madShi Hooking API issues with EMET 5.5 version

contains all delphi packages mentioned below
Post Reply
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

madShi Hooking API issues with EMET 5.5 version

Post by manutai »

When EMET 5.5 is installed on a machine and we are trying to hook API NtCreateFile, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection and other Nt APIs, HookAPI returns -1 with originalFunctionPtr to NULL. Why HookAPI is not possible when EMET 5.5 is installed.

i) Word & Powerpoint give an issue when first launched with EAF enabled for winword.exe/powerpnt.exe. The issue is overcome by disabling EAF for the mentioned processes/exes.

ii) Also, excel crashes upon launch when SimExecFlow mitigation is enabled ( We have hooked the API ). SimExecFlow.jpg shows the encountered alert from EMET. The issue is overcome by disabling SimExecFlow for excel.exe.

I am using madcodehook 3.1.5.

Note : We have tried madCodeHook 3.1.11 version as well. its HookAPI returns 0 with originalFunctionPtr to NULL.
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: madShi Hooking API issues with EMET 5.5 version

Post by manutai »

Execl crash attachment is added with EMET SimExecFlow enabled.
Attachments
Excel crashes when madShi API is hooked and EMET SimExecFlow enabled,
Excel crashes when madShi API is hooked and EMET SimExecFlow enabled,
Excel_crash.jpg (40.97 KiB) Viewed 9317 times
EMET SimExecFlow enable snapshot
EMET SimExecFlow enable snapshot
SimExecFlow.jpg (46.21 KiB) Viewed 9317 times
madshi
Site Admin
Posts: 10527
Joined: Sun Mar 21, 2004 5:25 pm

Re: madShi Hooking API issues with EMET 5.5 version

Post by madshi »

The EAF complaint should be gone when using the new drivers from version 3.1.11.

SimExecFlow seems to cause a lot of problems. See here for a few random google search hits:

https://social.technet.microsoft.com/Fo ... forum=emet
http://forums.mozillazine.org/viewtopic ... &t=2971229

Not sure about the HookAPI() problems. Nobody else reported any such problems to me yet. The only EMET related problem report I got so far was the EAF one.

Which OS and which application bitdepth are we talking about? And have you changed any EMET settings to non-default settings?
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: madShi Hooking API issues with EMET 5.5 version

Post by manutai »

Hi

We have created a dll which will hooked API's (NtCreateFile, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection and other Nt APIs ) for application winword, powerpoint and excel, it's HookAPI function returns -1 with originalFunctionPtr to NULL.

Machine and Application configuration is as follows:

1. Win7-64 bit and application is office 2010 - 32 bit (winword.exe, powerepoint.exe and excel).

Also, we are using default setting of EMET.
madshi
Site Admin
Posts: 10527
Joined: Sun Mar 21, 2004 5:25 pm

Re: madShi Hooking API issues with EMET 5.5 version

Post by madshi »

1) Can you please show me your HookAPI() calls?

2) Could you double check if the same problem occurs on Windows 8.1 x64? That would make things a lot easier for me.
manutai
Posts: 85
Joined: Sun Aug 03, 2008 1:40 am

Re: madShi Hooking API issues with EMET 5.5 version

Post by manutai »

1) HookApi :

Code: Select all

madCHookApi function :  madCHookApi(BOOL) HookAPI( LPCSTR pszModule, LPCSTR pszFuncName, PVOID  pCallbackFunc, PVOID  *pNextHook,
                                                                                    #ifdef __cplusplus
                                                                                    DWORD  dwFlags = 0
                                                                                    #else
                                                                                   DWORD  dwFlags
                                                                                 #endif);
We are using as follows :

Code: Select all

	lRet = HookAPI(lHookFuncInfo->mstrDLLName, 
				lHookFuncInfo->mstrFuncName, 
				lHookFuncInfo->mHookedFuncPtr,
				lHookFuncInfo->mOrgFuncPtr);
we get lRet = -1 and lHookFuncInfo->mOrgFuncPtr to NULL

(With madCodeHook 3.1.11 version lRet returns 0 with originalFunctionPtr to NULL)

Code: Select all

		lHookFuncInfo = (HookFuncInfo *)malloc(sizeof(HookFuncInfo));
		strcpy(lHookFuncInfo->mstrDLLName, "ntdll.dll");
		strcpy(lHookFuncInfo->mstrFuncName, "NtCreateFile");
		lHookFuncInfo->mHookedFuncPtr = NtCreateFileCallback;
		lHookFuncInfo->mOrgFuncPtr = (void **)&NtCreateFileFinal;
		sVecHookFuncInfo.push_back(lHookFuncInfo);

     NTSTATUS WINAPI NtCreateFileCallback (/* [out] */ PHANDLE FileHandle, /* [in] */ ACCESS_MASK DesiredAccess, /* [in] */ POBJECT_ATTRIBUTES ObjectAttributes,
                                                        	/* [out] */ PIO_STATUS_BLOCK IoStatusBlock, /* [in, opt] */ PLARGE_INTEGER AllocationSize,/* [in] */ ULONG FileAttributes,
                                                        	/* [in] */ ULONG ShareAccess,/* [in] */ ULONG CreateDisposition,/* [in] */ ULONG CreateOptions,/* [in] */ PVOID EaBuffer,
                                                        	/* [in] */ ULONG EaLength);

    NtCreateFile_type	 NtCreateFileFinal;

  typedef NTSTATUS (WINAPI * NtCreateFile_type)(/* [out] */PHANDLE FileHandle,/* [in] */	ACCESS_MASK DesiredAccess,/* [in] */POBJECT_ATTRIBUTES ObjectAttributes,
                                                                	/* [out] */	PIO_STATUS_BLOCK IoStatusBlock,/* [in, opt] */	PLARGE_INTEGER AllocationSize,
                                                                      /* [in] */	ULONG FileAttributes,/* [in] */	ULONG ShareAccess,/* [in] */	ULONG CreateDisposition,
                                                               	/* [in] */	ULONG CreateOptions,/* [in] */	PVOID EaBuffer,	/* [in] */	ULONG EaLength);
2) We are not able to open office 2010-32 bit word/excel/powerpoint file over Windows 8.1 64 bit when EMET is installed, as word/excel/ppt file is taking 99% CPU, henceforth not able to verify the our dll behaviour.
madshi
Site Admin
Posts: 10527
Joined: Sun Mar 21, 2004 5:25 pm

Re: madShi Hooking API issues with EMET 5.5 version

Post by madshi »

I've extended my test project "PrintMonitor" to also hook and report NtCreateFile. You can download it here with compiled exe/dll/sys files:

http://madshi.net/PrintMonitorNtCreateFile.zip

This demo works just fine on my Windows 8.1 x64 PC with EMET 5.5 installed with default settings (which includes strict settings for Microsoft Office). Office starts just fine here. And my demo works just fine, too. NtCreateFile is properly hooked and reported here.

Can you please try the demo above, compiled by me? Does it work on your PC?
Post Reply