Deucalion DLL does not get unloaded after shutdown if another client calls LoadLibrary on the DLL

[ff14wed]

Issue

Although the Deucalion logs show successful shutdown, in some cases the module is still loaded in the target process preventing any future injection attempts and connections from being made.

Reproduction

1. Inject Deucalion into the target process, e.g.

   deucalion_client path/to/deucalion.dll
   

2. Using another client, force another injection of Deucalion into the target process, e.g.

   deucalion_client path/to/deucalion.dll -f
   

3. Disconnect both clients (Ctrl+C to exit)
4. Attempt to connect again with a new client. This client will fail to make a connection to the named pipe since it does not exist.

Symptoms

• Connecting to the named pipe yields the following error: The system cannot find the file specified. (os error 2)
• Disconnecting all clients and reconnecting a client will still fail to make a connection to Deucalion
• When listing the loaded modules on the target process, Deucalion will be loaded, but no threads are running and the named pipe does not exist.
• Checking the refcount on the Deucalion DLL yields a number greater than 0 even with no clients connected.
• Restarting the target process resolves the issue

Workarounds

• Restart the target process
• or use Deucalion client to eject the DLL (not guaranteed to work), e.g.

  deucalion_client path/to/deucalion.dll -e