What should it be used for

[Fplyth0ner-Combie]

injdrv/src/injldr/main.c

Line 24 in a8dadf4

GUID SessionGuid = {

[Fplyth0ner-Combie]

WNODE_HEADER::Guid ?

[Fplyth0ner-Combie]

Second question.

Using ETW to get cross-process events works fine on Windows10, but in NT6.1, 6.2, and 6.3, no events will be obtained before the restart.

To be specific,
First, I put the DLL file in System32, then installed the driver service and started it, and it worked fine.
Then I started the service process that gets events, like the INJldr project, but it didn't get any events until I restarted the system.

I didn't find the reason.

[Fplyth0ner-Combie]

Third question,

There are some issues with the drivers that can cause the blue screen to occur (depending on luck).

In the operation of the InjInfoListHead linked list, you should perform necessary exclusive operations, otherwise the blue screen is inevitable when the process moves frequently.

I fixed it and it works fine so far.

[Naeemullah1]

Well, I want to load a DLL in a process that has no Kernel32.dll dependency, usually emulator processes such as Smartgaga or Gameloop. The purpose is to enable access to memory directly from the DLL without relying on Kernel to access it for me. If you have fixed the BSOD issue for the latest Windows 10 (21H2) how can I get the corrected and fixed solution from you? Which branch or origin should I get where the BSOD has been addressed?

[Fplyth0ner-Combie]

Well, I want to load a DLL in a process that has no Kernel32.dll dependency, usually emulator processes such as Smartgaga or Gameloop. The purpose is to enable access to memory directly from the DLL without relying on Kernel to access it for me. If you have fixed the BSOD issue for the latest Windows 10 (21H2) how can I get the corrected and fixed solution from you? Which branch or origin should I get where the BSOD has been addressed?

NTSTATUS NTAPI InjCreateInjectionInfo (
	IN PINJ_INJECTION_INFO* InjectionInfo,
	IN HANDLE ProcessId
) {

	PINJ_INJECTION_INFO CapturedInjectionInfo;
	KIRQL OldIrql;

	if (InjectionInfo && *InjectionInfo)
	{
		CapturedInjectionInfo = *InjectionInfo;
	}
	else
	{
		CapturedInjectionInfo = ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(INJ_INJECTION_INFO), INJ_MEMORY_TAG);
		if (!CapturedInjectionInfo)
		{
			return STATUS_INSUFFICIENT_RESOURCES;
		}

		if (InjectionInfo)
		{
			*InjectionInfo = CapturedInjectionInfo;
		}
	}

	RtlZeroMemory(CapturedInjectionInfo, sizeof(INJ_INJECTION_INFO));

	CapturedInjectionInfo->ProcessId = ProcessId;
	CapturedInjectionInfo->ForceUserApc = TRUE;
	CapturedInjectionInfo->Method = InjMethod;

	// Add Spin Lock
	KeAcquireSpinLock(&InjInfoListSpinLock, &OldIrql);
	InsertTailList(&InjInfoListHead, &CapturedInjectionInfo->ListEntry);
	KeReleaseSpinLock(&InjInfoListSpinLock, OldIrql);

	return STATUS_SUCCESS;
}

Like this, Just be careful about thread safety.

[CycloneRing]

Third question,

There are some issues with the drivers that can cause the blue screen to occur (depending on luck).

In the operation of the InjInfoListHead linked list, you should perform necessary exclusive operations, otherwise the blue screen is inevitable when the process moves frequently.

I fixed it and it works fine so far.

Would you mind sharing your fix?

[Fplyth0ner-Combie]

Third question,

There are some issues with the drivers that can cause the blue screen to occur (depending on luck).

In the operation of the InjInfoListHead linked list, you should perform necessary exclusive operations, otherwise the blue screen is inevitable when the process moves frequently.

I fixed it and it works fine so far.

Would you mind sharing your fix?

Refer to the code I gave in this issue. :)