Search found 975 matches
- Fri Feb 05, 2021 8:20 am
- Forum: madExcept
- Topic: Custom proxy missing null termination
- Replies: 2
- Views: 73
Re: Custom proxy missing null termination
Hi AndersB, Your code update would be better with the below changes, but thanks for pointing this out to us. function AnsiToGlobalUnicode(const ansi: AnsiString) : pointer; var us1 : UnicodeString; begin if ansi <> '' then begin us1 := UnicodeString(ansi); result := pointer(GlobalAlloc(GPTR, Length(...
- Fri Jan 01, 2021 1:04 am
- Forum: fun talk
- Topic: Happy New Year!
- Replies: 11
- Views: 14554
Re: Happy New Year!
It's that time again... Happy New Year (2021) to all of our friends here on the forum.
Stay safe and be productive.
--Iconic
- Wed Dec 02, 2020 3:55 am
- Forum: madCodeHook
- Topic: problem with CopyFunction
- Replies: 11
- Views: 4266
Re: problem with CopyFunction
Hi Bevan, Thanks for deleting your project online containing the .lib files. Much appreciated. Accidents happen and whether you were in a rush or perhaps forgot that this can be viewed publicly... things happen, but thanks for your quick deletion of such sensitive files. So... according to your last...
- Fri Nov 27, 2020 10:25 pm
- Forum: madCodeHook
- Topic: problem with CopyFunction
- Replies: 11
- Views: 4266
Re: problem with CopyFunction
Hi Bevan, I've uploaded the pre-built 64-bit binary here https://easyupload.io/mo975t You may need to disable Windows Defender and/or other security apps in order to download it, it's being detected as a virus likely because MCH was compiled into it and it's using APIs like WriteProcessMemory and Cr...
- Tue Nov 24, 2020 9:10 pm
- Forum: madCodeHook
- Topic: problem with CopyFunction
- Replies: 11
- Views: 4266
Re: problem with CopyFunction
Hi Bevan, I've rerun the demo on Windows 10 x64 20H2 and tested a 64-bit .exe compiled with madCHook64mt.lib - it continues to work as expected without issue here. I tested 3x with both the WOW64 version of Notepad as well as the Native 64-bit version of Notepad. Did you want me to upload my pre-bui...
- Tue Nov 24, 2020 5:33 am
- Forum: madCodeHook
- Topic: problem with CopyFunction
- Replies: 11
- Views: 4266
Re: problem with CopyFunction
I’ll test on Windows 10 later today and see if there is any change.
—Iconic
- Tue Nov 24, 2020 5:05 am
- Forum: madCodeHook
- Topic: problem with CopyFunction
- Replies: 11
- Views: 4266
Re: problem with CopyFunction
Hello, I've tested here on Win 7 x64 SP1 with both target builds of the same .exe (32-bit and 64-bit) and then tried both instances (32-bit and 64-bit) of Notepad to see if it was something related to WOW64 <-> Native execution but it doesn't appear to be. In any case it all worked perfectly fine fo...
- Fri Nov 20, 2020 3:43 am
- Forum: madCodeHook
- Topic: problem with CopyFunction
- Replies: 11
- Views: 4266
Re: problem with CopyFunction
Hello,
I'll make some time tomorrow to check into this. Thanks!
--Iconic
- Tue Sep 22, 2020 8:57 pm
- Forum: madExcept
- Topic: SMPT send problem with port 465/587
- Replies: 2
- Views: 1313
Re: SMPT send problem with port 465/587
Completely agree with Madshi on this one. HTTP would be the best way to go given your circumstances.
--Iconic
- Thu Aug 06, 2020 11:11 pm
- Forum: madCodeHook
- Topic: not injecting into the system process
- Replies: 11
- Views: 6289
Re: not injecting into the system process
Hi Bevan, I'm familiar with those linker flag options, especially /integritycheck. I use a kernel call to ObRegisterCallbacks() a lot in drivers to protect the thread and process object, ObRegisterCallbacks() will completely fail if /integritycheck isn't specified. Definitely appears to be CI relate...
- Thu Aug 06, 2020 10:20 pm
- Forum: madCodeHook
- Topic: not injecting into the system process
- Replies: 11
- Views: 6289
Re: not injecting into the system process
Thanks for posting your event information. After looking at it I don't think this has anything to do with opening the system process and is specifically a CI error for code integrity of your injected DLL file. SYSTEM just attempts to verify it. So, it sounds more like your signature for your DLL has...
- Thu Aug 06, 2020 10:02 pm
- Forum: madCodeHook
- Topic: not injecting into the system process
- Replies: 11
- Views: 6289
Re: not injecting into the system process
Ok, great.
We can add this to the to-do list then.
--Iconic
- Thu Aug 06, 2020 9:42 pm
- Forum: madCodeHook
- Topic: not injecting into the system process
- Replies: 11
- Views: 6289
Re: not injecting into the system process
Hey Mathias, I'm talking about the OS hardcoded process ids of 0 and 4, they're static. In Windows 2000 SYSTEM process id is 8 but on XP+ it's always 4. So, by looking at the process id alone it can be determined if it will create a failed security audit entry. That's what I was saying. Neither proc...
- Thu Aug 06, 2020 9:01 pm
- Forum: madCodeHook
- Topic: not injecting into the system process
- Replies: 11
- Views: 6289
Re: not injecting into the system process
Hi Bevan, I ran a few tests and do see that MCH is indeed opening the SYSTEM process when attempting to inject system-wide. Actually, even PID 0 (System Idle Process) is attempted as well. Of course with SYSTEM the return of NtOpenProcess() is (NTSTATUS)0xC0000022 which is STATUS_ACCESS_DENIED. So, ...
- Thu Aug 06, 2020 5:24 am
- Forum: madCodeHook
- Topic: not injecting into the system process
- Replies: 11
- Views: 6289
Re: not injecting into the system process
Hello, I’ll run some tests later today and see. Worst case we may update the code to dismiss pid 4 (XP and above) or pid 8 (Win2K). They cannot be injected successfully anyhow. What OS are you seeing the audit details in the event viewer? Legacy OSes like XP? P.S: Can you also try excluding the name...