Search found 150 matches
- Thu May 03, 2018 7:51 am
- Forum: madCodeHook
- Topic: MCH 3x: Win10 Parallel DLL loading issue
- Replies: 6
- Views: 10754
Re: MCH 3x: Win10 Parallel DLL loading issue
Hi, thx for fixing it, can you make beta build to test it? Thx. 1) MS evidently invested some time to check api hooking to disable parallel loading in case of their Detour dll injection, so it is the good idea to follow their path. 2) Sounds nice, but we will wait until it is done and bug free since ...
- Thu May 03, 2018 7:21 am
- Forum: madCodeHook
- Topic: MCH 3x: Win10 Parallel DLL loading issue
- Replies: 6
- Views: 10754
Re: MCH 3x: Win10 Parallel DLL loading issue
Hi, you mean this part of the code I guess: // if (mtid <> 0) and (mtid <> ctid) then begin // // This is not the main thread! This usually doesn't happen, except sometimes in win10. // // We "solve" this by waiting until the main thread has completed executing our loader stub. // // Max w...
- Wed Apr 18, 2018 6:54 am
- Forum: madCodeHook
- Topic: MCH 3x: Win10 Parallel DLL loading issue
- Replies: 6
- Views: 10754
MCH 3x: Win10 Parallel DLL loading issue
Hi, one customer has an issue with MCH and parallel DLL loading in their internal "K2.exe" app. Symptoms: They start K2. It takes about 10s to start, then it crashes in shcore.dll. (I can send you a dump with symbols if you want, ~100MB). 0 Id: 1d04.394 Suspend: 1 Teb: 0035e000 Unfrozen # Chi...
- Wed Apr 18, 2018 6:24 am
- Forum: madCodeHook
- Topic: MCH 3x: Small bug in GetCallingModule
- Replies: 1
- Views: 3893
MCH 3x: Small bug in GetCallingModule
Hi, I discovered a small bug in your GetCallingModule function code (ModuleTools.cpp, 379). ... if ( ((*g_pHookCollection)[i].pCodeHook != NULL) && ((*g_pHookCollection)[i].pCodeHook->mpInUseCodeArray != NULL) && (pReturnAddress >= (*g_pHookCollection)[i].pCodeHook->mpInUseCodeArray) &...
- Fri Apr 21, 2017 1:57 pm
- Forum: madCodeHook
- Topic: MCH3: Chrome and MIXTURE_MODE
- Replies: 9
- Views: 15579
Re: MCH3: Chrome and MIXTURE_MODE
It works. Thx.
PP
- Thu Apr 20, 2017 4:03 am
- Forum: madCodeHook
- Topic: MCH3: Chrome and MIXTURE_MODE
- Replies: 9
- Views: 15579
Re: MCH3: Chrome and MIXTURE_MODE
Hi,
I believe it is only 64b related. I haven't seen any problems related to 32b code yet.
PP
- Wed Apr 19, 2017 1:29 pm
- Forum: madCodeHook
- Topic: MCH3: Chrome and MIXTURE_MODE
- Replies: 9
- Views: 15579
Re: MCH3: Chrome and MIXTURE_MODE
Hi, I'd like to reopen this issue, because Bitdefender guys changed their hooks. Lines with * are Bitdefender's code.
0:009> u ntdll!ntopenprocess
ntdll!NtOpenProcess:
*00007ff8`8ee46580 48b85c060597f77f0000 mov rax,7FF79705065Ch
*00007ff8`8ee4658a 50 push rax
*00007ff8`8ee4658b c3 ret
00007ff8`8ee4...
- Wed Apr 12, 2017 11:07 am
- Forum: madCodeHook
- Topic: MCH3: W10 Insider DllHost injecting crash
- Replies: 36
- Views: 42653
Re: MCH3: W10 Insider DllHost injecting crash
Everything is OK. You can release it.
PP
- Mon Apr 10, 2017 11:08 am
- Forum: madCodeHook
- Topic: MCH3: W10 Insider DllHost injecting crash
- Replies: 36
- Views: 42653
Re: MCH3: W10 Insider DllHost injecting crash
We should have results tomorrow afternoon.
- Mon Apr 10, 2017 10:46 am
- Forum: madCodeHook
- Topic: MCH3: W10 Insider DllHost injecting crash
- Replies: 36
- Views: 42653
Re: MCH3: W10 Insider DllHost injecting crash
Hi,
I have sent this to our testers. They will check all OS versions.
PP
- Mon Apr 10, 2017 10:33 am
- Forum: madCodeHook
- Topic: MCH3: W10 Insider DllHost injecting crash
- Replies: 36
- Views: 42653
Re: MCH3: W10 Insider DllHost injecting crash
Hi,
I am taking my suspicion back. It was caused by windbg breakpoint on nttestalert (MCH wasn't able to rewrite it). Everything looks OK.
Thx for quick fix!
PS: I am using Process Hacker http://processhacker.sourceforge.net/
PP
- Mon Apr 10, 2017 9:49 am
- Forum: madCodeHook
- Topic: MCH3: W10 Insider DllHost injecting crash
- Replies: 36
- Views: 42653
Re: MCH3: W10 Insider DllHost injecting crash
Hi,
I am testing it now. Second RW memory page works OK, so the dllhost is not crashing or hanging anymore.
But I am experiencing some issue with "non-main thread waiting" part of the code you have implemented. I am debugging it right now. Maybe it is related, maybe not.
PP
- Sat Apr 08, 2017 6:23 am
- Forum: madCodeHook
- Topic: MCH3: W10 Insider DllHost injecting crash
- Replies: 36
- Views: 42653
Re: MCH3: W10 Insider DllHost injecting crash
You can set mitigation policies as startup info or in registry without any api call.
PP
- Fri Apr 07, 2017 10:39 am
- Forum: madCodeHook
- Topic: MCH3: W10 Insider DllHost injecting crash
- Replies: 36
- Views: 42653
Re: MCH3: W10 Insider DllHost injecting crash
We will be satisfied even if no "dynamic code prohibited" process is injected at all for now. But it can change in time, when we know what the clear intentions behind this are and how the apps will use this in the future.
- Fri Apr 07, 2017 10:27 am
- Forum: madCodeHook
- Topic: MCH3: W10 Insider DllHost injecting crash
- Replies: 36
- Views: 42653
Re: MCH3: W10 Insider DllHost injecting crash
You have 3 options: 1) Leave dynamic code prohibited processes be. 2) Implement NtTestAlert hook without VirtualProtect calls (maybe indirect jmp). 3) Call driver/serverapp to manipulate process memory for you. Set event or smth like that (From the presentation I included in this thread before: Miti...