Microsoft Edge hooking

ezh
Posts: 9
Joined: Tue Sep 22, 2015 10:20 am

Re: Microsoft Edge hooking

Post by ezh »

OK, the answers above are very good and useful: we really need the ALL APPLICATION PACKAGES flag, and it was enough to inject a DLL into Edge (with madCodeHook or with other tools). It worked fine; we even released our product with the inject-into-Edge feature enabled and got no real problem reports from our users. But 2 days ago a new build of Windows 10 was released on the "fast" update channel: 10547. In this build something was changed in Edge. We can still inject a DLL into the MicrosoftEdge.exe process, but not into the MicrosoftEdgeCp.exe process. madCodeHook injection doesn't work, ProcessHacker injection doesn't work.

So, does anyone know anything about it? Can you reproduce the problem? (Please note that the problem is related to Windows 10 build 10547 and couldn't be reproduced on the "stable" Win10.)
ezh
Posts: 9
Joined: Tue Sep 22, 2015 10:20 am

Re: Microsoft Edge hooking

Post by ezh »

Update: it is still possible to inject DLLs into other Metro applications, but not into Edge. When trying to inject a DLL, madCodeHook successfully creates a remote thread in MicrosoftEdgeCp.exe and calls LoadLibraryEx, then the DLL starts being loaded (I see CreateFile and ReadFile calls in ProcMon), and then everything just finishes. In the Windows event log, under the "CodeIntegrity" key, I see an event with error code 3033 saying my DLL didn't match Microsoft code signing rules and was rejected. I want to mention that my DLL is properly signed with a good certificate (we use it to sign drivers and they work, also on Win10), but it looks like the rules are stricter now for Edge. I can inject other DLLs signed by Microsoft into MicrosoftEdgeCp.exe, but not ones signed by other companies.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Post by madshi »

So basically it's a new protection by Microsoft, which intentionally blocks non-Microsoft DLLs from being injected. That's kind of sad, but there's probably not much we can do about it. Maybe injection still works if you start the injection first and then Edge afterwards?
ezh
Posts: 9
Joined: Tue Sep 22, 2015 10:20 am

Re: Microsoft Edge hooking

Post by ezh »

Yes! You are right! I tried the PrintMonitor sample, and if the driver was started before Edge, HookPrintAPIs64.dll is loaded into MicrosoftEdgeCp.exe!
Do you have any ideas why it works this way?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Post by madshi »

It's the same with Chrome. If the sandbox is up and running, it rejects injection. But if the injection is done by the madCodeHook driver, that usually happens before the newly created process is fully initialized, so before the sandbox is fully working. That's why injection succeeds in that situation. Please note that I'm not doing anything special to work around the sandbox. The only difference is the time of injection.
ezh
Posts: 9
Joined: Tue Sep 22, 2015 10:20 am

Re: Microsoft Edge hooking

Post by ezh »

Thank you very much for the explanation.
Sirmabus
Posts: 89
Joined: Fri May 28, 2004 6:20 pm

Re: Microsoft Edge hooking

Post by Sirmabus »

Keep playing around. You might even just ask Microsoft on their forum. Maybe first explain that your software is not malicious, etc.
Just a guess, but they probably want you to go the "legit" route by making some BS extension/plug-in.

Anyhow, keep messing with it, if it's important to you. Maybe you can side-load/inject off another "trusted" system DLL.
Or, since it appears to let you create memory and threads, maybe you can manually map your DLL into the process,
then create a remote thread, or hijack the main thread long enough to init your stuff (call DllMain() or whatever).
There is more than one lib/setup you can get off the web already done for you.
I haven't tried it yet, but there is this one, for example, that has the feature: https://github.com/DarthTon/Blackbone