Microsoft Edge hooking

c++ / delphi package - dll injection and api hooking

Postby nomen » Sat Aug 29, 2015 5:36 pm

Hi all:

I am hooking the following DLL functions:

HookAPI("WSOCK32.DLL", "send", sendCallback, (PVOID*) &sendNext);
HookAPI("WSOCK32.DLL", "sendto", sendtoCallback, (PVOID*) &sendtoNext);
HookAPI("WS2_32.DLL", "WSASend", WSASendCallback, (PVOID*) &WSASendNext);
HookAPI("WS2_32.DLL", "WSASendTo", WSASendToCallback, (PVOID*) &WSASendToNext);
HookAPI("WS2_32.DLL", "send", WS2sendCallback, (PVOID*) &WS2sendNext);
HookAPI("WS2_32.DLL", "sendto", WS2sendtoCallback, (PVOID*) &WS2sendtoNext);

It works perfectly with Internet Explorer, Firefox, Opera, Chrome, ...
But now I'm testing Windows 10 and it seems that Microsoft Edge does not use these functions. Does anybody know what functions/DLLs Microsoft Edge uses?

Thanks in advance!
nomen
 
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Postby madshi » Sat Aug 29, 2015 5:38 pm

I don't know, sorry. Maybe someone else can help out?
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Postby nomen » Sat Aug 29, 2015 6:27 pm

I hope so!
I'm trying to find out with API Monitor, but Windows 10 is not supported, so it does not help me. :sorry:
nomen
 
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Postby iconic » Sat Aug 29, 2015 8:02 pm

IIRC Edge is a modern UI app. If this is the case, your DLL is only loaded if:

[1] The DLL has ALL APPLICATION PACKAGES group added to its file permissions
[2] Contains no manifest (can create loading problems)

P.S: If you're supporting Windows NT based operating systems only, you don't need to be hooking WSOCK32.DLL (Winsock 1.x) exports; they're redirected to WS2_32.dll (Winsock2). Your WSOCK32.dll send and sendto hooks are redundant and unnecessary.

--Iconic
iconic
 
Posts: 840
Joined: Wed Jun 08, 2005 5:08 am
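
Condition [1] from the post above can be checked from a PowerShell prompt. This is an added example, not part of the thread and not madCodeHook code: it reports whether a file's DACL grants read and execute to ALL APPLICATION PACKAGES, matching the group by its well-known SID (S-1-15-2-1) so the result does not depend on the localized group name. The `-Path` parameter and the output property names are assumptions of this example, and the deny handling is simplified (any deny ACE overlapping the needed rights counts as a failure).

```powershell
# Added example: does ALL APPLICATION PACKAGES have read+execute on a file?
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # file to inspect, supplied by the caller
)

# Well-known SID of the ALL APPLICATION PACKAGES group.
$appPackagesSid = 'S-1-15-2-1'
$needed = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$acl = Get-Acl -LiteralPath $Path

# Request explicit and inherited rules keyed by SID rather than by account
# name, so the check also works on non-English Windows installations.
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $appPackagesSid }

$allowed = 0
$denied  = 0
foreach ($rule in $rules) {
    if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
        $allowed = $allowed -bor [int]$rule.FileSystemRights
    } else {
        $denied = $denied -bor [int]$rule.FileSystemRights
    }
}

# Simplified evaluation: every needed bit must be allowed and none denied.
$hasRx = (($allowed -band $needed) -eq $needed) -and (($denied -band $needed) -eq 0)

[pscustomobject]@{
    Path             = (Resolve-Path -LiteralPath $Path).Path
    AceCount         = @($rules).Count
    AllowedRights    = [System.Security.AccessControl.FileSystemRights]$allowed
    DeniedRights     = [System.Security.AccessControl.FileSystemRights]$denied
    HasReadAndExecute = $hasRx
}
```

The script only inspects the file's own DACL; it does not look at the integrity label or at the permissions of the containing folders.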

Re: Microsoft Edge hooking

Postby nomen » Sat Aug 29, 2015 9:45 pm

Thank you very much Iconic!
I will work on this direction and I'll tell you!
nomen
 
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Postby madshi » Sun Aug 30, 2015 6:00 am

Good thinking, iconic. I had thought the problem was in hooking; it didn't cross my mind that it might be injection instead.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Postby iconic » Sun Aug 30, 2015 7:35 am

Thanks Mathias, it's a privilege to be on this forum and help others

--Iconic
iconic
 
Posts: 840
Joined: Wed Jun 08, 2005 5:08 am

Re: Microsoft Edge hooking

Postby nomen » Mon Aug 31, 2015 8:33 am

There has been no luck :sorry:

As you can see in the attachment, the ALL APPLICATION PACKAGES (TODOS LOS PAQUETES DE APLICACIONES in Spanish) group is added to its file permissions. It has read and execute permissions. Is this enough?

The DLL has no manifest. In the previous version it had an empty manifest:

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
</assembly>


but now I have changed it to have nothing. The mt.exe output is:
mt.exe : general error c101008c: Failed to read the manifest from the resource of file "C:\wefisy64.dll". El tipo de
so especificado no se encuentra en el archivo de imagen.


So I think I'm doing as you indicate, but something is wrong.
By the way, with this configuration the hook continues working correctly with Internet Explorer.

Any ideas?
Attachment: ALL_APPLICATION_PACKAGES_Perms.jpg (58.67 KiB)
nomen
 
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Postby madshi » Mon Aug 31, 2015 8:48 am

Please double check with the ProcessExplorer if your hook dll is loaded into Edge or not. That's the first thing you need to achieve.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Postby nomen » Mon Aug 31, 2015 9:36 am

I checked with ProcessExplorer: my DLL is NOT loaded in Edge.

I have found this article http://blog.nektra.com/main/2013/02/25/ ... o-app-win8. It seems interesting but I have not read it in depth. I'm at work now; I'll look in the afternoon.

By the way, if anyone has any ideas, they would be welcome.
nomen
 
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Postby madshi » Mon Aug 31, 2015 9:59 am

Well, if injection doesn't succeed, that's the key problem right there. You could try the following:

http://madshi.net/PrintMonitor.zip

If you give read/execute access to ALL_APPLICATION_PACKAGES to the hook dlls with this demo, does injection work into Edge for you? If so, you can compare the PrintMonitor hook dll to your own to try to figure out why the demo injects fine and yours does not.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Postby nomen » Mon Aug 31, 2015 10:08 am

Thank you Madshi.
I will check it at home!
nomen
 
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Postby nomen » Mon Aug 31, 2015 12:08 pm

Hi all:

I downloaded PrintMonitor and gave read/execute access to ALL_APPLICATION_PACKAGES to the hook dlls.
I tested the app with Internet Explorer and I can see the hooks. It works correctly.

Then I tested the app with Edge and there are no hooks. But there is a curious thing: I can check with Process Explorer that HookPrintAPIs64.dll is loaded. :o

I will continue later doing more tests.
nomen
 
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Postby nomen » Wed Sep 02, 2015 4:09 pm

Nothing works! :cry:

I checked your PrintMonitor settings and they are the same as mine. The only difference is the Base Address, and I changed it to 0x57800000 as in your program (I think this should not matter, but I changed it anyway).
I checked the DLL code and it is the same (I do not use CollectHooks, but this is an NT-only app).
I have no manifest, the ALL APPLICATION PACKAGES group is added to its file permissions, and it has read and execute permissions.
I even used the icacls.exe utility to set the DLL file privileges to allow read and execute access to low integrity processes, as we can read in http://blog.nektra.com/main/2013/02/25/ ... -app-win8/

I'm very lost...
nomen
 
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Postby madshi » Wed Sep 02, 2015 4:24 pm

Ok, must be some weird compiler/linker setting then, I would guess. Or maybe your hook dll has static links to some weird dlls? You could try this:

1) Load the PrintMonitor MSVC++ project.
2) Rename the projects so that they match your own hook dll project names.
3) Comment out the API hooks.
4) Compile.
5) Add ALL APPLICATION PACKAGES.

Does the hook dll compiled this way inject successfully? If so, replace the code step by step with your own code (or all at once if you feel lucky). With a bit of luck this might already solve the problem.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm
