stopped only by calling the StopInjectionDriver API, but not by using the device manager GUI, nor by using "sc.exe". Also, stopping will only work if no DLL injection is currently active. The option "-unsafeStopAllowed" means that the driver can be stopped at any time, by anyone, no matter what. This may make sense if you want to use standard uninstallation software.

Here's a sample batch file:

madConfigDrv DemoDriver32.sys HookProcessCreationDemoDriver HookProcessCreation32.dll -unsafeStopAllowed
madConfigDrv DemoDriver64.sys HookProcessCreationDemoDriver HookProcessCreation32.dll HookProcessCreation64.dll -unsafeStopAllowed

Please note that the driver internally uses an OS resource which can only be used 8 times (up to XP) or 64 times (Vista and newer) at the same time. That means you need to be a bit careful about how you configure your drivers. If you have a dozen products and every one needs dll injection, you may run into trouble with the limited OS resource, especially on XP. Furthermore, other companies are also using the very same OS resource in some of their drivers. So you might want to consider using only one driver for all of your products. One driver supports up to 40 different dlls. Or, if you sign all your hook dlls with the same certificate you sign your driver with, the driver supports injecting a virtually unlimited number of different hook dlls.

Please be aware that if your hook dll is not signed with the same certificate as your driver, you have to make the hook dll known to the driver. Otherwise injection will be refused. Furthermore, in this situation you also need to reconfigure and re-sign your driver every time you even recompile the hook dll. A recompiled dll looks like a different dll to madCodeHook. Of course, if you reconfigure the same driver file again and again, you will soon run into the limit of max 40 dlls per driver. So my tip is to always start with a "virgin" driver when you need to reconfigure.
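To make the three trust rules and the per-driver limits concrete, here is an added Python model of the driver's decision logic. It is not madCodeHook's own code: the hash algorithm (sha256), the cert-name strings and the DLL stand-ins are assumptions, but the rules it encodes (known hash, signed like the driver, "-cert" pinning replacing the driver-cert rule, 39-character name, 40 stored hashes, recompiled dll = different hash) are the ones described above.

```python
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Optional, Set

MAX_NAME_LEN = 39   # driver name limit from the madConfigDrv docs
MAX_HASHES = 40     # hashes one driver file can store

@dataclass
class HookDll:
    """Constructed stand-in for a DLL file: its bytes and signing-cert name."""
    data: bytes
    cert: Optional[str] = None   # None = unsigned

    @property
    def digest(self) -> str:
        # The real driver's hash algorithm is not documented here; sha256 is an assumption.
        return sha256(self.data).hexdigest()

@dataclass
class DriverConfig:
    name: str
    driver_cert: str                       # certificate driver.sys will be signed with
    pinned_cert: Optional[str] = None      # set by -cert=some.dll
    known_hashes: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if not self.name or len(self.name) > MAX_NAME_LEN:
            raise ValueError("driver name must be 1..39 characters")

    def allow(self, dll: HookDll) -> None:
        """madConfigDrv step: store the dll's hash in the driver file."""
        if dll.digest in self.known_hashes:
            return
        if len(self.known_hashes) >= MAX_HASHES:
            raise ValueError("driver already stores 40 dll hashes; start from a fresh driver")
        self.known_hashes.add(dll.digest)

    def is_trusted(self, dll: HookDll) -> bool:
        """Mirror the three trust rules; anything else is refused."""
        if dll.digest in self.known_hashes:          # rule 1: known by hash
            return True
        if dll.cert is None:                         # unsigned and unknown: refused
            return False
        if self.pinned_cert is not None:             # rule 3: -cert pin replaces rule 2
            return dll.cert == self.pinned_cert
        return dll.cert == self.driver_cert          # rule 2: signed like the driver
```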

But really, the best solution is to sign both your drivers and the hook dlls with the same certificate. Then you only have to touch the driver when your certificate runs out, or when you want to switch to a newer driver version.