Search found 1065 matches
- Mon Dec 27, 2021 1:23 am
- Forum: madExcept
- Topic: Delphi 11 - Alexandria
- Replies: 31
- Views: 65677
Re: Delphi 11 - Alexandria
Madshi is working on this I assure you, please don't think otherwise. madExcept, madCodeHook and his newer project are very large projects. In this case supporting new Delphi versions where things can and have changed takes a bit of time to support correctly. We appreciate your patience, truly 110% ...
- Fri Nov 19, 2021 9:52 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Hello, My source code for the service INCLUDE test is below, it's very simple. The DLLs are empty code wise and do absolutely nothing which is best for these types of tests as we only care about injection and not hooking in this scenario. unit uTestMCHInclude; {$SetPEOptFlags $140} // DEP + ASLR //{...
- Thu Nov 18, 2021 7:27 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Hello, I've not been able to reproduce any issues with both include and exclude lists even when using a service that is auto-started so I'm not sure what else I can do here to help. All of my different tests have worked fine on my PCs and I've tested more than 1 machine and OS. I can make some guess...
- Tue Nov 16, 2021 11:22 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Hello, I've modified the code to only use the INCLUDE list with cmd.exe and copied my original demo code to a system service set to auto-start but I am not able to reproduce your issue once again. My tests worked correctly and only cmd.exe process was injected and no other processes even after resta...
- Tue Nov 16, 2021 9:35 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Hello,
I'll take a look into this ASAP and try to reproduce on my Windows 10 x64 setup. Thanks!
--Iconic
- Mon Nov 08, 2021 8:12 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
B is recommended if you have to support both 32-bit and 64-bit OS versions. Since I was only testing with 64-bit Windows 10 I didn't need to use the 2nd parameter (which is the 32-bit driver filename).
--Iconic
- Sun Nov 07, 2021 12:58 am
- Forum: madCodeHook
- Topic: About hooking SHFileOperation
- Replies: 5
- Views: 8145
Re: About hooking SHFileOperation
I'm very doubt SHFileOperation in win7 uses a publicly known file copy function internally You may be correct, I haven't personally checked with Windows 7. But, what begs the questions is.... Why would XP use CopyFileEx() and (according to your initial post) Windows 10 use CopyFile2() which are bot...
- Fri Nov 05, 2021 10:38 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Hello, I've just completed a series of EXCLUDE (not INCLUDE) tests with MCH Injection. I was not able to reproduce your issue at all, everything worked perfectly fine here. I tested in both Windows 7 x64 and Windows 10 x64. My simple code is below which matches yours except it's in Delphi (which I d...
- Fri Nov 05, 2021 7:43 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
    // Enable binary signing policies.
    if (flags & MITIGATION_FORCE_MS_SIGNED_BINS) {
      PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY policy = {};
      // Allow only MS signed binaries.
      policy.MicrosoftSignedOnly = true;
      // NOTE: there are two other flags available to allow
      // 1) Only Windows Store signed. /...
- Fri Nov 05, 2021 5:26 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Hello, On the contrary, I believe the Include param with Chrome as a target for injection is in fact solved as I mentioned yesterday. You can clearly see that the Chrome instances without the signature restriction for Microsoft get injected just fine but those that have this enforcement do not. If yo...
- Thu Nov 04, 2021 5:43 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
I tested with Process Hacker, you can double-click those Chrome process instances and under the general tab look at "mitigation policies" I was correct in saying there are more enforcements on certain instances of Chrome. See below please: Chrome processes that can be injected: DEP (perman...
- Thu Nov 04, 2021 5:33 pm
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
I just tested my own library since my demo is already setup for both 32-bit and 64-bit DLLs that are signed, I had the same result as you so it's not an MCH issue with the Include param. 10 Chrome processes were spawned and only half (5) were actually injected using my library and independently testi...
- Wed Nov 03, 2021 5:40 pm
- Forum: madCodeHook
- Topic: About hooking SHFileOperation
- Replies: 5
- Views: 8145
Re: About hooking SHFileOperation
Hello, Unfortunately I lack the time to help further, I'm currently heavily invested in some fairly large projects and today is yet another typical busy day for me otherwise I'd throw Shell32.dll into IDA and trace it downwards until I hit the definitive copy call. Are you absolutely 100% positive t...
- Tue Nov 02, 2021 8:54 pm
- Forum: madCodeHook
- Topic: About hooking SHFileOperation
- Replies: 5
- Views: 8145
Re: About hooking SHFileOperation
Older OSes such as XP SHFileOperationW(FO_COPY) would eventually boil down to calling CopyFileExW() - the unicode variant of CopyFileEx() I've just confirmed it by looking at the ReactOS source code. Anyhow, if you're not hooking the unicode version of that API you can try that first, otherwise IIRC...
- Tue Nov 02, 2021 3:38 am
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38384
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
@lovenamu, Thanks for checking back in, we will run some tests and see what's possibly going wrong here. At least for now you have a workaround, though. I'll update this thread in the next couple of days. I'll also test with Win 10 x64 as you were running this, both 32-bit and 64-bit DLLs for inject...