Edge Code Injection

c++ / delphi package - dll injection and api hooking
madshi
Site Admin
Posts: 10338
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Post by madshi »

Oh well. Could it be that some debugging stuff (e.g. Application Verifyer) or some extra agressive security software (e.g. Microsoft's EMET) is active on that VM? Or maybe there's another hooking library active which collides with madCodeHook in some way?
ExPx
Posts: 34
Joined: Fri Oct 21, 2016 3:20 pm

Re: Edge Code Injection

Post by ExPx »

I think this issue is not closed. On Win10 64bit computer my system wide hook dll successfully injected all processes except microsoftedgecp.exe. When I start Microsoft Edge, process explorer shows me one MicrosoftEdge.exe and two MicrosoftEdgeCP.exe processes. MicrosoftEdge.exe and first MicrosoftEdgeCP.exe loaded my injection dll. But second MicrosoftEdgeCP.exe cant load it. I really want to know hooking (socket apis) is still available MS Edge browser ?
madshi
Site Admin
Posts: 10338
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Post by madshi »

It might have been better to start a new thread instead of reviving a 2 year old thread which may or may not be related.

Anyway.

1) Do you start injection first, and Edge afterwards? Or the other way round?
2) Does your hook dll have NTFS read/execute rights for "ALL APPLICATION PACKAGES"?
ExPx
Posts: 34
Joined: Fri Oct 21, 2016 3:20 pm

Re: Edge Code Injection

Post by ExPx »

Hi madshi, here is the summary

* I have a service running (singed with EV cert).
* My hook dll is under System32 (signed wit same cert)
* Injection is started on windows boot.
* I start Edge.
* In process explorer I can see one MicrosoftEdge.exe process and two MicrosoftEdgeCP.exe process.
* My dll succesfully injected MicrosoftEdge.exe and one of the MicrosoftEdgeCP.exe process. Other MicrosoftEdgeCP.exe not injected.
* Dll has ALL APPLICATION PACKAGES read and read/execute rights.
* Microsoft Edge 38.14393.0.0
* Microsoft EdgeHTML 14.14393
* Windows 10 Pro 1607, 14393.693 64bit

Note : My dll calls OutputDebugString before start hook functions(xxxx.exe injected). In DgbView I can see messages from injected proecesses except MicrosoftEdgeCP.exe and MicrosoftEdge.exe
madshi
Site Admin
Posts: 10338
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Post by madshi »

Neither your driver nor your hook dll have to be in system32. I'd recommend to keep both in your installation directory, to keep things cleaner. But that's got nothing to do with the problem.

Can you please double check if the same problem also occurs with these two demo projects?

http://madshi.net/PrintMonitor.zip
http://madshi.net/PrintMonitor40.zip
ExPx
Posts: 34
Joined: Fri Oct 21, 2016 3:20 pm

Re: Edge Code Injection

Post by ExPx »

Hi mad.
I tried both demos on my home computer (win10 home). 2 MicrosoftEdgeCP.exe and one MicrosoftEdge.exe process succesfully injected. While testing print preview with Chrome I can get log messages on print monitor. But no log messages for MS edge preview screen. I will test it with printer tomorrow.
madshi
Site Admin
Posts: 10338
Joined: Sun Mar 21, 2004 5:25 pm

Re: Edge Code Injection

Post by madshi »

So injection completely succeeds with both demos? In that case the big question is why it succeeds with the demos, but not with your real project. Maybe you can compare the source code to try to find out?
Post Reply