Search found 150 matches

by EaSy
Thu May 03, 2018 7:51 am
Forum: madCodeHook
Topic: MCH 3x: Win10 Parallel DLL loading issue
Replies: 6
Views: 7185

Re: MCH 3x: Win10 Parallel DLL loading issue

Hi, thx for fixing it, can you make a beta build to test it? Thx. 1) MS evidently invested some time to check API hooking and disable parallel loading in the case of their Detour DLL injection, so it is a good idea to follow their path. 2) Sounds nice, but we will wait until it is done and bug free since ...
by EaSy
Thu May 03, 2018 7:21 am
Forum: madCodeHook
Topic: MCH 3x: Win10 Parallel DLL loading issue
Replies: 6
Views: 7185

Re: MCH 3x: Win10 Parallel DLL loading issue

Hi, you mean this part of the code I guess: // if (mtid <> 0) and (mtid <> ctid) then begin // // This is not the main thread! This usually doesn't happen, except sometimes in win10. // // We "solve" this by waiting until the main thread has completed executing our loader stub. // // Max w...
by EaSy
Wed Apr 18, 2018 6:54 am
Forum: madCodeHook
Topic: MCH 3x: Win10 Parallel DLL loading issue
Replies: 6
Views: 7185

MCH 3x: Win10 Parallel DLL loading issue

Hi, one customer has an issue with MCH and parallel DLL loading in their internal "K2.exe" app. Symptoms: They start K2. It takes about 10s to start, then it crashes in shcore.dll. (I can send you a dump with symbols if you want, ~100MB). 0 Id: 1d04.394 Suspend: 1 Teb: 0035e000 Unfrozen # Chi...
by EaSy
Wed Apr 18, 2018 6:24 am
Forum: madCodeHook
Topic: MCH 3x: Small bug in GetCallingModule
Replies: 1
Views: 2258

MCH 3x: Small bug in GetCallingModule

Hi, I discovered a small bug in your GetCallingModule function code (ModuleTools.cpp, 379). ... if ( ((*g_pHookCollection)[i].pCodeHook != NULL) && ((*g_pHookCollection)[i].pCodeHook->mpInUseCodeArray != NULL) && (pReturnAddress >= (*g_pHookCollection)[i].pCodeHook->mpInUseCodeArray) &...
by EaSy
Fri Apr 21, 2017 1:57 pm
Forum: madCodeHook
Topic: MCH3: Chrome and MIXTURE_MODE
Replies: 9
Views: 11681

Re: MCH3: Chrome and MIXTURE_MODE

It works. Thx.

PP
by EaSy
Thu Apr 20, 2017 4:03 am
Forum: madCodeHook
Topic: MCH3: Chrome and MIXTURE_MODE
Replies: 9
Views: 11681

Re: MCH3: Chrome and MIXTURE_MODE

Hi,
I believe it is only 64-bit related. I haven't seen any problems related to 32-bit code yet.

PP
by EaSy
Wed Apr 19, 2017 1:29 pm
Forum: madCodeHook
Topic: MCH3: Chrome and MIXTURE_MODE
Replies: 9
Views: 11681

Re: MCH3: Chrome and MIXTURE_MODE

Hi, I'd like to reopen this issue, because the Bitdefender guys changed their hooks. Lines with * are Bitdefender's code.

0:009> u ntdll!ntopenprocess
ntdll!NtOpenProcess:
*00007ff8`8ee46580 48b85c060597f77f0000 mov rax,7FF79705065Ch
*00007ff8`8ee4658a 50 push rax
*00007ff8`8ee4658b c3 ret
00007ff8`8ee4...
by EaSy
Wed Apr 12, 2017 11:07 am
Forum: madCodeHook
Topic: MCH3: W10 Insider DllHost injecting crash
Replies: 36
Views: 31713

Re: MCH3: W10 Insider DllHost injecting crash

Everything is OK. You can release it.

PP
by EaSy
Mon Apr 10, 2017 11:08 am
Forum: madCodeHook
Topic: MCH3: W10 Insider DllHost injecting crash
Replies: 36
Views: 31713

Re: MCH3: W10 Insider DllHost injecting crash

We should have results tomorrow afternoon.
by EaSy
Mon Apr 10, 2017 10:46 am
Forum: madCodeHook
Topic: MCH3: W10 Insider DllHost injecting crash
Replies: 36
Views: 31713

Re: MCH3: W10 Insider DllHost injecting crash

Hi,
I have sent this to our testers. They will check all OS versions.

PP
by EaSy
Mon Apr 10, 2017 10:33 am
Forum: madCodeHook
Topic: MCH3: W10 Insider DllHost injecting crash
Replies: 36
Views: 31713

Re: MCH3: W10 Insider DllHost injecting crash

Hi,
I am taking my suspicion back. It was caused by a windbg breakpoint on nttestalert (MCH wasn't able to rewrite it). Everything looks OK.

Thx for the quick fix!

PS: I am using Process Hacker http://processhacker.sourceforge.net/

PP
by EaSy
Mon Apr 10, 2017 9:49 am
Forum: madCodeHook
Topic: MCH3: W10 Insider DllHost injecting crash
Replies: 36
Views: 31713

Re: MCH3: W10 Insider DllHost injecting crash

Hi,
I am testing it now. The second RW memory page works OK, so dllhost is not crashing or hanging anymore.
But I am experiencing some issue with the "non-main thread waiting" part of the code you have implemented. I am debugging it right now. Maybe it is related, maybe not.

PP
by EaSy
Sat Apr 08, 2017 6:23 am
Forum: madCodeHook
Topic: MCH3: W10 Insider DllHost injecting crash
Replies: 36
Views: 31713

Re: MCH3: W10 Insider DllHost injecting crash

You can set mitigation policies as startup info or in the registry without any API call.

PP
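The registry route mentioned in the post above, as an added example (not code from the forum thread or from the madCodeHook project): it persists a "prohibit dynamic code" mitigation for an image name through Image File Execution Options, so the target process gets the policy at creation time without ever calling SetProcessMitigationPolicy, and then reads the effective policy back from a running instance. The image name K2.exe is taken from the thread and is only a placeholder here; the Get-ItemProperty step assumes the cmdlet stores the policy in the IFEO MitigationOptions value.

```powershell
# Added example, not from the madCodeHook forum or project.
# Needs Windows 10 1709 or later (ProcessMitigations module) and an elevated shell.
# $Target is a placeholder image name taken from the thread; substitute your own.
$Target = 'K2.exe'   # image name only, not a path: IFEO entries are matched by file name

# 1) Persist the policy. Set-ProcessMitigation writes it under the IFEO key for the
#    image, and the kernel applies it when a process with that name is created,
#    so the application itself never has to call SetProcessMitigationPolicy.
Set-ProcessMitigation -Name $Target -Enable DynamicCode

# 2) Read back what was written (assumption: the cmdlet stores the bitmask in the
#    MitigationOptions value next to the usual IFEO entries for this image).
$ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$Target"
Get-ItemProperty -Path $ifeo | Select-Object MitigationOptions

# 3) Confirm the stored policy, then the effective policy on a live instance.
#    BlockDynamicCode is ON when dynamic code is prohibited for that process.
(Get-ProcessMitigation -Name $Target).DynamicCode.BlockDynamicCode
$proc = Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($Target)) -ErrorAction SilentlyContinue
if ($proc) {
    (Get-ProcessMitigation -Id $proc[0].Id).DynamicCode.BlockDynamicCode
}

# 4) Turn the policy off again for this image when finished testing.
Set-ProcessMitigation -Name $Target -Disable DynamicCode
```

The other route the post names, startup info, is the same policy bitmask passed per launch: the parent puts PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON into a PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute on a STARTUPINFOEX and calls CreateProcess with EXTENDED_STARTUPINFO_PRESENT. Either way the policy is in place before any injected DLL runs, which is why a hook library that needs a writable code page in the target has to handle it rather than expect to turn it off from inside the process.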
by EaSy
Fri Apr 07, 2017 10:39 am
Forum: madCodeHook
Topic: MCH3: W10 Insider DllHost injecting crash
Replies: 36
Views: 31713

Re: MCH3: W10 Insider DllHost injecting crash

We will be satisfied even if no "dynamic code prohibited" process is injected at all for now. But it can change in time once we know what the clear intentions behind this are and how apps will use this in the future.
by EaSy
Fri Apr 07, 2017 10:27 am
Forum: madCodeHook
Topic: MCH3: W10 Insider DllHost injecting crash
Replies: 36
Views: 31713

Re: MCH3: W10 Insider DllHost injecting crash

You have 3 options:
1) Leave dynamic code prohibited processes be.
2) Implement the NtTestAlert hook without VirtualProtect calls (maybe an indirect jmp).
3) Call the driver/server app to manipulate process memory for you. Set an event or smth like that (From the presentation I included in this thread before: Miti...