Microsoft Edge hooking

c++ / delphi package - dll injection and api hooking
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Microsoft Edge hooking

Post by nomen »

Hi all:

I am hooking the following DLL functions:

HookAPI("WSOCK32.DLL", "send", sendCallback, (PVOID*) &sendNext);
HookAPI("WSOCK32.DLL", "sendto", sendtoCallback, (PVOID*) &sendtoNext);
HookAPI("WS2_32.DLL", "WSASend", WSASendCallback, (PVOID*) &WSASendNext);
HookAPI("WS2_32.DLL", "WSASendTo", WSASendToCallback, (PVOID*) &WSASendToNext);
HookAPI("WS2_32.DLL", "send", WS2sendCallback, (PVOID*) &WS2sendNext);
HookAPI("WS2_32.DLL", "sendto", WS2sendtoCallback, (PVOID*) &WS2sendtoNext);

It works perfectly with Internet Explorer, Firefox, Opera, Chrome,...
But now I'm testing Windows 10 and it seems that Microsoft Edge does not use these functions. Does somebody know what functions/DLLs Microsoft Edge uses?

Thanks in advance!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Post by madshi »

I don't know, sorry. Maybe someone else can help out?
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Post by nomen »

I hope so!
I'm trying to discover it with API Monitor, but Windows 10 is not supported and it does not help me. :sorry:
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Microsoft Edge hooking

Post by iconic »

IIRC Edge is a modern UI app, if this is the case your DLL is only loaded if

[1] The DLL has ALL APPLICATION PACKAGES group added to its file permissions
[2] Contains no manifest (can create loading problems)

P.S: If you're supporting Windows NT based operating systems only you don't need to be hooking WSOCK32.DLL (Winsock 1.x) exports, they're redirected to WS2_32.dll (Winsock2). Your WSOCK32.dll send and sendto hooks are redundant and unnecessary

--Iconic
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Post by nomen »

Thank you very much Iconic!
I will work in this direction and I'll let you know!
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Post by madshi »

Good thinking, iconic. I had thought the problem was in hooking, didn't cross my mind that it might be injection instead.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Microsoft Edge hooking

Post by iconic »

Thanks Mathias, it's a privilege to be on this forum and help others

--Iconic
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Post by nomen »

There has been no luck :sorry:

As you can see in the attachment, the ALL APPLICATION PACKAGES (TODOS LOS PAQUETES DE APLICACIONES in Spanish) group is added to its file permissions. It has read and execute permissions. Is this enough?

The DLL has no manifest. In the previous version it had an empty manifest:

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
</assembly>
but now I have changed it to have nothing. The mt.exe output is:

mt.exe : general error c101008c: Failed to read the manifest from the resource of file "C:\wefisy64.dll". El tipo de
so especificado no se encuentra en el archivo de imagen.
So I think I'm doing as you indicate, but something is wrong.
By the way, with this configuration the hook continues working correctly with Internet Explorer.

Any ideas?
Attachments
ALL_APPLICATION_PACKAGES_Perms.jpg (58.53 KiB)
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Post by madshi »

Please double check with the ProcessExplorer if your hook dll is loaded into Edge or not. That's the first thing you need to achieve.
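The two checks raised so far in the thread (iconic's ALL APPLICATION PACKAGES file permission and madshi's question of whether the DLL is loaded at all), as an added PowerShell example that is not part of the original posts. The script parameters and the `MicrosoftEdge*` process-name pattern are assumptions; `S-1-15-2-1` is the well-known SID of the ALL APPLICATION PACKAGES group, used so the check does not depend on the localized group name.

```powershell
# Added example, not code from the thread. $DllPath, $ProcessName and -Grant
# are hypothetical parameters of this script.
param(
    [Parameter(Mandatory)] [string] $DllPath,
    [string] $ProcessName = 'MicrosoftEdge*',   # assumption: process name pattern
    [switch] $Grant
)

# Well-known SID of ALL APPLICATION PACKAGES. The display name is localized
# (e.g. "TODOS LOS PAQUETES DE APLICACIONES"); the SID is not.
$AppPackagesSid = 'S-1-15-2-1'
$RX = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-AppPackagesAccess([string] $Path) {
    # Ask for the DACL with SIDs instead of translated account names.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $AppPackagesSid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $RX) -eq $RX) { return $true }
    }
    return $false   # note: explicit Deny entries are not evaluated here
}

function Get-ProcessesWithModule([string] $Path, [string] $Name) {
    $full = (Resolve-Path -LiteralPath $Path).Path
    Get-Process -Name $Name -ErrorAction SilentlyContinue | Where-Object {
        # The module list can be unreadable for some processes; count as "not seen".
        try { $_.Modules.FileName -contains $full } catch { $false }
    }
}

$ok = Test-AppPackagesAccess $DllPath
if (-not $ok -and $Grant) {
    # Same read/execute grant the thread describes, addressed by SID.
    icacls.exe $DllPath /grant '*S-1-15-2-1:(RX)' | Out-Null
    $ok = Test-AppPackagesAccess $DllPath
}
"ALL APPLICATION PACKAGES has read/execute: $ok"

$loadedIn = @(Get-ProcessesWithModule $DllPath $ProcessName)
"Processes with the DLL loaded: $($loadedIn.Count)"
$loadedIn | Select-Object Id, ProcessName
```

Run it from a 64-bit elevated PowerShell so the module lists of 64-bit processes are readable.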
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Post by nomen »

I checked with ProcessExplorer: my DLL is NOT loaded in Edge.

I have found this article http://blog.nektra.com/main/2013/02/25/ ... o-app-win8. It seems interesting but I have not read it in depth. Now I'm at work, I'll look in the afternoon.

By the way, if anyone has any ideas, they would be welcome.
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Post by madshi »

Well, if injection doesn't succeed, that's the key problem right there. You could try the following:

http://madshi.net/PrintMonitor.zip

If you give read/execute access to ALL_APPLICATION_PACKAGES to the hook dlls with this demo, does injection work into Edge for you? If so, you can compare the PrintMonitor hook dll to your own to try to figure out why the demo injects fine and yours not.
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Post by nomen »

Thank you Madshi.
I will check it at home!
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Post by nomen »

Hi all:

I downloaded PrintMonitor and gave read/execute access to ALL_APPLICATION_PACKAGES to the hook DLLs.
I tested the app with Internet Explorer and I can see the hooks. It works correctly.

Then I tested the app with Edge and there are no hooks. But there is a curious thing, because I can check with Process Explorer that HookPrintAPIs64.dll is loaded. :o

I will continue later doing more tests.
nomen
Posts: 48
Joined: Wed Jun 25, 2008 7:15 am

Re: Microsoft Edge hooking

Post by nomen »

Nothing works! :cry:

I checked your PrintMonitor settings and they are the same as mine. The only difference is the Base Address, and I changed it to 0x57800000 like your program (I think this should not matter, but I changed it).
I checked the DLL code and it is the same (I do not use CollectHooks, but this is an NT-only app).
I have no manifest, the ALL APPLICATION PACKAGES group is added to its file permissions, and it has read and execute permissions.
I even used the icacls.exe utility to set the DLL file privileges to allow read and execute access to low integrity processes, as we can read in http://blog.nektra.com/main/2013/02/25/ ... -app-win8/

I'm very lost...
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Microsoft Edge hooking

Post by madshi »

Ok, must be some weird compiler/linker setting then, I would guess. Or maybe your hook dll has static links to some weird dlls? You could try this:

1) Load the PrintMonitor MSVC++ project.
2) Rename the projects so that they match your own hook dll project names.
3) Comment out the API hooks.
4) Compile.
5) Add ALL APPLICATION PACKAGES.

Does the hook dll compiled this way inject successfully? If so, replace the code step by step with your own code (or all at once if you feel lucky). With a bit of luck this might already solve the problem.