madShi Hooking API issues with EMET 5.5 version
When EMET 5.5 is installed on a machine and we try to hook the APIs NtCreateFile, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection and other Nt APIs, HookAPI returns -1 with originalFunctionPtr set to NULL. Why is HookAPI not possible when EMET 5.5 is installed?
i) Word & PowerPoint give an issue when first launched with EAF enabled for winword.exe/powerpnt.exe. The issue is overcome by disabling EAF for the mentioned processes/exes.
ii) Also, Excel crashes upon launch when the SimExecFlow mitigation is enabled (we have hooked the API). SimExecFlow.jpg shows the alert raised by EMET. The issue is overcome by disabling SimExecFlow for excel.exe.
I am using madCodeHook 3.1.5.
Note: We have tried madCodeHook 3.1.11 as well. Its HookAPI returns 0 with originalFunctionPtr set to NULL.
Re: madShi Hooking API issues with EMET 5.5 version
Excel crash attachment is added with EMET SimExecFlow enabled.
Attachments:
- Excel_crash.jpg (40.97 KiB): Excel crashes when madShi API is hooked and EMET SimExecFlow is enabled
- SimExecFlow.jpg (46.21 KiB): EMET SimExecFlow enable snapshot
Re: madShi Hooking API issues with EMET 5.5 version
The EAF complaint should be gone when using the new drivers from version 3.1.11.
SimExecFlow seems to cause a lot of problems. See here for a few random Google search hits:
https://social.technet.microsoft.com/Fo ... forum=emet
http://forums.mozillazine.org/viewtopic ... &t=2971229
Not sure about the HookAPI() problems. Nobody else reported any such problems to me yet. The only EMET related problem report I got so far was the EAF one.
Which OS and which application bitdepth are we talking about? And have you changed any EMET settings to non-default settings?
Re: madShi Hooking API issues with EMET 5.5 version
Hi
We have created a DLL which hooks APIs (NtCreateFile, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection and other Nt APIs) for the applications winword, powerpoint and excel; its HookAPI function returns -1 with originalFunctionPtr set to NULL.
Machine and application configuration is as follows:
1. Win7 64-bit, and the application is Office 2010 32-bit (winword.exe, powerpnt.exe and excel.exe).
Also, we are using the default settings of EMET.
Re: madShi Hooking API issues with EMET 5.5 version
1) Can you please show me your HookAPI() calls?
2) Could you double check if the same problem occurs on Windows 8.1 x64? That would make things a lot easier for me.
Re: madShi Hooking API issues with EMET 5.5 version
1) HookAPI:
The madCHookApi function, as declared in the madCodeHook header:
Code:
madCHookApi(BOOL) HookAPI(LPCSTR pszModule, LPCSTR pszFuncName, PVOID pCallbackFunc, PVOID *pNextHook,
#ifdef __cplusplus
                          DWORD dwFlags = 0
#else
                          DWORD dwFlags
#endif
                         );
We are using it as follows:
Code:
lRet = HookAPI(lHookFuncInfo->mstrDLLName,
               lHookFuncInfo->mstrFuncName,
               lHookFuncInfo->mHookedFuncPtr,
               lHookFuncInfo->mOrgFuncPtr);
We get lRet = -1 and lHookFuncInfo->mOrgFuncPtr set to NULL.
(With madCodeHook 3.1.11, lRet returns 0 with originalFunctionPtr set to NULL.)
The hook descriptor for NtCreateFile is set up like this:
Code:
#include <windows.h>
#include <winternl.h>   // NTSTATUS, OBJECT_ATTRIBUTES, IO_STATUS_BLOCK
#include <vector>
#include "madCHook.h"   // HookAPI() from madCodeHook
// Typedef for the original ntdll!NtCreateFile; it must precede its first use.
typedef NTSTATUS (WINAPI *NtCreateFile_type)(/* [out] */ PHANDLE FileHandle, /* [in] */ ACCESS_MASK DesiredAccess,
    /* [in] */ POBJECT_ATTRIBUTES ObjectAttributes, /* [out] */ PIO_STATUS_BLOCK IoStatusBlock,
    /* [in, opt] */ PLARGE_INTEGER AllocationSize, /* [in] */ ULONG FileAttributes, /* [in] */ ULONG ShareAccess,
    /* [in] */ ULONG CreateDisposition, /* [in] */ ULONG CreateOptions, /* [in] */ PVOID EaBuffer, /* [in] */ ULONG EaLength);
// Receives the "next hook" (original function) pointer that HookAPI() fills in on success.
NtCreateFile_type NtCreateFileFinal = NULL;
// Hook callback with the same prototype as NtCreateFile; its body (not in the post) calls through NtCreateFileFinal.
NTSTATUS WINAPI NtCreateFileCallback(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess,
    ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength);
// Per-hook descriptor; the field layout is assumed from how the fields are used below.
struct HookFuncInfo {
    char  mstrDLLName[MAX_PATH];
    char  mstrFuncName[128];
    PVOID mHookedFuncPtr;   // our callback
    PVOID *mOrgFuncPtr;     // where HookAPI() stores the original function pointer
};
static std::vector<HookFuncInfo *> sVecHookFuncInfo;
static void RegisterNtCreateFileHook() {
    HookFuncInfo *lHookFuncInfo = (HookFuncInfo *)malloc(sizeof(HookFuncInfo));
    strcpy(lHookFuncInfo->mstrDLLName, "ntdll.dll");
    strcpy(lHookFuncInfo->mstrFuncName, "NtCreateFile");
    lHookFuncInfo->mHookedFuncPtr = (PVOID)NtCreateFileCallback;
    lHookFuncInfo->mOrgFuncPtr = (PVOID *)&NtCreateFileFinal;
    sVecHookFuncInfo.push_back(lHookFuncInfo);
}
2) We are not able to open Office 2010 32-bit Word/Excel/PowerPoint files on Windows 8.1 64-bit when EMET is installed, as Word/Excel/PowerPoint takes 99% CPU, hence we are not able to verify our DLL's behaviour.
Re: madShi Hooking API issues with EMET 5.5 version
I've extended my test project "PrintMonitor" to also hook and report NtCreateFile. You can download it here with compiled exe/dll/sys files:
http://madshi.net/PrintMonitorNtCreateFile.zip
This demo works just fine on my Windows 8.1 x64 PC with EMET 5.5 installed with default settings (which includes strict settings for Microsoft Office). Office starts just fine here. And my demo works just fine, too. NtCreateFile is properly hooked and reported here.
Can you please try the demo above, compiled by me? Does it work on your PC?