Search found 1068 matches

by iconic
Wed Nov 03, 2021 5:40 pm
Forum: madCodeHook
Topic: About hooking SHFileOperation
Replies: 5
Views: 8243

Re: About hooking SHFileOperation

Hello, unfortunately I lack the time to help further; I'm currently heavily invested in some fairly large projects and today is yet another typical busy day for me, otherwise I'd throw Shell32.dll into IDA and trace it downwards until I hit the definitive copy call. Are you absolutely 100% positive t...
by iconic
Tue Nov 02, 2021 8:54 pm
Forum: madCodeHook
Topic: About hooking SHFileOperation
Replies: 5
Views: 8243

Re: About hooking SHFileOperation

On older OSes such as XP, SHFileOperationW(FO_COPY) would eventually boil down to calling CopyFileExW(), the Unicode variant of CopyFileEx(). I've just confirmed it by looking at the ReactOS source code. Anyhow, if you're not hooking the Unicode version of that API you can try that first, otherwise IIRC...
by iconic
Tue Nov 02, 2021 3:38 am
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 31
Views: 38657

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

@lovenamu, thanks for checking back in; we will run some tests and see what's possibly going wrong here. At least for now you have a workaround, though. I'll update this thread in the next couple of days. I'll also test with Win 10 x64 as you were running this, both 32-bit and 64-bit DLLs for inject...
by iconic
Sat Oct 30, 2021 12:33 am
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 31
Views: 38657

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Whoops, sorry I missed it in his code. I see it now; yeah, that definitely shouldn't be injected then as it's an Exclude param. I was instead focusing on why some system processes allow for injections (processes of the same name) while others don't due to mitigations =] I originally answered from my s...
by iconic
Fri Oct 29, 2021 6:31 am
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 31
Views: 38657

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Hello, that’s more than likely a mitigation issue requiring Microsoft to be the signer of your DLL or something similar to this. Not all instances will require this, so it’s confusing unless you look at the security involved per process; mitigation policy enforcement can be viewed in tools like Proce...
by iconic
Tue Oct 26, 2021 1:17 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200595

Re: Intel's CET Shadow Stack issue

Ok thank you, I wondered about any/all apps linked with the /CETCOMPAT flag.

--Iconic
by iconic
Mon Oct 25, 2021 9:03 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200595

Re: Intel's CET Shadow Stack issue

Bevan,

Can you please let us know if this happens with any process or is this just specific to a process such as Chrome or Edge?

--Iconic
by iconic
Sat Sep 18, 2021 9:36 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200595

Re: Intel's CET Shadow Stack issue

Unfortunately, like Madshi, I also do not possess the 9th Gen Intel CPUs that have CET technology built into the underlying hardware, so testing on my end isn't physically possible. As Madshi had said in a recent post, safe hooking uses different code branches where no safe unhooking is simple and s...
by iconic
Sat Sep 18, 2021 4:46 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200595

Re: Intel's CET Shadow Stack issue

Hmmm, so any process outside of the likes of MS Edge and Chrome you can also reproduce once CET is enabled with the same injected module?

--Iconic
by iconic
Sat Sep 18, 2021 12:18 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200595

Re: Intel's CET Shadow Stack issue

NO_SAFE_UNHOOKING makes a lot of sense when you're dealing with an API that may have a high call volume such as PeekMessageW(). Actually, Madshi recently mentioned this to someone else, which solved their separate issue below: http://forum.madshi.net/viewtopic.php?f=7&t=28915&p=54028&hilit...
by iconic
Thu Sep 16, 2021 11:16 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200595

Re: Intel's CET Shadow Stack issue

I'm very confident that the latest build of the collection that Madshi linked you to will solve your issue. If other users were still having CET issues since March they'd have been blasting him with emails these past 6 months, since the hotfix was released and the hook code stubs updated. I would definitely...
by iconic
Thu Sep 16, 2021 3:06 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200595

Re: Intel's CET Shadow Stack issue

Do you happen to have a crash dump or maybe you can share your code (callback only)? Does this happen with an empty callback where you just call the next hook? Lastly, and most importantly, does this happen with any other hooked APIs set in the Chrome process or is this only a PeekMessageW() issue y...
by iconic
Thu Aug 05, 2021 8:01 pm
Forum: madCodeHook
Topic: MCH v3.1.8 x64 Crash when exception raised in hooked procedure
Replies: 5
Views: 7838

Re: MCH v3.1.8 x64 Crash when exception raised in hooked procedure

Is there any specific reason why you'd need(?) to hook a procedure that intentionally raises an exception? ***Update*** I've just tested and reproduced on x64 only when calling the "hooked" function; as you've said, x86 seems to work fine. When commenting out the "raise exception"...
by iconic
Fri Apr 23, 2021 8:05 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 200595

Re: Intel's CET Shadow Stack issue

MCH v4.0 is definitely worth the upgrade as there have been several fixes and additions since v3.0 which is now nearly 10 years old! Highly recommend the upgrade :D

--Iconic
by iconic
Wed Apr 07, 2021 10:36 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 17691

Re: using RestoreCode with NtHookEngine

Bevan, they both (x86 and x64) exceed the byte limits (10 and 14 bytes, respectively), since the original author already states this and you had mentioned this in a previous post. This means we'd have a worst case scenario of 10 bytes on x86 and of 14 bytes on x64. In this hook engine I'm using onl...