
madShi Hooking API issues with EMET 5.5 version

Posted: Fri Apr 01, 2016 12:13 pm
by manutai
When EMET 5.5 is installed on a machine and we try to hook the APIs NtCreateFile, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection and other Nt APIs, HookAPI returns -1 with originalFunctionPtr set to NULL. Why is HookAPI not possible when EMET 5.5 is installed?

i) Word & PowerPoint give an issue when first launched with EAF enabled for winword.exe/powerpnt.exe. The issue is overcome by disabling EAF for the mentioned processes/exes.

ii) Also, Excel crashes upon launch when the SimExecFlow mitigation is enabled (we have hooked the API). SimExecFlow.jpg shows the alert encountered from EMET. The issue is overcome by disabling SimExecFlow for excel.exe.

I am using madcodehook 3.1.5.

Note: We have tried madCodeHook version 3.1.11 as well. Its HookAPI returns 0 with originalFunctionPtr set to NULL.

Re: madShi Hooking API issues with EMET 5.5 version

Posted: Fri Apr 01, 2016 12:42 pm
by manutai
Excel crash attachment is added with EMET SimExecFlow enabled.

Re: madShi Hooking API issues with EMET 5.5 version

Posted: Fri Apr 01, 2016 5:19 pm
by madshi
The EAF complaint should be gone when using the new drivers from version 3.1.11.

SimExecFlow seems to cause a lot of problems. See here for a few random google search hits:

https://social.technet.microsoft.com/Fo ... forum=emet
http://forums.mozillazine.org/viewtopic ... &t=2971229

Not sure about the HookAPI() problems. Nobody else reported any such problems to me yet. The only EMET related problem report I got so far was the EAF one.

Which OS and which application bitdepth are we talking about? And have you changed any EMET settings to non-default settings?

Re: madShi Hooking API issues with EMET 5.5 version

Posted: Mon Apr 04, 2016 8:58 am
by manutai
Hi

We have created a DLL which hooks APIs (NtCreateFile, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection and other Nt APIs) for the applications Word, PowerPoint and Excel; its HookAPI function returns -1 with originalFunctionPtr set to NULL.

Machine and Application configuration is as follows:

1. Windows 7 64-bit, and the application is Office 2010 32-bit (winword.exe, powerpnt.exe and excel.exe).

Also, we are using the default settings of EMET.

Re: madShi Hooking API issues with EMET 5.5 version

Posted: Mon Apr 04, 2016 9:02 am
by madshi
1) Can you please show me your HookAPI() calls?

2) Could you double check if the same problem occurs on Windows 8.1 x64? That would make things a lot easier for me.

Re: madShi Hooking API issues with EMET 5.5 version

Posted: Mon Apr 04, 2016 2:27 pm
by manutai
1) HookAPI:

Code:

    madCHookApi(BOOL) HookAPI(LPCSTR pszModule, LPCSTR pszFuncName, PVOID pCallbackFunc, PVOID *pNextHook,
    #ifdef __cplusplus
                              DWORD dwFlags = 0
    #else
                              DWORD dwFlags
    #endif
                              );
We are using it as follows:

Code:

    // lRet receives HookAPI's BOOL result; mOrgFuncPtr points at the variable
    // that HookAPI fills with the "next hook" (original function) pointer.
    lRet = HookAPI(lHookFuncInfo->mstrDLLName,
                   lHookFuncInfo->mstrFuncName,
                   lHookFuncInfo->mHookedFuncPtr,
                   lHookFuncInfo->mOrgFuncPtr);

We get lRet = -1 and lHookFuncInfo->mOrgFuncPtr set to NULL.

(With madCodeHook version 3.1.11, lRet returns 0 with originalFunctionPtr set to NULL.)

Code:

    // Function-pointer type matching the ntdll export being hooked.
    typedef NTSTATUS (WINAPI *NtCreateFile_type)(
        /* [out] */ PHANDLE FileHandle, /* [in] */ ACCESS_MASK DesiredAccess, /* [in] */ POBJECT_ATTRIBUTES ObjectAttributes,
        /* [out] */ PIO_STATUS_BLOCK IoStatusBlock, /* [in, opt] */ PLARGE_INTEGER AllocationSize, /* [in] */ ULONG FileAttributes,
        /* [in] */ ULONG ShareAccess, /* [in] */ ULONG CreateDisposition, /* [in] */ ULONG CreateOptions, /* [in] */ PVOID EaBuffer,
        /* [in] */ ULONG EaLength);

    // Filled in by HookAPI on success; used to call the original NtCreateFile.
    NtCreateFile_type NtCreateFileFinal = NULL;

    // Our callback: same signature and calling convention as the export.
    NTSTATUS WINAPI NtCreateFileCallback(
        /* [out] */ PHANDLE FileHandle, /* [in] */ ACCESS_MASK DesiredAccess, /* [in] */ POBJECT_ATTRIBUTES ObjectAttributes,
        /* [out] */ PIO_STATUS_BLOCK IoStatusBlock, /* [in, opt] */ PLARGE_INTEGER AllocationSize, /* [in] */ ULONG FileAttributes,
        /* [in] */ ULONG ShareAccess, /* [in] */ ULONG CreateDisposition, /* [in] */ ULONG CreateOptions, /* [in] */ PVOID EaBuffer,
        /* [in] */ ULONG EaLength);

    // Per-hook bookkeeping. The struct itself was not shown in the post;
    // this layout is inferred from how it is used below.
    struct HookFuncInfo {
        char   mstrDLLName[MAX_PATH];
        char   mstrFuncName[MAX_PATH];
        void  *mHookedFuncPtr;   // callback passed as pCallbackFunc
        void **mOrgFuncPtr;      // passed as pNextHook
    };
    static std::vector<HookFuncInfo *> sVecHookFuncInfo;

    HookFuncInfo *lHookFuncInfo = (HookFuncInfo *)malloc(sizeof(HookFuncInfo));
    strcpy(lHookFuncInfo->mstrDLLName, "ntdll.dll");
    strcpy(lHookFuncInfo->mstrFuncName, "NtCreateFile");
    lHookFuncInfo->mHookedFuncPtr = (void *)NtCreateFileCallback;
    lHookFuncInfo->mOrgFuncPtr = (void **)&NtCreateFileFinal;
    sVecHookFuncInfo.push_back(lHookFuncInfo);
2) We are not able to open Office 2010 32-bit Word/Excel/PowerPoint files on Windows 8.1 64-bit when EMET is installed, as Word/Excel/PowerPoint takes 99% CPU; hence we are not able to verify our DLL's behaviour.
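The thread never gets as far as looking at what is actually at the ntdll exports on the failing machine, which is the first thing to check when a hooking library reports failure: something else loaded in the process may already have rewritten the prologue before HookAPI() got there. The C below is an added example (mine, not the poster's and not madCodeHook's) that classifies the first bytes of an export as either an untouched Nt* syscall stub or one of the usual inline-hook trampolines. The stub byte patterns are the Windows 7 32-bit ntdll ones as I know them, native x86 and the WOW64 variant a 32-bit Office on Win7 x64 would see; other builds are reported as PROLOGUE_UNKNOWN rather than guessed at. The sample byte arrays are hand-constructed, the addresses are arbitrary, and the Windows-only classify_export() wrapper assumes a 32-bit build and the GetModuleHandleA/GetProcAddress APIs.

```c
/* Added example (not from the thread, not madCodeHook code): classify the
 * bytes at an export before deciding why a hook on it failed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum prologue_kind {
    PROLOGUE_SYSCALL_STUB, /* B8 imm32 ...   untouched Nt* stub, imm32 = syscall number */
    PROLOGUE_JMP_REL32,    /* E9 rel32       inline hook, relative jump */
    PROLOGUE_JMP_IND32,    /* FF 25 addr32   inline hook, jump through a pointer slot */
    PROLOGUE_PUSH_RET,     /* 68 imm32 C3    inline hook, push/ret */
    PROLOGUE_HOTPATCH,     /* EB rel8        hot-patch style short jump */
    PROLOGUE_UNKNOWN
};

struct prologue_info {
    enum prologue_kind kind;
    uint32_t syscall_number; /* PROLOGUE_SYSCALL_STUB only */
    uint32_t target;         /* jump target, or the pointer slot for FF 25 */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* code/len: bytes at the export; addr: its 32-bit VA (needed to resolve E9/EB targets). */
enum prologue_kind classify_prologue(const uint8_t *code, size_t len, uint32_t addr,
                                     struct prologue_info *out)
{
    /* Win7 x86 native stub after the mov eax: mov edx,7FFE0300h ; call [edx] */
    static const uint8_t native_tail[] = { 0xBA,0x00,0x03,0xFE,0x7F, 0xFF,0x12 };
    /* Win7 WOW64 x86 stub after the mov eax: xor ecx,ecx ; lea edx,[esp+4] ; call fs:[0C0h] */
    static const uint8_t wow64_tail[]  = { 0x33,0xC9, 0x8D,0x54,0x24,0x04, 0x64,0xFF,0x15,0xC0,0x00,0x00,0x00 };
    struct prologue_info info = { PROLOGUE_UNKNOWN, 0, 0 };

    if (len >= 5 && code[0] == 0xE9) {
        info.kind = PROLOGUE_JMP_REL32;
        info.target = addr + 5 + rd32(code + 1);       /* rel32 is relative to the next instruction */
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        info.kind = PROLOGUE_JMP_IND32;
        info.target = rd32(code + 2);                   /* the slot that holds the hook address */
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        info.kind = PROLOGUE_PUSH_RET;
        info.target = rd32(code + 1);
    } else if (len >= 2 && code[0] == 0xEB) {
        info.kind = PROLOGUE_HOTPATCH;
        info.target = addr + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    } else if (len >= 5 + sizeof native_tail && code[0] == 0xB8 &&
               memcmp(code + 5, native_tail, sizeof native_tail) == 0) {
        info.kind = PROLOGUE_SYSCALL_STUB;
        info.syscall_number = rd32(code + 1);
    } else if (len >= 5 + sizeof wow64_tail && code[0] == 0xB8 &&
               memcmp(code + 5, wow64_tail, sizeof wow64_tail) == 0) {
        info.kind = PROLOGUE_SYSCALL_STUB;
        info.syscall_number = rd32(code + 1);
    }
    if (out) *out = info;
    return info.kind;
}

#ifdef _WIN32
#include <windows.h>
/* In-process check of a real export in a 32-bit build, e.g.
 * classify_export("ntdll.dll", "NtCreateFile", &pi), run before HookAPI(). */
enum prologue_kind classify_export(const char *module, const char *name, struct prologue_info *out)
{
    HMODULE h = GetModuleHandleA(module);
    const uint8_t *p = h ? (const uint8_t *)GetProcAddress(h, name) : NULL;
    if (!p) {
        struct prologue_info none = { PROLOGUE_UNKNOWN, 0, 0 };
        if (out) *out = none;
        return PROLOGUE_UNKNOWN;
    }
    return classify_prologue(p, 32, (uint32_t)(uintptr_t)p, out);
}
#endif

/* Constructed samples (hand-written, not dumped from a machine): a clean
 * WOW64 stub, and the same stub with its first five bytes replaced by E9 rel32. */
const uint8_t SAMPLE_WOW64_CLEAN[]  = { 0xB8,0x52,0x00,0x00,0x00, 0x33,0xC9, 0x8D,0x54,0x24,0x04,
                                        0x64,0xFF,0x15,0xC0,0x00,0x00,0x00, 0x83,0xC4,0x04, 0xC2,0x2C,0x00 };
const uint8_t SAMPLE_WOW64_HOOKED[] = { 0xE9,0x00,0x10,0x00,0x00, 0x33,0xC9, 0x8D,0x54,0x24,0x04,
                                        0x64,0xFF,0x15,0xC0,0x00,0x00,0x00, 0x83,0xC4,0x04, 0xC2,0x2C,0x00 };
const size_t SAMPLE_LEN = sizeof SAMPLE_WOW64_CLEAN;

int main(void)
{
    struct prologue_info pi;
    classify_prologue(SAMPLE_WOW64_CLEAN, SAMPLE_LEN, 0x77A00000u, &pi);
    printf("clean : kind=%d syscall=0x%X\n", pi.kind, pi.syscall_number);
    classify_prologue(SAMPLE_WOW64_HOOKED, SAMPLE_LEN, 0x77A00000u, &pi);
    printf("hooked: kind=%d target=0x%08X\n", pi.kind, pi.target);
    return 0;
}
```

If the result in the target process is anything other than PROLOGUE_SYSCALL_STUB, you know the export was already rewritten before your DLL ran, and the jump target tells you which module did it (for FF 25 you still have to read the pointer slot). That is a different problem from a hooking-library bug, and it is the evidence the maintainer would need either way.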

Re: madShi Hooking API issues with EMET 5.5 version

Posted: Thu Apr 07, 2016 8:57 am
by madshi
I've extended my test project "PrintMonitor" to also hook and report NtCreateFile. You can download it here with compiled exe/dll/sys files:

http://madshi.net/PrintMonitorNtCreateFile.zip

This demo works just fine on my Windows 8.1 x64 PC with EMET 5.5 installed with default settings (which includes strict settings for Microsoft Office). Office starts just fine here. And my demo works just fine, too. NtCreateFile is properly hooked and reported here.

Can you please try the demo above, compiled by me? Does it work on your PC?