Possible issue related to madCodeHook, Sentinel One and chromium/Adobe sandbox

c++ / delphi package - dll injection and api hooking
Safetica
Posts: 4
Joined: Tue Oct 26, 2021 7:32 am

Possible issue related to madCodeHook, Sentinel One and chromium/Adobe sandbox

Post by Safetica »

Hello madshi,

We are facing an issue with crashing Adobe Reader or MS Teams. The issue is related to the NtOpenProcess hook. When our solution (using madCodeHook) and the one from Sentinel One are both present in the system and both are injecting Adobe Reader or MS Teams and hooking the API, the processes crash.

When we changed the flags for the hook to NO_MIXTURE_MODE | FOLLOW_JMP, the application worked fine and so did the hook.

We have discussed the issue with developers from Sentinel One and got the following information. Could you please look at the info and check whether the devs from Sentinel One have found some issue in madCodeHook that should be addressed, or whether there is some other problem on their side?

I will provide the dump from the crashing process ASAP. Here is the information from Sentinel One:
It seems that this is an issue of bad interaction between madhooks library and chromium sandbox.

It seems that under acrobat reader protected mode, acrobat.exe creates a child process acrobat.exe, that runs inside an app container. Looking at acrobat.exe, it seems that it uses a variant of chromium sandbox to run the restricted child process, which adds its own hooks (including a hook on NtOpenProcess).

The issue seems to be that madhooks sees the jmp instruction of the S1 hook on NtOpenProcess, and falls back to what they call "mixture mode" in their documentation. As far as I understand, in this mode they hook both the IATs and the export tables. The entry for the function in the export table (NtOpenProcess in our case) is patched with a new value that is right after the end of the ntdll image.

The problem is that to create the hook on the child process, chromium sandbox tries to read the first 32 bytes of a function to hook from the child process with ReadProcessMemory. The address that is read from is the pointer for the function from the export table of ntdll in the parent process (which should be identical).

Since the child is created as a suspended process, the patched pointer of the function doesn't exist in the child process (since stguard didn't load yet, so the hook wasn't created). This causes the ReadProcessMemory call to fail, which in turn fails the sandboxed process creation (which eventually causes Adobe to display the dialog box).

I don't know why madhooks could not place a hook on NtOpenProcess and decided to opt for the fallback, but since the S1 hook is a simple jmp instruction, I believe this issue is not specific to S1 and will happen with any other vendor that manages to hook a function before madCodeHook, and with any product that happens to use the chromium sandbox (I didn't test on MS Teams yet, but it is likely it uses the chromium sandbox as well).


The relevant functions in the chromium sandbox (the code isn't exactly the same as in acrobat.exe, but seems close enough):

PatchNtdll (main/sandbox/win/src/interception.cc 357)
https://github.com/chromium/chromium/bl ... on.cc#L357

PatchClientFunctions (main/sandbox/win/src/interception.cc 423)
https://github.com/chromium/chromium/bl ... on.cc#L423

ResolverThunk::Init (main/sandbox/win/src/resolver.cc 18)
https://github.com/chromium/chromium/bl ... ver.cc#L18

ServiceResolverThunk::ResolveTarget (service_resolver.cc 27)
https://github.com/chromium/chromium/bl ... ver.cc#L27

ServiceResolverThunk::IsFunctionAService (service_resolver_64.cc 234)
https://github.com/chromium/chromium/bl ... 64.cc#L234

Thanks a lot!

Tom Svoboda
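The condition described in the post, an export-table entry of ntdll pointing outside the ntdll image while the function's first bytes are read the way the sandbox reads them, can be checked from a defender's side with the following PowerShell diagnostic. This is an added example for this thread, not code from madCodeHook, Chromium or Sentinel One; the list of function names is an assumed set of targets, and the prologue heuristics are hand-written and apply to x64 ntdll. It runs in the current process only, which is exactly the asymmetry the analysis points at: a suspended child that has not yet loaded the hooking DLL would not show the patched pointer.

```powershell
# Added example (not from the thread): report, for a few ntdll exports, whether the
# address the export table resolves to lies inside the mapped ntdll image, and what
# the first 32 bytes at that address look like (32 bytes mirrors the read size the
# Sentinel One analysis attributes to the sandbox). Function names are assumptions.

if (-not ('Kernel32' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Kernel32 {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr GetModuleHandleW(string lpModuleName);

    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
}
"@
}

function Get-NtdllExportStatus {
    param(
        # Assumed set of functions to inspect; NtOpenProcess is the one named in the thread.
        [string[]]$FunctionNames = @('NtOpenProcess', 'NtCreateFile', 'NtMapViewOfSection')
    )

    # Bounds of the ntdll image as mapped into this process.
    $ntdll = [System.Diagnostics.Process]::GetCurrentProcess().Modules |
        Where-Object { $_.ModuleName -ieq 'ntdll.dll' } | Select-Object -First 1
    if (-not $ntdll) { throw 'ntdll.dll not found in the current process module list' }

    $base = $ntdll.BaseAddress.ToInt64()
    $end  = $base + [int64]$ntdll.ModuleMemorySize
    $hMod = [Kernel32]::GetModuleHandleW('ntdll.dll')

    foreach ($name in $FunctionNames) {
        # GetProcAddress returns whatever the export table currently says, so an
        # export-table patch shows up here as an address outside [base, end).
        $ptr = [Kernel32]::GetProcAddress($hMod, $name)
        if ($ptr -eq [IntPtr]::Zero) {
            [pscustomobject]@{ Function = $name; Address = $null; InsideImage = $null; FirstBytes = $null; Note = 'export not found' }
            continue
        }
        $addr   = $ptr.ToInt64()
        $inside = ($addr -ge $base) -and ($addr -lt $end)

        # Read the first 32 bytes at the resolved address (in-process, so this cannot
        # fail the way a cross-process ReadProcessMemory on an unmapped page would).
        $buf = New-Object byte[] 32
        [System.Runtime.InteropServices.Marshal]::Copy($ptr, $buf, 0, $buf.Length)
        $hex = ($buf | ForEach-Object { $_.ToString('X2') }) -join ' '

        # Prologue heuristics (assumptions for illustration, x64 only):
        #   E9 xx xx xx xx    = jmp rel32 (the "simple jmp" the analysis mentions)
        #   FF 25 xx xx xx xx = jmp qword ptr [rip+disp32]
        #   4C 8B D1 B8       = mov r10,rcx ; mov eax,imm32 (unmodified x64 Nt* stub)
        $note = switch -Regex ($hex) {
            '^E9 '          { 'starts with jmp rel32'; break }
            '^FF 25 '       { 'starts with jmp [rip+disp32]'; break }
            '^4C 8B D1 B8 ' { 'looks like an unmodified x64 syscall stub'; break }
            default         { 'unrecognised prologue' }
        }
        if (-not $inside) { $note = "export points outside the ntdll image; $note" }

        [pscustomobject]@{
            Function    = $name
            Address     = ('0x{0:X}' -f $addr)
            InsideImage = $inside
            FirstBytes  = $hex
            Note        = $note
        }
    }
}

Get-NtdllExportStatus | Format-Table -AutoSize
```

Run it in a process that has the hooking DLL loaded (or as a plain PowerShell session as a baseline) and compare: an export resolving outside the image is the export-table patch the post describes, while an in-image address whose first bytes are a jmp is an inline hook. Neither finding is a fault by itself; the point is to make the two hooking strategies visible when two products meet on the same API.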
Safetica
Posts: 4
Joined: Tue Oct 26, 2021 7:32 am

Re: Possible issue related to madCodeHook, Sentinel One and chromium/Adobe sandbox

Post by Safetica »

The dump file from the injected MS Teams process can be downloaded here:
https://send.safetica.cloud/download/f6 ... dN_Q8677aw

STGuard64.dll is ours (using madCodeHook), InProcessClient64.dll is from Sentinel One.
The link is limited to one download or 7 days. If you need it, I can provide it again together with an Azure VM for testing. In case you are interested, I will send you the information via e-mail.
Safetica
Posts: 4
Joined: Tue Oct 26, 2021 7:32 am

Re: Possible issue related to madCodeHook, Sentinel One and chromium/Adobe sandbox

Post by Safetica »

And here is a dump file from Adobe DC:
https://send.safetica.cloud/download/33 ... 9NXXm9bMCQ
The link has the same limitations as the one for MS Teams.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Possible issue related to madCodeHook, Sentinel One and chromium/Adobe sandbox

Post by madshi »

Please simply use FOLLOW_JMP which is the best solution to this problem. The only reason why FOLLOW_JMP is not the default behaviour is that I'm scared of changing the default behaviour because I don't want to break any existing projects out there.
Safetica
Posts: 4
Joined: Tue Oct 26, 2021 7:32 am

Re: Possible issue related to madCodeHook, Sentinel One and chromium/Adobe sandbox

Post by Safetica »

OK, thank you for the information. So do you think that using FOLLOW_JMP is the best solution in general, and that once we have tested it widely we should use it as the default value?

According to the documentation, the main risk is when the other solution removes its hook. In such a situation, our hook will be removed as well. Is there any other risk that we should consider?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Possible issue related to madCodeHook, Sentinel One and chromium/Adobe sandbox

Post by madshi »

Two different hooking libraries trying to hook the same API is always trouble. I think FOLLOW_JMP is probably the safest solution to that, but no solution is perfect in this situation. I think the only risk is that the other hooking library uninstalls its hook, which then sort of renders your hook ineffective. I've had no complaints about any stability issues with FOLLOW_JMP, so it seems to work well.