Search found 1019 matches

by iconic
Fri Nov 19, 2021 9:52 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Hello, My source code for the service INCLUDE test is below, it's very simple. The DLLs are empty code wise and do absolutely nothing which is best for these types of tests as we only care about injection and not hooking in this scenario. unit uTestMCHInclude; {$SetPEOptFlags $140} // DEP + ASLR //{...
by iconic
Thu Nov 18, 2021 7:27 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Hello, I've not been able to reproduce any issues with both include and exclude lists even when using a service that is auto-started so I'm not sure what else I can do here to help. All of my different tests have worked fine on my PCs and I've tested more than 1 machine and OS. I can make some guess...
by iconic
Tue Nov 16, 2021 11:22 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Hello, I've modified the code to only use the INCLUDE list with cmd.exe and copied my original demo code to a system service set to auto-start but I am not able to reproduce your issue once again. My tests worked correctly and only cmd.exe process was injected and no other processes even after resta...
by iconic
Tue Nov 16, 2021 9:35 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Hello,

I'll take a look into this ASAP and try to reproduce on my Windows 10 x64 setup. Thanks!

--Iconic
by iconic
Mon Nov 08, 2021 8:12 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

B is recommended if you have to support both 32-bit and 64-bit OS versions. Since I was only testing with 64-bit Windows 10 I didn't need to use the 2nd parameter (which is the 32-bit driver filename).

--Iconic
by iconic
Sun Nov 07, 2021 12:58 am
Forum: madCodeHook
Topic: About hooking SHFileOperation
Replies: 5
Views: 198

Re: About hooking SHFileOperation

I'm very doubt SHFileOperation in win7 uses a publicly known file copy function internally You may be correct, I haven't personally checked with Windows 7. But, what begs the questions is.... Why would XP use CopyFileEx() and (according to your initial post) Windows 10 use CopyFile2() which are bot...
by iconic
Fri Nov 05, 2021 10:38 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Hello, I've just completed a series of EXCLUDE (not INCLUDE) tests with MCH Injection. I was not able to reproduce your issue at all, everything worked perfectly fine here. I tested in both Windows 7 x64 and Windows 10 x64. My simple code is below which matches yours except it's in Delphi (which I d...
by iconic
Fri Nov 05, 2021 7:43 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

// Enable binary signing policies.
if (flags & MITIGATION_FORCE_MS_SIGNED_BINS) {
    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = {};
    // Allow only MS signed binaries.
    policy.MicrosoftSignedOnly = true;
    // NOTE: there are two other flags available to allow
    // 1) Only Windows Store signed.
    /...
by iconic
Fri Nov 05, 2021 5:26 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Hello, On the contrary, I believe the Include param with Chrome as a target for injection is in fact solved as I mentioned yesterday. You can clearly see that the Chrome instances without the signature restriction for Microsoft get injected just fine but those that have this enforcement do not. If yo...
by iconic
Thu Nov 04, 2021 5:43 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

I tested with Process Hacker, you can double-click those Chrome process instances and under the general tab look at "mitigation policies" I was correct in saying there are more enforcements on certain instances of Chrome. See below please: Chrome processes that can be injected: DEP (perman...
by iconic
Thu Nov 04, 2021 5:33 pm
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

I just tested my own library since my demo is already set up for both 32-bit and 64-bit DLLs that are signed, I had the same result as you so it's not an MCH issue with the Include param. 10 Chrome processes were spawned and only half (5) were actually injected using my library and independently testi...
by iconic
Wed Nov 03, 2021 5:40 pm
Forum: madCodeHook
Topic: About hooking SHFileOperation
Replies: 5
Views: 198

Re: About hooking SHFileOperation

Hello, Unfortunately I lack the time to help further, I'm currently heavily invested in some fairly large projects and today is yet another typical busy day for me otherwise I'd throw Shell32.dll into IDA and trace it downwards until I hit the definitive copy call. Are you absolutely 100% positive t...
by iconic
Tue Nov 02, 2021 8:54 pm
Forum: madCodeHook
Topic: About hooking SHFileOperation
Replies: 5
Views: 198

Re: About hooking SHFileOperation

Older OSes such as XP SHFileOperationW(FO_COPY) would eventually boil down to calling CopyFileExW() - the unicode variant of CopyFileEx() I've just confirmed it by looking at the ReactOS source code. Anyhow, if you're not hooking the unicode version of that API you can try that first, otherwise IIRC...
by iconic
Tue Nov 02, 2021 3:38 am
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

@lovenamu, Thanks for checking back in, we will run some tests and see what's possibly going wrong here. At least for now you have a workaround, though. I'll update this thread in the next couple of days. I'll also test with Win 10 x64 as you were running this, both 32-bit and 64-bit DLLs for inject...
by iconic
Sat Oct 30, 2021 12:33 am
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 29
Views: 686

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Whoops, sorry I missed it in his code. I see it now, yeah that definitely shouldn't be injected then as it's an Exclude param. I was instead focusing on why some system processes allow for injections (processes of the same name) while others don't due to mitigations =] I originally answered from my s...