Hi Iconic
this happens with processes marked as CET compatible (/CETCOMPAT) including Chrome, Edge, and the test app I shared.
Search found 42 matches
- Mon Oct 25, 2021 9:16 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200318
- Thu Sep 30, 2021 10:04 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200318
Re: Intel's CET Shadow Stack issue
yes, the test project just continuously calls the hooked API. I have also tested hooking APIs other than PeekMessageW with the same result. Also, I assume the issue occurs in both debug vs release builds, and in 32bit as well as in 64bit? I think it was still occurring in debug builds. I don't have ...
- Sat Sep 18, 2021 7:43 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200318
Re: Intel's CET Shadow Stack issue
I believe so, the test app https://www.dropbox.com/s/34fnbg8vbx9o2 ... 3.zip?dl=0 is built with /CETCOMPAT
- Sat Sep 18, 2021 3:43 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200318
Re: Intel's CET Shadow Stack issue
Thanks iconic. It's definitely a CET issue as it can only be replicated on a CET enabled process. See https://bugs.chromium.org/p/chromium/issues/detail?id=1245815#c15: First conclusion - the shadow stack has overflowed but the real stack has not. Likely culprit - epclient64 doing some hooking, adju...
- Fri Sep 17, 2021 7:24 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200318
Re: Intel's CET Shadow Stack issue
I just tested with using NO_SAFE_UNHOOKING and it no longer crashes. Thanks madshi, I will use this work around. Let me know if you want me to do any tests.
- Fri Sep 17, 2021 7:12 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200318
Re: Intel's CET Shadow Stack issue
I'm sorry to report that this is still a problem for MCH 4.20.0 and can easily be replicated by repeatedly calling a hooked API from a CET enabled process until the shadow stack overflows. There is in-depth analysis in the chromium bug report that should help find a solution.
Thanks
- Thu Sep 16, 2021 9:55 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200318
Re: Intel's CET Shadow Stack issue
FYI: I just tried using detours in the test app instead and it worked without crashing
- Thu Sep 16, 2021 7:49 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200318
Re: Intel's CET Shadow Stack issue
Here is a stand-alone test app and dump file https://www.dropbox.com/s/34fnbg8vbx9o2lu/SS-1513.zip?dl=0. I just took a Visual Studio app wizard, repeatedly called PeekMessage and enabled CET. As noted by Google, this manifests as a shadow stack overflow on CET supported hardware. I can replicate this...
- Wed Sep 15, 2021 11:07 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200318
Re: Intel's CET Shadow Stack issue
Hi, I think that there may still be a problem with shadow stack support. Our software is hooking PeekMessageW in chrome.exe and msedge.exe. This is causing https://bugs.chromium.org/p/chromium/issues/detail?id=1245815. One suggested fix for the shadow stack overflow would be to pop the correct nu...
- Wed Apr 07, 2021 9:15 pm
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17515
Re: using RestoreCode with NtHookEngine
NtHookEngine uses an absolute jump: VOID WriteJump(VOID *pAddress, ULONG_PTR JumpTo) { DWORD dwOldProtect = 0; VirtualProtect(pAddress, JUMP_WORST, PAGE_EXECUTE_READWRITE, &dwOldProtect); BYTE *pCur = (BYTE *) pAddress; #ifdef _M_IX86 *(pCur++) = 0xff; *(pCur++) = 0x25; *((DWORD *) pCur) = (DWOR...
- Wed Apr 07, 2021 9:10 am
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17515
Re: using RestoreCode with NtHookEngine
thanks for the answer madshi
- Wed Apr 07, 2021 8:00 am
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17515
Re: using RestoreCode with NtHookEngine
NtHookEngine overwrites 10 bytes on x86, 14 bytes on x64. So that would explain the behavior, but why can't the code be restored?
- Wed Apr 07, 2021 1:19 am
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17515
Re: using RestoreCode with NtHookEngine
GetLastError returns 0
- Tue Apr 06, 2021 7:57 pm
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17515
Re: using RestoreCode with NtHookEngine
I've tried using GetProcAddress with the same result. NtHookEngine is very simple, the code can be found here: https://ntcore.com/files/nthookengine.htm, it doesn't use IAT patching. I have disassembled madCodeHook to try to figure out what the problem is. WasCodeChanged is returning 1 but orgCode ...
- Mon Apr 05, 2021 8:59 pm
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17515
using RestoreCode with NtHookEngine
Hi, is there any way to unhook NtHookEngine hooks with RestoreCode? RestoreCode always returns FALSE #include <windows.h> #include <nthookengine.h> #include <madchook.h> #include <stdio.h> int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) { printf("hooked MessageB...