MchInjDrv

Discussion in 'ProcessGuard' started by Rainwalker, Sep 6, 2004.

Thread Status:
Not open for further replies.
  1. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    You are very welcome
     
  2. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Thank you all for this useful (and humorous :) ) thread. I had the same thing and was a bit scared and undecided what to do. Luckily there is ...Wildersforum! :D
     
  3. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Hi Folks,

    I got the same message, but the program that tried to install it was Process Guard itself, and it blocked itself.
    I looked at the log and didn't find anything, except Trojan Hunter trying to install it.

    Is that correct ?

    Best Regards,

    DonKid.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi DonKid, ProcessGuard does not use those libraries but I believe that TH might and this is what you are seeing. DCS only use their own code for low level drivers.

    HTH Pilli
     
  5. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Thanks Pilli

    I gave the log another look, and I found it.

    Best Regards,

    DonKid.
     
  6. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    TH does indeed use it..........not that it is a bad thing.....
     
  7. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
    São Paulo, Brazil
    Thanks for your help.

    Best Regards,

    DonKid.
     
  8. madshi

    madshi Registered Member

    Joined:
    May 3, 2005
    Posts:
    8
    Just found this thread via google. I'm the author of madCodeHook and would like to add a comment:

    As was already explained by the mods here (thank you!), mchInjDrv is a driver which is internally used by madCodeHook to inject dlls into other processes. This is part of the whole API hooking technology. Now the injection driver in itself is quite innocent. It does nothing but inject a specified dll. It doesn't really know what purpose the dll has.

    Unfortunately some programmers misused madCodeHook to write rootkits (I really hate that). I've contacted them and asked them to stop doing that. They promised to stop using madCodeHook for rootkits etc.; hopefully they really will.

    On the positive side, a lot of good software "antiSomethingBad" is using madCodeHook for good purpose, and I'm quite happy about that.

    When you see "mchInjDrv" on your PC, you can only check whether the process which wants to use that is a process which you trust or not. The injection driver itself is not bad, but the dll which is injected *can* potentially be bad (unfortunately). If there was a way to detect bad dlls, I'd love to add that functionality to the injection driver, but I don't think that's technically possible.

    Why don't companies implement their own hooking technology? Because this is a *damn* difficult job to do. I've spent years to make madCodeHook stable and I'm proud to say that I believe it's one of the best available user mode API hooking packages on the market. All those companies using madCodeHook are just trying to not reinvent the wheel but to use a technology which is well tested and proven. Of course they could try to implement their own solution, but it would cost them years and the first versions would most probably be quite unstable (as mine were in the beginning).

    Thanks for listening. And if you have any questions or suggestions, please let me know.
     
  9. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi madshi,
    Thank you very much for your input, I certainly appreciate it :)

    Pilli
     
  11. Mephisto

    Mephisto Guest

    You might as well make a wish in one hand - and then sh!t in the other, and see which one gets full the fastest. Rules and Laws only apply to people who follow them - and when it comes to making money all the little niceties are dispensed with.
     
  12. madshi

    madshi Registered Member

    Joined:
    May 3, 2005
    Posts:
    8
    Thanks Pilli!

    Rainwalker, would you mind commenting in text? :)

    Mephisto, you're certainly right that some people don't care about good/bad and just want to make money, no matter what. But then there are some programmers who write rootkits just to demonstrate their skills. Such hobby programmers (often school kids) are not necessarily as bad as those money-eating, moral-ignoring people. Not that I would want to defend writing rootkits. I find it quite bad and I'm very angry about anyone misusing my madCodeHook package for such a purpose!
     
  13. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,712
    Location:
    USA
    No need :)
     
  14. MrOlaf

    MrOlaf Guest

    I get the file mc21.tmp being found by Norton Anti-Virus every time I start my comp. It says that it is part of the backdoor.graybird virus, a very nasty trojan. Dunno if anyone else gets this. I looked for the .dll that is supposedly associated with the virus and the registry entries, but they do not exist. But it appears every time. I am worried that the virus has a variant that no progs have found yet. Any thoughts would be appreciated.
     
  15. madshi

    madshi Registered Member

    Joined:
    May 3, 2005
    Posts:
    8
    This seems to be a false alarm. I've already been contacted about Norton firing an alarm for all software using madCodeHook. Quite stupid. I'm about to contact Norton to correct this...
     
  16. cjc

    cjc Guest

    I want to thank you guys for your ProcessGuard. I was going crazy with this new Backdoor.Graybird variant which generates "mc2X.tmp". All of the computers which have Spysweeper installed are susceptible. I installed ProcessGuard, rebooted to Safe Mode, uninstalled Spysweeper and removed the traces in the Registry (do a search for whichever temp file your computer has been infected with), and rebooted.
     
  17. SCer

    SCer Guest

    Spydoctor also uses the mchinjdrv hook.
     