madShi Hooking API issues with EMET 5.5 version

madShi Hooking API issues with EMET 5.5 version

Postby manutai » Fri Apr 01, 2016 12:13 pm

When EMET 5.5 is installed on a machine and we are trying to hook the APIs NtCreateFile, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection and other Nt APIs, HookAPI returns -1 with originalFunctionPtr set to NULL. Why is HookAPI not possible when EMET 5.5 is installed?

i) Word & Powerpoint give an issue when first launched with EAF enabled for winword.exe/powerpnt.exe. The issue is overcome by disabling EAF for the mentioned processes/exes.

ii) Also, Excel crashes upon launch when the SimExecFlow mitigation is enabled (we have hooked the API). SimExecFlow.jpg shows the encountered alert from EMET. The issue is overcome by disabling SimExecFlow for excel.exe.

I am using madcodehook 3.1.5.

Note: We have tried the madCodeHook 3.1.11 version as well. Its HookAPI returns 0 with originalFunctionPtr set to NULL.
manutai
 
Posts: 79
Joined: Sun Aug 03, 2008 1:40 am

Re: madShi Hooking API issues with EMET 5.5 version

Postby manutai » Fri Apr 01, 2016 12:42 pm

The Excel crash attachment is added, with EMET SimExecFlow enabled.
Attachments:
Excel_crash.jpg: Excel crashes when madShi API is hooked and EMET SimExecFlow enabled.
SimExecFlow.jpg: EMET SimExecFlow enable snapshot.
manutai
 
Posts: 79
Joined: Sun Aug 03, 2008 1:40 am

Re: madShi Hooking API issues with EMET 5.5 version

Postby madshi » Fri Apr 01, 2016 5:19 pm

The EAF complaint should be gone when using the new drivers from version 3.1.11.

SimExecFlow seems to cause a lot of problems. See here for a few random google search hits:

https://social.technet.microsoft.com/Fo ... forum=emet
http://forums.mozillazine.org/viewtopic ... &t=2971229

Not sure about the HookAPI() problems. Nobody else reported any such problems to me yet. The only EMET related problem report I got so far was the EAF one.

Which OS and which application bitdepth are we talking about? And have you changed any EMET settings to non-default settings?
madshi
Site Admin
 
Posts: 9338
Joined: Sun Mar 21, 2004 5:25 pm

Re: madShi Hooking API issues with EMET 5.5 version

Postby manutai » Mon Apr 04, 2016 8:58 am

Hi

We have created a DLL which hooks APIs (NtCreateFile, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection and other Nt APIs) for the applications winword, powerpoint and excel; its HookAPI function returns -1 with originalFunctionPtr set to NULL.

Machine and Application configuration is as follows:

1. Win7 64-bit, and the application is Office 2010 32-bit (winword.exe, powerpoint.exe and excel).

Also, we are using the default settings of EMET.
manutai
 
Posts: 79
Joined: Sun Aug 03, 2008 1:40 am

Re: madShi Hooking API issues with EMET 5.5 version

Postby madshi » Mon Apr 04, 2016 9:02 am

1) Can you please show me your HookAPI() calls?

2) Could you double check if the same problem occurs on Windows 8.1 x64? That would make things a lot easier for me.
madshi
Site Admin
 
Posts: 9338
Joined: Sun Mar 21, 2004 5:25 pm

Re: madShi Hooking API issues with EMET 5.5 version

Postby manutai » Mon Apr 04, 2016 2:27 pm

1) HookApi :

madCHookApi function:

Code:
    madCHookApi(BOOL) HookAPI(LPCSTR pszModule, LPCSTR pszFuncName, PVOID pCallbackFunc, PVOID *pNextHook,
    #ifdef __cplusplus
                              DWORD dwFlags = 0
    #else
                              DWORD dwFlags
    #endif
                              );

We are using as follows :

Code:
    lRet = HookAPI(lHookFuncInfo->mstrDLLName,
                   lHookFuncInfo->mstrFuncName,
                   lHookFuncInfo->mHookedFuncPtr,
                   lHookFuncInfo->mOrgFuncPtr);


We get lRet = -1 and lHookFuncInfo->mOrgFuncPtr set to NULL.

(With madCodeHook 3.1.11 version lRet returns 0 with originalFunctionPtr to NULL)

Code:
    // Prototype of the original NtCreateFile. HookAPI() stores the address to call
    // through to it in NtCreateFileFinal, so the typedef must precede that variable.
    typedef NTSTATUS (WINAPI *NtCreateFile_type)(/* [out] */ PHANDLE FileHandle, /* [in] */ ACCESS_MASK DesiredAccess,
        /* [in] */ POBJECT_ATTRIBUTES ObjectAttributes, /* [out] */ PIO_STATUS_BLOCK IoStatusBlock,
        /* [in, opt] */ PLARGE_INTEGER AllocationSize, /* [in] */ ULONG FileAttributes, /* [in] */ ULONG ShareAccess,
        /* [in] */ ULONG CreateDisposition, /* [in] */ ULONG CreateOptions, /* [in] */ PVOID EaBuffer, /* [in] */ ULONG EaLength);

    NtCreateFile_type NtCreateFileFinal;

    // Our replacement; HookAPI() redirects ntdll!NtCreateFile here.
    NTSTATUS WINAPI NtCreateFileCallback(/* [out] */ PHANDLE FileHandle, /* [in] */ ACCESS_MASK DesiredAccess,
        /* [in] */ POBJECT_ATTRIBUTES ObjectAttributes, /* [out] */ PIO_STATUS_BLOCK IoStatusBlock,
        /* [in, opt] */ PLARGE_INTEGER AllocationSize, /* [in] */ ULONG FileAttributes, /* [in] */ ULONG ShareAccess,
        /* [in] */ ULONG CreateDisposition, /* [in] */ ULONG CreateOptions, /* [in] */ PVOID EaBuffer, /* [in] */ ULONG EaLength);

    // Describe the hook; the HookAPI() call above is made later from these fields.
    lHookFuncInfo = (HookFuncInfo *)malloc(sizeof(HookFuncInfo));
    strcpy(lHookFuncInfo->mstrDLLName, "ntdll.dll");
    strcpy(lHookFuncInfo->mstrFuncName, "NtCreateFile");
    lHookFuncInfo->mHookedFuncPtr = (void *)NtCreateFileCallback;   // explicit cast: C++ does not convert function pointers to void* implicitly
    lHookFuncInfo->mOrgFuncPtr = (void **)&NtCreateFileFinal;
    sVecHookFuncInfo.push_back(lHookFuncInfo);


2) We are not able to open Office 2010 32-bit Word/Excel/PowerPoint files on Windows 8.1 64-bit when EMET is installed, as Word/Excel/PPT takes 99% CPU, hence we are not able to verify our DLL's behaviour.
manutai
 
Posts: 79
Joined: Sun Aug 03, 2008 1:40 am
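The snippet in the post above records the HookAPI() result in lRet and the next-hook address in NtCreateFileFinal, but nothing guards the callback's eventual call through NtCreateFileFinal against the case this thread is about: a -1 or 0 return with the pointer left NULL. The following is an added example, not madshi's code and not the poster's, showing the two checks a hook DLL wants here: validate both the return value and the next-hook pointer before marking the hook live, and read the target path out of OBJECT_ATTRIBUTES by its byte Length rather than assuming a NUL terminator. It assumes madCHook.h is on the include path when built on Windows; HookSlot, hook_slot_install, object_name_to_ascii, install_ntcreatefile_hook and the demo_* functions are names chosen for this example, and the non-Windows shims, HookAPI test doubles and sample path are constructed so the logic can be built and exercised outside Windows.

```c
/* Added example, not madshi's or the poster's code: install a madCodeHook hook
 * defensively and log NtCreateFile targets without over-reading the non-NUL-
 * terminated UNICODE_STRING. Windows parts are behind _WIN32; elsewhere shims
 * mirroring winternl.h plus test doubles let the same logic build and run. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#  include <windows.h>
#  include <winternl.h>  /* UNICODE_STRING, OBJECT_ATTRIBUTES, NTSTATUS */
#  include "madCHook.h"  /* HookAPI(); assumed on the include path */
#else
typedef int BOOL;
typedef void *PVOID;
typedef uint16_t WCHAR;  /* 16-bit code units, as on Windows */
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; } UNICODE_STRING;
typedef struct { uint32_t Length; PVOID RootDirectory; UNICODE_STRING *ObjectName;
                 uint32_t Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES;
#endif

/* Installer signature: HookAPI's first four parameters, dwFlags defaulted. */
typedef BOOL (*hook_install_fn)(const char *module, const char *func, PVOID callback, PVOID *next);

typedef struct {
    const char *module, *func;
    PVOID callback, next;  /* next is written by the installer; trusted only when installed == 1 */
    int installed;
} HookSlot;

/* The next-hook pointer is usable only if the installer reported success AND filled it in.
 * The symptom in this thread (-1 or 0 returned, pointer left NULL) ends up as installed == 0. */
int hook_slot_install(HookSlot *s, hook_install_fn install)
{
    s->next = NULL; s->installed = 0;
    BOOL ok = install(s->module, s->func, s->callback, &s->next);
    if (!ok || s->next == NULL) {
        fprintf(stderr, "hook %s!%s not installed (ret=%d, next=%p)\n", s->module, s->func, (int)ok, s->next);
        s->next = NULL; return 0;   /* never call through a NULL next-hook pointer */
    }
    s->installed = 1; return 1;
}

/* Copy the object name for logging. UNICODE_STRING has no terminator and Length counts bytes,
 * so bound the copy by Length, never by scanning for NUL. Non-ASCII code units become '?'. */
size_t object_name_to_ascii(const OBJECT_ATTRIBUTES *oa, char *out, size_t cap)
{
    if (cap == 0) return 0;
    out[0] = '\0';
    if (!oa || !oa->ObjectName || !oa->ObjectName->Buffer) return 0;
    size_t n = oa->ObjectName->Length / sizeof(WCHAR);
    if (n > cap - 1) n = cap - 1;
    for (size_t i = 0; i < n; i++) { WCHAR c = oa->ObjectName->Buffer[i]; out[i] = (c < 0x80) ? (char)c : '?'; }
    out[n] = '\0';
    return n;   /* characters written, not counting the terminator */
}

#ifdef _WIN32
typedef NTSTATUS (NTAPI *NtCreateFile_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK,
                                        PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
static HookSlot g_ntcreatefile = { "ntdll.dll", "NtCreateFile", NULL, NULL, 0 };
/* Report-only callback: log the target name, then pass the call through unchanged. */
static NTSTATUS NTAPI NtCreateFileCallback(PHANDLE FileHandle, ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength)
{
    char name[512];
    object_name_to_ascii(ObjectAttributes, name, sizeof name);
    OutputDebugStringA(name);
    return ((NtCreateFile_t)g_ntcreatefile.next)(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
        AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}
/* Adapter: in C, HookAPI takes the fifth dwFlags argument explicitly. */
static BOOL hookapi_default_flags(const char *m, const char *f, PVOID cb, PVOID *next)
{ return HookAPI(m, f, cb, next, 0); }
int install_ntcreatefile_hook(void)
{ g_ntcreatefile.callback = (PVOID)NtCreateFileCallback; return hook_slot_install(&g_ntcreatefile, hookapi_default_flags); }
#else
/* Test doubles for HookAPI: the first mimics the failure reported in this thread
 * (non-zero return, next pointer untouched), the second succeeds. */
static int fake_target;
static BOOL fake_hookapi_fail(const char *m, const char *f, PVOID cb, PVOID *next)
{ (void)m; (void)f; (void)cb; (void)next; return -1; }
static BOOL fake_hookapi_ok(const char *m, const char *f, PVOID cb, PVOID *next)
{ (void)m; (void)f; (void)cb; *next = &fake_target; return 1; }
int demo_install(int succeed)
{ HookSlot s = { "ntdll.dll", "NtCreateFile", NULL, NULL, 0 }; return hook_slot_install(&s, succeed ? fake_hookapi_ok : fake_hookapi_fail); }
/* Constructed sample: Length covers only "\??\C:" although the backing buffer runs on
 * (and ends in a non-ASCII euro sign), so the copy must stop at Length. */
const char *demo_object_name(void)
{
    static WCHAR backing[] = { '\\', '?', '?', '\\', 'C', ':', '\\', 't', 'm', 'p', 0x20AC };
    UNICODE_STRING us = { 12, sizeof backing, backing };
    OBJECT_ATTRIBUTES oa = { sizeof oa, NULL, &us, 0, NULL, NULL };
    static char out[64];
    object_name_to_ascii(&oa, out, sizeof out);
    return out;
}
#endif
```

On Windows this is compiled into the injected DLL and install_ntcreatefile_hook() is called from the DLL's initialisation; a 0 return means the hook is simply not active and the DLL keeps running unhooked instead of dereferencing the NULL pointer the thread describes. The second function matters for the reporting side: ObjectAttributes->ObjectName is a counted string, so a callback that hands Buffer to a %s-style logger over-reads past the name, and in a hardened process that is the kind of fault that gets attributed to the hook rather than to the logging bug.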

Re: madShi Hooking API issues with EMET 5.5 version

Postby madshi » Thu Apr 07, 2016 8:57 am

I've extended my test project "PrintMonitor" to also hook and report NtCreateFile. You can download it here with compiled exe/dll/sys files:

http://madshi.net/PrintMonitorNtCreateFile.zip

This demo works just fine on my Windows 8.1 x64 PC with EMET 5.5 installed with default settings (which includes strict settings for Microsoft Office). Office starts just fine here. And my demo works just fine, too. NtCreateFile is properly hooked and reported here.

Can you please try the demo above, compiled by me? Does it work on your PC?
madshi
Site Admin
 
Posts: 9338
Joined: Sun Mar 21, 2004 5:25 pm

