Unable to inject Clink

[MrIDK22]

Hi,

I recently started getting this error message when launching command prompt with Clink injected.

4d90 inject                    516 ---- 2022/09/01 19:01:20.571 -------------------------------------------------
4d90 inject                    517 Injecting Clink...
4d90 inject_dll                255 Version: 1.2.9.329839
4d90 inject_dll                256 Arch: x64
4d90 inject_dll                257 DLL: C:\Users\<user>\AppData\Local\Temp\clink\dll_cache\1.2.9.329839_6e5f8db5\clink_dll_x64.dll
4d90 inject_dll                259 Parent pid: 27892
4d90 check_dll_version         159 DLL version: 00010002 00090000

Is it possible to tell the issue from just the above? The logs don't seem to be pointing to anything... or is there a way to enable more verbose logging?

[chrisant996]

@MrIDK22 v1.2.9 is 15 months old. Would it be possible to upgrade to a more recent version?

More logging during clink inject was added in newer versions.

[MrIDK22]

I have updated to v1.3.42, log as follows:

530c inject                    563 ---- 2022/09/05 13:39:45.390 -------------------------------------------------
530c inject                    564 Injecting Clink...
530c inject_dll                269 Version: 1.3.42.ef446e
530c inject_dll                270 Arch: x64
530c inject_dll                271 DLL: C:\Users\<user>\AppData\Local\Temp\clink\dll_cache\1.3.42.ef446e_6e5f8db5\clink_dll_x64.dll
530c inject_dll                273 Parent pid: 41992
530c check_dll_version         168 DLL version: 00010003 002a0000
530c inject                    643 Process 41992 was unable to load the Clink DLL.

I ran inject from command line, so Process 41992 is referring to cmd.exe.

I'm using this in work, so it could be some policies from my IT, is there a way to check more detailed logs on why it was unable to load the DLL?

[chrisant996]

The only "why" it can get is which API function (if any) returns an error code, and what error code is returned.

In this case, everything succeeded up to and including injecting a remote thread into the target process. The most common place for anti-malware software to block Clink is the CreateRemoteThread() API.

But the failure occurred in the LoadLibraryW("C:\Users\<user>\AppData\Local\Temp\clink\dll_cache\1.3.42.ef446e_6e5f8db5\clink_dll_x64.dll") API call in the remote thread. That's the one place that it doesn't capture an error code. It's technically possible to capture the error code, but it would require injecting a more complex payload into the target process, and frankly that could make it more likely for anti-malware software to block Clink, so Clink keeps it simple and just gets back a yes/no indicator about whether it was able to load the DLL into the process.

It already confirmed the DLL file exists, is accessible, is the right bit-ness, and etc. If the C:\Users\<user> part of the path contains Unicode characters, then there could potentially be a problem with encoding, but that should work correctly as of v1.2.47.

So, I'm sorry to say, this is almost certainly due to anti-malware software blocking Clink. There's no way for Clink to find out for sure why errors occur. But you might (or might not) be able to find some logging in the anti-malware suite indicating what it has blocked.

Have you tried adding an exception in the anti-malware suite, and also in Windows Defender?
Or you could try filing a "false positive" report for Clink with the anti-malware suite software publisher.

(There's nothing Clink can do about this kind of situation.)

[MrIDK22]

I don't think it's related to Windows Defender as I have been able to get Clink to run previously.

I suspec tit might be anti-malware as it's a work computer, but I can't seem to check on anything on my side. I'll see if I can get IT's help for this.

It's definitely not Clink's issue imo, it's just that I can't seem to get any information on why it's happening, so I thought I could try my luck here.

Sorry and thanks for taking up your time :)

[chrisant996]

I don't think it's related to Windows Defender as I have been able to get Clink to run previously.

Just to be clear: Windows Defender and other anti-malware suites are constantly updating the "signatures" they use to detect malware. So, it is very possible for a suite to be happy with Clink for a while, and then suddenly become unhappy, and then become happy again later (usually in response to people reporting the "false positive" to the anti-malware suite publisher).