Search found 1065 matches

by iconic
Sat Oct 30, 2021 12:33 am
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 31
Views: 38250

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Woops, sorry I missed it in his code. I see it now, yeah that definitely shouldn't be injected then as it's an Exclude param. I was instead focusing on why some system processes allow for injections (processes of the same name) while others don't due to mitigations =] I originally answered from my s...
by iconic
Fri Oct 29, 2021 6:31 am
Forum: madCodeHook
Topic: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected
Replies: 31
Views: 38250

Re: [madCodeHook 4.2.0 or 4.1.3] Some excluded process are Injected

Hello, that’s more than likely a mitigation issue requiring Microsoft to be the signer of your DLL or something similar to this. Not all instances will require this, so it’s confusing unless you look at the security involved per process; mitigation policy enforcement can be viewed in tools like Proce...
by iconic
Tue Oct 26, 2021 1:17 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 199820

Re: Intel's CET Shadow Stack issue

Ok thank you, I wondered about any/all apps linked with the /CETCOMPAT flag.

--Iconic
by iconic
Mon Oct 25, 2021 9:03 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 199820

Re: Intel's CET Shadow Stack issue

Bevan,

Can you please let us know if this happens with any process or is this just specific to a process such as Chrome or Edge?

--Iconic
by iconic
Sat Sep 18, 2021 9:36 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 199820

Re: Intel's CET Shadow Stack issue

Unfortunately, like Madshi, I also do not possess the 9th Gen Intel CPUs that have CET technology built into the underlying hardware, so testing on my end isn't physically possible. As Madshi had said in a recent post, safe hooking uses different code branches where no safe unhooking is simple and s...
by iconic
Sat Sep 18, 2021 4:46 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 199820

Re: Intel's CET Shadow Stack issue

Hmmm, so any process outside of the likes of MS Edge and Chrome you can also reproduce once CET is enabled with the same injected module?

--Iconic
by iconic
Sat Sep 18, 2021 12:18 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 199820

Re: Intel's CET Shadow Stack issue

NO_SAFE_UNHOOKING makes a lot of sense when you're dealing with an API that may have a high call volume such as PeekMessageW(). Actually, Madshi recently mentioned this to someone else, which solved their separate issue below: http://forum.madshi.net/viewtopic.php?f=7&t=28915&p=54028&hilit...
by iconic
Thu Sep 16, 2021 11:16 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 199820

Re: Intel's CET Shadow Stack issue

I'm very confident that the latest build of the collection that Madshi linked you to will solve your issue. If other users were still having CET issues since March, they'd have been blasting him with emails these past 6 months, since the hotfix was released and the hook code stubs updated. I would definitely...
by iconic
Thu Sep 16, 2021 3:06 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 199820

Re: Intel's CET Shadow Stack issue

Do you happen to have a crash dump or maybe you can share your code (callback only)? Does this happen with an empty callback where you just call the next hook? Lastly, and most importantly, does this happen with any other hooked APIs set in the Chrome process or is this only a PeekMessageW() issue y...
by iconic
Thu Aug 05, 2021 8:01 pm
Forum: madCodeHook
Topic: MCH v3.1.8 x64 Crash when exception raised in hooked procedure
Replies: 5
Views: 7681

Re: MCH v3.1.8 x64 Crash when exception raised in hooked procedure

Is there any specific reason why you'd need(?) to hook a procedure that intentionally raises an exception? ***Update*** I've just tested and reproduced on x64 only when calling the "hooked" function, as you've said x86 seems to work fine. When commenting out the "raise exception"...
by iconic
Fri Apr 23, 2021 8:05 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 47
Views: 199820

Re: Intel's CET Shadow Stack issue

MCH v4.0 is definitely worth the upgrade, as there have been several fixes and additions since v3.0, which is now nearly 10 years old! Highly recommend the upgrade :D

--Iconic
by iconic
Wed Apr 07, 2021 10:36 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 17200

Re: using RestoreCode with NtHookEngine

Bevan, they both (x86 and x64) exceed the byte limits (10 and 14 bytes, respectively), since the original author already states this and you had mentioned this in a previous post. This means we'd have a worst case scenario of 10 bytes on x86 and of 14 bytes on x64. In this hook engine I'm using onl...
by iconic
Wed Apr 07, 2021 7:49 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 17200

Re: using RestoreCode with NtHookEngine

Yes, that would make complete sense. If the hook was just a relative jmp (0xE9 and 5 bytes) it would be restored along with some other 6 byte methods such as absolute jump (0x25FF) and push address ret (0x68 <address> 0xC3) but since the function prologue is modified > 6 bytes RestoreCode() just ref...
by iconic
Tue Apr 06, 2021 11:49 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 17200

Re: using RestoreCode with NtHookEngine

Bevan,

What does GetLastError() return for you immediately after RestoreCode() is called? Seems something is amiss. Call SetLastError(0) before the call to RestoreCode() just to be extra sure that the hook code didn't set any error internally via the OS.

--Iconic
by iconic
Thu Apr 01, 2021 1:42 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 23546

Re: Fastest way to IPC from a DLL to an EXE

No problem, good luck :D

--Iconic