Injecting a DLL to IE10 in App Mode (Windows 8)

chaos072
Posts: 21
Joined: Wed Mar 20, 2013 2:22 am

Post by chaos072 »

Hi..

As you may know, there are two ways to run Internet Explorer 10 in Windows 8: app mode and desktop mode.

I'm trying to hook Internet Explorer in Windows 8 (x64).

In desktop application mode everything is fine. But in app mode DLL injection does not work correctly.

When IE is running in app mode, two iexplore.exe instances are loaded as parent and child processes, as you can see from the attached screenshot.

The problem is that my hook dll is not injected into the child iexplore.exe (PID 4588) automatically.

But I can see that my hook dll is injected into the parent iexplore.exe (PID 4552) successfully.

I injected my hook dll as follows:

InjectLibrary(TEXT("MyDriver"), TEXT("MyHook.x86.dll"), ALL_SESSIONS, FALSE, NULL, L"Dbgview.exe");
InjectLibrary(TEXT("MyDriver"), TEXT("MyHook.x64.dll"), ALL_SESSIONS, FALSE, NULL, L"Dbgview.exe");

For testing purposes, I didn't hook any APIs in my hook dll.

Thank you.
Attachments
AppIE.png
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Injecting a DLL to IE10 in App Mode (Windows 8)

Post by iconic »

Looks to be a sandbox issue with IE 10, specifically EPM (enhanced protected mode)... This is just my opinion from first glance, I do not run IE though.
Enters the "Enhanced Protected Mode" (EPM)

As IE10 Metro was marketed as a "no plugin" browser, it was the perfect candidate to implement a more restrictive sandbox.

Here is what it does:

- IE tabs processes are run in an AppContainer, which is basically the sandbox in which every WinRT applications are run.
- It ensures IE always run as a 64bit process on x64 architectures, with DEP always enabled
- ASLR has more entropy (better than the current ASLR in Windows 7 and web browsers like Chrome which does not yet use it)
- Read access to the file system (and registry) is now blocked too (previously, only write access was blocked)
- Interprocess communications are blocked, including sockets connections to localhost
Source: http://www.julien-manici.com/blog/ie10- ... windows-8/

--Iconic
madshi
Site Admin
Posts: 10764
Joined: Sun Mar 21, 2004 5:25 pm

Re: Injecting a DLL to IE10 in App Mode (Windows 8)

Post by madshi »

In order to inject your hook dll into Metro style apps, your hook dll (or its parent folder) must have NTFS security read/execute rights for "ALL_APPLICATION_PACKAGES".

It's also possible that the IE10 sandbox is simply too strict, I don't know for sure.
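
The permission described in the reply above, as an added example that is not part of the original thread and not madCodeHook's own code: a PowerShell script that reports which DLLs in a folder are readable and executable by AppContainer processes, and optionally adds the ACE on the folder. The folder path and the function name Test-AppContainerAccess are assumptions; S-1-15-2-1 is the well-known SID of "ALL APPLICATION PACKAGES".

```powershell
# Added example. Audits (and with -Grant, adds) the read/execute ACE for
# "ALL APPLICATION PACKAGES". Modifying ACLs needs an elevated prompt.
param(
    [string]$Path = 'C:\Program Files\MyProduct',  # hypothetical folder holding the hook DLLs
    [switch]$Grant
)

# Well-known SID; using the SID avoids problems with localized account names.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-15-2-1'
$rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-AppContainerAccess([string]$Item) {
    # True if an Allow ACE for the SID grants at least ReadAndExecute on $Item.
    # Simplification: Deny ACEs are not evaluated here.
    $acl   = Get-Acl -LiteralPath $Item
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        $inheritOnly = $r.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($r.IdentityReference.Value -eq $sid.Value -and
            $r.AccessControlType -eq 'Allow' -and
            -not $inheritOnly -and
            ($r.FileSystemRights -band $rx) -eq $rx) { return $true }
    }
    return $false
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

if ($Grant) {
    # The ACE is inherited by everything in the folder, so every AppContainer
    # app can read it: keep only the DLLs there, nothing sensitive.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $rx, $inherit, 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Report per DLL, including ACEs inherited from the folder.
Get-ChildItem -LiteralPath $Path -Filter *.dll | ForEach-Object {
    [pscustomobject]@{
        File           = $_.Name
        AppContainerRX = Test-AppContainerAccess $_.FullName
    }
}
```

Run without -Grant, the same script works as an audit of which DLLs on a system are already loadable from inside an AppContainer.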
chaos072
Posts: 21
Joined: Wed Mar 20, 2013 2:22 am

Re: Injecting a DLL to IE10 in App Mode (Windows 8)

Post by chaos072 »

Thank you madshi!

After modifying folder and dll permission as you suggested, everything works like a charm!

Thank you!