Search found 1068 matches
- Wed Nov 03, 2021 5:40 pm
- Forum: madCodeHook
- Topic: About hooking SHFileOperation
- Replies: 5
- Views: 8243
Re: About hooking SHFileOperation
Hello, Unfortunately I lack the time to help further, I'm currently heavily invested in some fairly large projects and today is yet another typical busy day for me otherwise I'd throw Shell32.dll into IDA and trace it downwards until I hit the definitive copy call. Are you absolutely 100% positive t...
- Tue Nov 02, 2021 8:54 pm
- Forum: madCodeHook
- Topic: About hooking SHFileOperation
- Replies: 5
- Views: 8243
Re: About hooking SHFileOperation
Older OSes such as XP SHFileOperationW(FO_COPY) would eventually boil down to calling CopyFileExW() - the unicode variant of CopyFileEx() I've just confirmed it by looking at the ReactOS source code. Anyhow, if you're not hooking the unicode version of that API you can try that first, otherwise IIRC...
- Tue Nov 02, 2021 3:38 am
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38657
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
@lovenamu, Thanks for checking back in, we will run some tests and see what's possibly going wrong here. At least for now you have a workaround, though. I'll update this thread in the next couple of days. I'll also test with Win 10 x64 as you were running this, both 32-bit and 64-bit DLLs for inject...
- Sat Oct 30, 2021 12:33 am
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38657
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Woops, sorry I missed it in his code. I see it now, yeah that definitely shouldn't be injected then as it's an Exclude param. I was instead focusing on why some system processes allow for injections (processes of the same name) while others don't due to mitigations =] I originally answered from my s...
- Fri Oct 29, 2021 6:31 am
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38657
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Hello, That’s more than likely a mitigation issue requiring Microsoft to be the signer of your DLL or something similar to this. Not all instances will require this so it’s confusing unless you look at the security involved per process, mitigation policy enforcement can be viewed in tools like Proce...
- Tue Oct 26, 2021 1:17 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200595
Re: Intel's CET Shadow Stack issue
Ok thank you, I wondered about any/all apps linked with the /CETCOMPAT flag.
--Iconic
- Mon Oct 25, 2021 9:03 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200595
Re: Intel's CET Shadow Stack issue
Bevan,
Can you please let us know if this happens with any process or is this just specific to a process such as Chrome or Edge?
--Iconic
- Sat Sep 18, 2021 9:36 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200595
Re: Intel's CET Shadow Stack issue
Unfortunately, like Madshi, I also do not possess the 9th Gen Intel CPUs that have CET technology built-in to the underlying hardware so testing on my end isn't physically possible. As Madshi had said in a recent post, safe hooking uses different code branches where no safe unhooking is simple and s...
- Sat Sep 18, 2021 4:46 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200595
Re: Intel's CET Shadow Stack issue
Hmmm, so any process outside of the likes of MS Edge and Chrome you can also reproduce once CET is enabled with the same injected module?
—Iconic
- Sat Sep 18, 2021 12:18 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200595
Re: Intel's CET Shadow Stack issue
NO_SAFE_UNHOOKING makes a lot of sense when you're dealing with an API that may have a high call volume such as PeekMessageW() Actually, Madshi recently mentioned this to someone else which solved their separate issue below: http://forum.madshi.net/viewtopic.php?f=7&t=28915&p=54028&hilit...
- Thu Sep 16, 2021 11:16 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200595
Re: Intel's CET Shadow Stack issue
I'm very confident that the latest build of the collection that Madshi linked you to will solve your issue. If other users were still having CET issues since March they'd be blasting him with emails this past 6 months, since the hotfix was released and the hook code stubs updated. I would definitely...
- Thu Sep 16, 2021 3:06 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200595
Re: Intel's CET Shadow Stack issue
Do you happen to have a crash dump or maybe you can share your code (callback only)? Does this happen with an empty callback where you just call the next hook? Lastly, and most importantly, does this happen with any other hooked APIs set in the Chrome process or is this only a PeekMessageW() issue y...
- Thu Aug 05, 2021 8:01 pm
- Forum: madCodeHook
- Topic: MCH v3.1.8 x64 Crash when exception raised in hooked procedure
- Replies: 5
- Views: 7838
Re: MCH v3.1.8 x64 Crash when exception raised in hooked procedure
Is there any specific reason why you'd need(?) to hook a procedure that intentionally raises an exception? ***Update*** I've just tested and reproduced on x64 only when calling the "hooked" function, as you've said x86 seems to work fine. When commenting out the "raise exception"...
- Fri Apr 23, 2021 8:05 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200595
Re: Intel's CET Shadow Stack issue
MCH v4.0 is definitely worth the upgrade as there have been several fixes and additions since v3.0 which is now nearly 10 years old! Highly recommend the upgrade
--Iconic
- Wed Apr 07, 2021 10:36 pm
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17691
Re: using RestoreCode with NtHookEngine
Bevan, They both (x86 and x64) exceed the byte limits (10 and 14 bytes, respectively) , since the original author already states this and you had mentioned this in a previous post. This means we'd have a worst case scenario of 10 bytes on x86 and of 14 bytes on x64. In this hook engine I'm using onl...