
Microsoft Edge hooking

Posted: Sat Aug 29, 2015 5:36 pm
by nomen
Hi all:

I am hooking the next dll functions:

HookAPI("WSOCK32.DLL", "send", sendCallback, (PVOID*) &sendNext);
HookAPI("WSOCK32.DLL", "sendto", sendtoCallback, (PVOID*) &sendtoNext);
HookAPI("WS2_32.DLL", "WSASend", WSASendCallback, (PVOID*) &WSASendNext);
HookAPI("WS2_32.DLL", "WSASendTo", WSASendToCallback, (PVOID*) &WSASendToNext);
HookAPI("WS2_32.DLL", "send", WS2sendCallback, (PVOID*) &WS2sendNext);
HookAPI("WS2_32.DLL", "sendto", WS2sendtoCallback, (PVOID*) &WS2sendtoNext);

It works perfectly with Internet Explorer, Firefox, Opera, Chrome,...
But now I'm testing Windows 10 and it seems that Microsoft Edge does not use these functions. Does somebody know what functions/DLLs Microsoft Edge uses?

Thanks in advance!

Re: Microsoft Edge hooking

Posted: Sat Aug 29, 2015 5:38 pm
by madshi
I don't know, sorry. Maybe someone else can help out?

Re: Microsoft Edge hooking

Posted: Sat Aug 29, 2015 6:27 pm
by nomen
I hope so!
I'm trying to discover it with API Monitor but Windows 10 is not supported and it does not help me. :sorry:

Re: Microsoft Edge hooking

Posted: Sat Aug 29, 2015 8:02 pm
by iconic
IIRC Edge is a modern UI app; if this is the case your DLL is only loaded if

[1] The DLL has ALL APPLICATION PACKAGES group added to its file permissions
[2] Contains no manifest (can create loading problems)

P.S.: If you're supporting Windows NT based operating systems only, you don't need to be hooking WSOCK32.DLL (Winsock 1.x) exports; they're redirected to WS2_32.dll (Winsock2). Your WSOCK32.dll send and sendto hooks are redundant and unnecessary.

--Iconic
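Iconic's first requirement is the one that is easiest to get wrong on a non-English Windows, because the group name is localized while its SID is not. The PowerShell script below is an added example, not code from the thread or from madCodeHook: it grants the ALL APPLICATION PACKAGES group (well-known SID S-1-15-2-1) read/execute access on a DLL and then verifies that an Allow ACE with at least ReadAndExecute is present. The DLL path is a placeholder; the function names are my own.

```powershell
# Added example (not from the thread): grant ALL APPLICATION PACKAGES read/execute
# on a hook DLL and verify the ACE exists. The well-known SID S-1-15-2-1 is used
# instead of the group name so the script works regardless of the OS display
# language (the poster's machine shows it as TODOS LOS PAQUETES DE APLICACIONES).
param(
    [string]$DllPath = 'C:\path\to\hook64.dll'   # placeholder path, substitute your own
)

$allAppPackagesSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-15-2-1'

# Add an Allow ACE granting ReadAndExecute to S-1-15-2-1 on the given file.
function Grant-AppContainerReadExecute {
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $allAppPackagesSid,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Return $true when the DACL already contains an Allow ACE for S-1-15-2-1
# that includes every bit of ReadAndExecute, $false otherwise.
function Test-AppContainerReadExecute {
    param([string]$Path)
    $rx  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        try {
            # Access entries are usually NTAccount objects; compare by SID, not by name.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # unresolvable identity, skip it
        if ($sid.Value -eq $allAppPackagesSid.Value -and
            $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($ace.FileSystemRights -band $rx) -eq $rx)) {
            return $true
        }
    }
    return $false
}

if (-not (Test-AppContainerReadExecute -Path $DllPath)) {
    Grant-AppContainerReadExecute -Path $DllPath
}
# Re-check after the grant and report the result.
Test-AppContainerReadExecute -Path $DllPath
```

The same grant can be done from a command prompt with `icacls "C:\path\to\hook64.dll" /grant "*S-1-15-2-1:(RX)"` (the leading `*` tells icacls the identity is a SID). Note that the ACE must be on the DLL itself and effective after inheritance; granting it on the folder alone does not help if the file has inheritance disabled.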

Re: Microsoft Edge hooking

Posted: Sat Aug 29, 2015 9:45 pm
by nomen
Thank you very much Iconic!
I will work in this direction and I'll tell you!

Re: Microsoft Edge hooking

Posted: Sun Aug 30, 2015 6:00 am
by madshi
Good thinking, iconic. I had thought the problem was in hooking, didn't cross my mind that it might be injection instead.

Re: Microsoft Edge hooking

Posted: Sun Aug 30, 2015 7:35 am
by iconic
Thanks Mathias, it's a privilege to be on this forum and help others

--Iconic

Re: Microsoft Edge hooking

Posted: Mon Aug 31, 2015 8:33 am
by nomen
There has been no luck :sorry:

As you can see in the attachment, the ALL APPLICATION PACKAGES (TODOS LOS PAQUETES DE APLICACIONES in Spanish) group is added to its file permissions. It has read and execute permissions. Is this enough?

The DLL has no manifest. In the previous version it had an empty manifest:


<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
</assembly>
but now I changed it to have nothing. mt.exe output is:


mt.exe : general error c101008c: Failed to read the manifest from the resource of file "C:\wefisy64.dll". El tipo de
so especificado no se encuentra en el archivo de imagen.
So I think I'm doing as you indicate, but something is wrong.
By the way, with this configuration the hook continues working correctly with Internet Explorer.

Any ideas?

Re: Microsoft Edge hooking

Posted: Mon Aug 31, 2015 8:48 am
by madshi
Please double check with Process Explorer whether your hook dll is loaded into Edge or not. That's the first thing you need to achieve.

Re: Microsoft Edge hooking

Posted: Mon Aug 31, 2015 9:36 am
by nomen
I checked with Process Explorer; my DLL is NOT loaded in Edge.

I have found this article http://blog.nektra.com/main/2013/02/25/ ... o-app-win8. It seems interesting but I have not read it in depth. Now I'm at work, I'll look in the afternoon.

By the way, if anyone has any ideas they would be welcome.

Re: Microsoft Edge hooking

Posted: Mon Aug 31, 2015 9:59 am
by madshi
Well, if injection doesn't succeed, that's the key problem right there. You could try the following:

http://madshi.net/PrintMonitor.zip

If you give read/execute access to ALL_APPLICATION_PACKAGES to the hook dlls with this demo, does injection work into Edge for you? If so, you can compare the PrintMonitor hook dll to your own to try to figure out why the demo injects fine and yours does not.

Re: Microsoft Edge hooking

Posted: Mon Aug 31, 2015 10:08 am
by nomen
Thank you Madshi.
I will check it at home!

Re: Microsoft Edge hooking

Posted: Mon Aug 31, 2015 12:08 pm
by nomen
Hi all:

I downloaded PrintMonitor and gave read/execute access to ALL_APPLICATION_PACKAGES to the hook dlls.
I tested the app with Internet Explorer and I can see the hooks. It works correctly.

Then I tested the app with Edge and there are no hooks. But there is a curious thing, because I can check with Process Explorer that HookPrintAPIs64.dll is loaded. :o

I will continue later doing more tests.

Re: Microsoft Edge hooking

Posted: Wed Sep 02, 2015 4:09 pm
by nomen
Nothing works! :cry:

I checked your PrintMonitor settings and they are the same as mine. The only difference is the Base Address, and I changed it to 0x57800000 like your program (I think this should not affect it, but I changed it anyway).
I checked the DLL code and it is the same (I do not use CollectHooks, but this is an NT-only app).
I have no manifest, the ALL APPLICATION PACKAGES group is added to its file permissions and it has read and execute permissions.
I even used the icacls.exe utility to set the DLL file privileges to allow read and execute access to low integrity processes, as we can read in http://blog.nektra.com/main/2013/02/25/ ... -app-win8/

I'm very lost...

Re: Microsoft Edge hooking

Posted: Wed Sep 02, 2015 4:24 pm
by madshi
Ok, it must be some weird compiler/linker setting then, I would guess. Or maybe your hook dll has static links to some weird dlls? You could try this:

1) Load the PrintMonitor MSVC++ project.
2) Rename the projects so that they match your own hook dll project names.
3) Comment out the API hooks.
4) Compile.
5) Add ALL APPLICATION PACKAGES.

Does the hook dll compiled this way inject successfully? If so, replace the code step by step with your own code (or all at once if you feel lucky). With a bit of luck this might already solve the problem.