Search found 1065 matches
- Sat Oct 30, 2021 12:33 am
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38409
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Whoops, sorry I missed it in his code. I see it now, yeah that definitely shouldn't be injected then as it's an Exclude param. I was instead focusing on why some system processes allow for injections (processes of the same name) while others don't due to mitigations =] I originally answered from my s...
- Fri Oct 29, 2021 6:31 am
- Forum: madCodeHook
- Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
- Replies: 31
- Views: 38409
Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Hello, That’s more than likely a mitigation issue requiring Microsoft to be the signer of your DLL or something similar to this. Not all instances will require this so it’s confusing unless you look at the security involved per process, mitigation policy enforcement can be viewed in tools like Proce...
- Tue Oct 26, 2021 1:17 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200139
Re: Intel's CET Shadow Stack issue
Ok thank you, I wondered about any/all apps linked with the /CETCOMPAT flag.
--Iconic
- Mon Oct 25, 2021 9:03 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200139
Re: Intel's CET Shadow Stack issue
Bevan,
Can you please let us know if this happens with any process or is this just specific to a process such as Chrome or Edge?
--Iconic
- Sat Sep 18, 2021 9:36 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200139
Re: Intel's CET Shadow Stack issue
Unfortunately, like Madshi, I also do not possess the 9th Gen Intel CPUs that have CET technology built into the underlying hardware so testing on my end isn't physically possible. As Madshi had said in a recent post, safe hooking uses different code branches where no safe unhooking is simple and s...
- Sat Sep 18, 2021 4:46 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200139
Re: Intel's CET Shadow Stack issue
Hmmm, so any process outside of the likes of MS Edge and Chrome you can also reproduce once CET is enabled with the same injected module?
—Iconic
- Sat Sep 18, 2021 12:18 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200139
Re: Intel's CET Shadow Stack issue
NO_SAFE_UNHOOKING makes a lot of sense when you're dealing with an API that may have a high call volume such as PeekMessageW(). Actually, Madshi recently mentioned this to someone else which solved their separate issue below: http://forum.madshi.net/viewtopic.php?f=7&t=28915&p=54028&hilit...
- Thu Sep 16, 2021 11:16 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200139
Re: Intel's CET Shadow Stack issue
I'm very confident that the latest build of the collection that Madshi linked you to will solve your issue. If other users were still having CET issues since March they'd be blasting him with emails this past 6 months, since the hotfix was released and the hook code stubs updated. I would definitely...
- Thu Sep 16, 2021 3:06 am
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200139
Re: Intel's CET Shadow Stack issue
Do you happen to have a crash dump or maybe you can share your code (callback only)? Does this happen with an empty callback where you just call the next hook? Lastly, and most importantly, does this happen with any other hooked APIs set in the Chrome process or is this only a PeekMessageW() issue y...
- Thu Aug 05, 2021 8:01 pm
- Forum: madCodeHook
- Topic: MCH v3.1.8 x64 Crash when exception raised in hooked procedure
- Replies: 5
- Views: 7740
Re: MCH v3.1.8 x64 Crash when exception raised in hooked procedure
Is there any specific reason why you'd need(?) to hook a procedure that intentionally raises an exception? ***Update*** I've just tested and reproduced on x64 only when calling the "hooked" function, as you've said x86 seems to work fine. When commenting out the "raise exception"...
- Fri Apr 23, 2021 8:05 pm
- Forum: madCodeHook
- Topic: Intel's CET Shadow Stack issue
- Replies: 47
- Views: 200139
Re: Intel's CET Shadow Stack issue
MCH v4.0 is definitely worth the upgrade as there have been several fixes and additions since v3.0 which is now nearly 10 years old! Highly recommend the upgrade
--Iconic
- Wed Apr 07, 2021 10:36 pm
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17382
Re: using RestoreCode with NtHookEngine
Bevan, They both (x86 and x64) exceed the byte limits (10 and 14 bytes, respectively), since the original author already states this and you had mentioned this in a previous post. This means we'd have a worst case scenario of 10 bytes on x86 and of 14 bytes on x64. In this hook engine I'm using onl...
- Wed Apr 07, 2021 7:49 pm
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17382
Re: using RestoreCode with NtHookEngine
Yes, that would make complete sense. If the hook was just a relative jmp (0xE9 and 5 bytes) it would be restored along with some other 6 byte methods such as absolute jump (0x25FF) and push address ret (0x68 <address> 0xC3) but since the function prologue is modified > 6 bytes RestoreCode() just ref...
- Tue Apr 06, 2021 11:49 pm
- Forum: madCodeHook
- Topic: using RestoreCode with NtHookEngine
- Replies: 12
- Views: 17382
Re: using RestoreCode with NtHookEngine
Bevan,
What does GetLastError() return for you immediately after RestoreCode() is called? Seems something is amiss. Call SetLastError(0) before the call to RestoreCode() just to be extra sure that the hook code didn't set any error internally via the OS.
--Iconic
- Thu Apr 01, 2021 1:42 am
- Forum: madCodeHook
- Topic: Fastest way to IPC from a DLL to an EXE
- Replies: 23
- Views: 23809
Re: Fastest way to IPC from a DLL to an EXE
No problem, good luck
--Iconic