Search found 42 matches

by Bevan Collins
Mon Oct 25, 2021 9:16 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 198478

Re: Intel's CET Shadow Stack issue

Hi Iconic

This happens with processes marked as CET compatible (/CETCOMPAT), including Chrome, Edge, and the test app I shared.
by Bevan Collins
Thu Sep 30, 2021 10:04 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 198478

Re: Intel's CET Shadow Stack issue

Yes, the test project just continuously calls the hooked API. I have also tested hooking APIs other than PeekMessageW with the same result. Also, I assume the issue occurs in both debug vs release builds, and in 32bit as well as in 64bit? I think it was still occurring in debug builds. I don't have ...
by Bevan Collins
Sat Sep 18, 2021 7:43 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 198478

Re: Intel's CET Shadow Stack issue

I believe so, the test app https://www.dropbox.com/s/34fnbg8vbx9o2 ... 3.zip?dl=0 is built with /CETCOMPAT.
by Bevan Collins
Sat Sep 18, 2021 3:43 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 198478

Re: Intel's CET Shadow Stack issue

Thanks iconic. It's definitely a CET issue as it can only be replicated on a CET enabled process. See https://bugs.chromium.org/p/chromium/issues/detail?id=1245815#c15: First conclusion - the shadow stack has overflowed but the real stack has not. Likely culprit - epclient64 doing some hooking, adju...
by Bevan Collins
Fri Sep 17, 2021 7:24 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 198478

Re: Intel's CET Shadow Stack issue

I just tested with using NO_SAFE_UNHOOKING and it no longer crashes. Thanks madshi, I will use this workaround. Let me know if you want me to do any tests.
by Bevan Collins
Fri Sep 17, 2021 7:12 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 198478

Re: Intel's CET Shadow Stack issue

I'm sorry to report that this is still a problem for MCH 4.20.0 and can easily be replicated by repeatedly calling a hooked API from a CET enabled process until the shadow stack overflows. There is in-depth analysis in the chromium bug report that should help find a solution.

Thanks
by Bevan Collins
Thu Sep 16, 2021 9:55 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 198478

Re: Intel's CET Shadow Stack issue

FYI: I just tried using Detours in the test app instead and it worked without crashing.
by Bevan Collins
Thu Sep 16, 2021 7:49 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 198478

Re: Intel's CET Shadow Stack issue

Here is a stand-alone test app and dump file: https://www.dropbox.com/s/34fnbg8vbx9o2lu/SS-1513.zip?dl=0. I just took a Visual Studio app wizard project, repeatedly called PeekMessage and enabled CET. As noted by Google, this manifests as a shadow stack overflow on CET supported hardware. I can replicate this...
by Bevan Collins
Wed Sep 15, 2021 11:07 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 198478

Re: Intel's CET Shadow Stack issue

Hi, I think that there may still be a problem with shadow stack support. Our software is hooking PeekMessageW in chrome.exe and msedge.exe. This is causing https://bugs.chromium.org/p/chromium/issues/detail?id=1245815. One suggested fix is: for the shadow stack overflow would be to pop the correct nu...
by Bevan Collins
Wed Apr 07, 2021 9:15 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 16887

Re: using RestoreCode with NtHookEngine

NtHookEngine uses an absolute jump:

    VOID WriteJump(VOID *pAddress, ULONG_PTR JumpTo)
    {
        DWORD dwOldProtect = 0;
        VirtualProtect(pAddress, JUMP_WORST, PAGE_EXECUTE_READWRITE, &dwOldProtect);
        BYTE *pCur = (BYTE *) pAddress;
    #ifdef _M_IX86
        *(pCur++) = 0xff;
        *(pCur++) = 0x25;
        *((DWORD *) pCur) = (DWOR...
by Bevan Collins
Wed Apr 07, 2021 9:10 am
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 16887

Re: using RestoreCode with NtHookEngine

Thanks for the answer madshi.
by Bevan Collins
Wed Apr 07, 2021 8:00 am
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 16887

Re: using RestoreCode with NtHookEngine

NtHookEngine overwrites 10 bytes on x86, 14 bytes on x64. So that would explain the behavior, but why can't the code be restored?
by Bevan Collins
Wed Apr 07, 2021 1:19 am
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 16887

Re: using RestoreCode with NtHookEngine

GetLastError returns 0.
by Bevan Collins
Tue Apr 06, 2021 7:57 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 16887

Re: using RestoreCode with NtHookEngine

I've tried using GetProcAddress with the same result. NtHookEngine is very simple; the code can be found here: https://ntcore.com/files/nthookengine.htm. It doesn't use IAT patching. I have disassembled madCodeHook to try to figure out what the problem is. WasCodeChanged is returning 1 but orgCode ...
by Bevan Collins
Mon Apr 05, 2021 8:59 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 16887

using RestoreCode with NtHookEngine

Hi, is there any way to unhook NtHookEngine hooks with RestoreCode? RestoreCode always returns FALSE.

    #include <windows.h>
    #include <nthookengine.h>
    #include <madchook.h>
    #include <stdio.h>

    int WINAPI MyMessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType)
    {
        printf("hooked MessageB...